eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add RuntimeDefault seccomp profiles to all managed workloads

Browse source 
Addresses 32 CIS Kubernetes Benchmark failures from Prowler scan
(core_seccomp_profile_docker_default). Applied pod-level seccomp
RuntimeDefault to 18 deployments/statefulsets and 2 cronjobs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-03-24 16:19:40 -07:00
commit 07e9c810ca
21 changed files with 55 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
argocd/manifests/cv/deployment.yaml
View file

@ -19,6 +19,9 @@ spec:
labels:
app: cv
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: cv
image: registry.ops.eblu.me/blumeops/cv:kustomized

2
argocd/manifests/devpi/statefulset.yaml
View file

@ -16,6 +16,8 @@ spec:
spec:
securityContext:
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: devpi
image: registry.ops.eblu.me/blumeops/devpi:kustomized

3
argocd/manifests/docs/deployment.yaml
View file

@ -19,6 +19,9 @@ spec:
labels:
app: docs
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: docs
image: registry.ops.eblu.me/blumeops/quartz:kustomized

3
argocd/manifests/forgejo-runner/deployment.yaml
View file

@ -15,6 +15,9 @@ spec:
labels:
app: forgejo-runner
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
# Forgejo runner daemon
- name: runner

3
argocd/manifests/frigate/deployment.yaml
View file

@ -17,6 +17,9 @@ spec:
app: frigate
spec:
runtimeClassName: nvidia
securityContext:
seccompProfile:
type: RuntimeDefault
initContainers:
- name: copy-config
image: busybox:kustomized

2
argocd/manifests/homepage/deployment.yaml
View file

@ -18,6 +18,8 @@ spec:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: homepage
image: registry.ops.eblu.me/blumeops/homepage:kustomized

3
argocd/manifests/kiwix/cronjob-zim-watcher.yaml
View file

@ -13,6 +13,9 @@ spec:
template:
spec:
serviceAccountName: zim-watcher
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: watcher
image: registry.ops.eblu.me/blumeops/kubectl:kustomized

3
argocd/manifests/kiwix/deployment.yaml
View file

@ -17,6 +17,9 @@ spec:
labels:
app: kiwix
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
# Main kiwix-serve container
- name: kiwix-serve

2
argocd/manifests/loki/statefulset.yaml
View file

@ -18,6 +18,8 @@ spec:
fsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
containers:
- name: loki
image: grafana/loki:kustomized

3
argocd/manifests/mealie/deployment.yaml
View file

@ -13,6 +13,9 @@ spec:
labels:
app: mealie
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: mealie
image: registry.ops.eblu.me/blumeops/mealie:kustomized

3
argocd/manifests/miniflux/deployment.yaml
View file

@ -13,6 +13,9 @@ spec:
labels:
app: miniflux
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: miniflux
image: registry.ops.eblu.me/blumeops/miniflux:kustomized

2
argocd/manifests/navidrome/deployment.yaml
View file

@ -18,6 +18,8 @@ spec:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: navidrome
image: registry.ops.eblu.me/blumeops/navidrome:kustomized

3
argocd/manifests/ntfy/deployment.yaml
View file

@ -14,6 +14,9 @@ spec:
labels:
app: ntfy
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: ntfy
image: registry.ops.eblu.me/blumeops/ntfy:kustomized

3
argocd/manifests/ollama/deployment.yaml
View file

@ -17,6 +17,9 @@ spec:
app: ollama
spec:
runtimeClassName: nvidia
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: ollama
image: ollama/ollama:kustomized

2
argocd/manifests/prometheus/statefulset.yaml
View file

@ -18,6 +18,8 @@ spec:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
containers:
- name: prometheus
image: registry.ops.eblu.me/blumeops/prometheus:kustomized

3
argocd/manifests/prowler/cronjob.yaml
View file

@ -12,6 +12,9 @@ spec:
template:
spec:
serviceAccountName: prowler
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: prowler
image: registry.ops.eblu.me/blumeops/prowler:kustomized

2
argocd/manifests/tempo/statefulset.yaml
View file

@ -18,6 +18,8 @@ spec:
fsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
containers:
- name: tempo
image: grafana/tempo:kustomized

3
argocd/manifests/teslamate/deployment.yaml
View file

@ -13,6 +13,9 @@ spec:
labels:
app: teslamate
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: teslamate
image: registry.ops.eblu.me/blumeops/teslamate:kustomized

3
argocd/manifests/torrent/deployment.yaml
View file

@ -14,6 +14,9 @@ spec:
labels:
app: transmission
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: transmission
image: registry.ops.eblu.me/blumeops/transmission:kustomized

3
argocd/manifests/unpoller/deployment.yaml
View file

@ -15,6 +15,9 @@ spec:
labels:
app: unpoller
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: unpoller
image: registry.ops.eblu.me/blumeops/unpoller:kustomized

1
docs/changelog.d/+seccomp-profiles.infra.md Normal file
View file

@ -0,0 +1 @@
Add RuntimeDefault seccomp profiles to all managed deployments, statefulsets, and cronjobs.