From 07e9c810ca61a336a779026e6fbe48772f71eb45 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 24 Mar 2026 16:19:40 -0700
Subject: [PATCH] Add RuntimeDefault seccomp profiles to all managed workloads

Addresses 32 CIS Kubernetes Benchmark failures from Prowler scan (core_seccomp_profile_docker_default). Applied pod-level seccomp RuntimeDefault to 18 deployments/statefulsets and 2 cronjobs.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
argocd/manifests/cv/deployment.yaml | 3 +++
argocd/manifests/devpi/statefulset.yaml | 2 ++
argocd/manifests/docs/deployment.yaml | 3 +++
argocd/manifests/forgejo-runner/deployment.yaml | 3 +++
argocd/manifests/frigate/deployment.yaml | 3 +++
argocd/manifests/homepage/deployment.yaml | 2 ++
argocd/manifests/kiwix/cronjob-zim-watcher.yaml | 3 +++
argocd/manifests/kiwix/deployment.yaml | 3 +++
argocd/manifests/loki/statefulset.yaml | 2 ++
argocd/manifests/mealie/deployment.yaml | 3 +++
argocd/manifests/miniflux/deployment.yaml | 3 +++
argocd/manifests/navidrome/deployment.yaml | 2 ++
argocd/manifests/ntfy/deployment.yaml | 3 +++
argocd/manifests/ollama/deployment.yaml | 3 +++
argocd/manifests/prometheus/statefulset.yaml | 2 ++
argocd/manifests/prowler/cronjob.yaml | 3 +++
argocd/manifests/tempo/statefulset.yaml | 2 ++
argocd/manifests/teslamate/deployment.yaml | 3 +++
argocd/manifests/torrent/deployment.yaml | 3 +++
argocd/manifests/unpoller/deployment.yaml | 3 +++
docs/changelog.d/+seccomp-profiles.infra.md | 1 +
21 files changed, 55 insertions(+)
create mode 100644 docs/changelog.d/+seccomp-profiles.infra.md
diff --git a/argocd/manifests/cv/deployment.yaml b/argocd/manifests/cv/deployment.yaml
index cda0bfe..f2b00e6 100644
--- a/argocd/manifests/cv/deployment.yaml
+++ b/argocd/manifests/cv/deployment.yaml
@@ -19,6 +19,9 @@ spec:
labels:
app: cv
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: cv
image: registry.ops.eblu.me/blumeops/cv:kustomized
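Review bot: The three added lines set seccomp only at pod level, and a container-level `securityContext.seccompProfile` — which this hunk's three lines of trailing context do not show — would override it for that container, so the "32 failures addressed" claim in the description holds only if no container in these pods declares its own profile; confirm by re-running the Prowler check after rollout rather than reading it off the manifests. For the pods that had no `securityContext` before this change (cv here, and likewise docs, forgejo-runner, kiwix, mealie, miniflux, ntfy, teslamate, torrent and unpoller), the new block is the natural place to also carry `runAsNonRoot: true`, as the loki, tempo and prometheus hunks already do, where the image supports it. A one-line comment above the block such as `# Pod-level RuntimeDefault: inherited by every container unless it sets its own seccompProfile` would make the inheritance rule visible to the next editor.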
diff --git a/argocd/manifests/devpi/statefulset.yaml b/argocd/manifests/devpi/statefulset.yaml
index bd383d9..91875df 100644
--- a/argocd/manifests/devpi/statefulset.yaml
+++ b/argocd/manifests/devpi/statefulset.yaml
@@ -16,6 +16,8 @@ spec:
spec:
securityContext:
fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: devpi
image: registry.ops.eblu.me/blumeops/devpi:kustomized
diff --git a/argocd/manifests/docs/deployment.yaml b/argocd/manifests/docs/deployment.yaml
index 85378f0..5b54ee6 100644
--- a/argocd/manifests/docs/deployment.yaml
+++ b/argocd/manifests/docs/deployment.yaml
@@ -19,6 +19,9 @@ spec:
labels:
app: docs
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: docs
image: registry.ops.eblu.me/blumeops/quartz:kustomized
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index f61fb77..1eda6dc 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -15,6 +15,9 @@ spec:
labels:
app: forgejo-runner
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
# Forgejo runner daemon
- name: runner
diff --git a/argocd/manifests/frigate/deployment.yaml b/argocd/manifests/frigate/deployment.yaml
index ba69a5b..1200e76 100644
--- a/argocd/manifests/frigate/deployment.yaml
+++ b/argocd/manifests/frigate/deployment.yaml
@@ -17,6 +17,9 @@ spec:
app: frigate
spec:
runtimeClassName: nvidia
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
initContainers:
- name: copy-config
image: busybox:kustomized
diff --git a/argocd/manifests/homepage/deployment.yaml b/argocd/manifests/homepage/deployment.yaml
index 7f66c41..76cbda3 100644
--- a/argocd/manifests/homepage/deployment.yaml
+++ b/argocd/manifests/homepage/deployment.yaml
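Review bot: In the forgejo-runner hunk the pod-level `RuntimeDefault` may not reach the container that actually executes jobs: the comment `# Forgejo runner daemon` suggests more than one container follows, and CI runners that launch nested containers commonly run `privileged: true`, for which container runtimes typically do not apply a seccomp profile — the container specs are outside this hunk, so check the full manifest before counting this pod as fixed. The frigate hunk (and the ollama hunk later in the patch) add the profile to a pod with `runtimeClassName: nvidia`; the profile is enforced by whichever handler that runtime class resolves to, so a smoke test of device access after rollout is worth doing rather than assuming parity with the default runtime. Where a container genuinely cannot run confined, record that next to the setting, e.g. `# seccomp: not enforced on the privileged job container — accepted risk, see <TRACKING-ISSUE-PLACEHOLDER>`, so the residual finding is explained in the manifest rather than rediscovered by the next scan.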
@@ -18,6 +18,8 @@ spec:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: homepage
image: registry.ops.eblu.me/blumeops/homepage:kustomized
diff --git a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
index 2373343..9d5b558 100644
--- a/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
+++ b/argocd/manifests/kiwix/cronjob-zim-watcher.yaml
@@ -13,6 +13,9 @@ spec:
template:
spec:
serviceAccountName: zim-watcher
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: watcher
image: registry.ops.eblu.me/blumeops/kubectl:kustomized
diff --git a/argocd/manifests/kiwix/deployment.yaml b/argocd/manifests/kiwix/deployment.yaml
index 01532a2..a63fa49 100644
--- a/argocd/manifests/kiwix/deployment.yaml
+++ b/argocd/manifests/kiwix/deployment.yaml
@@ -17,6 +17,9 @@ spec:
labels:
app: kiwix
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
# Main kiwix-serve container
- name: kiwix-serve
diff --git a/argocd/manifests/loki/statefulset.yaml b/argocd/manifests/loki/statefulset.yaml
index 3fb9be2..a776d47 100644
--- a/argocd/manifests/loki/statefulset.yaml
+++ b/argocd/manifests/loki/statefulset.yaml
@@ -18,6 +18,8 @@ spec:
fsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: loki
image: grafana/loki:kustomized
diff --git a/argocd/manifests/mealie/deployment.yaml b/argocd/manifests/mealie/deployment.yaml
index 5c522fe..bdcf91e 100644
--- a/argocd/manifests/mealie/deployment.yaml
+++ b/argocd/manifests/mealie/deployment.yaml
@@ -13,6 +13,9 @@ spec:
labels:
app: mealie
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: mealie
image: registry.ops.eblu.me/blumeops/mealie:kustomized
diff --git a/argocd/manifests/miniflux/deployment.yaml b/argocd/manifests/miniflux/deployment.yaml
index b5b3239..94e805a 100644
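Review bot: In the kiwix zim-watcher CronJob hunk (and the prowler CronJob hunk later in the patch) the profile is placed on the Job's pod template, which is the right level, but it only governs Jobs created after this rollout: finished pods from earlier runs keep the old spec until the Job history limits garbage-collect them, so a scan taken before that can still report them against the CronJob and should not be read as the change having failed. The watcher runs a kubectl image under `serviceAccountName: zim-watcher`; a kubectl-driven job has no reason to need syscalls outside the runtime default, so no exception is expected here, but a comment such as `# RuntimeDefault applies to pods of new Jobs only; old completed pods age out per history limits` would save the next person re-deriving why a stale finding lingered.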
--- a/argocd/manifests/miniflux/deployment.yaml
+++ b/argocd/manifests/miniflux/deployment.yaml
@@ -13,6 +13,9 @@ spec:
labels:
app: miniflux
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: miniflux
image: registry.ops.eblu.me/blumeops/miniflux:kustomized
diff --git a/argocd/manifests/navidrome/deployment.yaml b/argocd/manifests/navidrome/deployment.yaml
index 6074d28..e70519c 100644
--- a/argocd/manifests/navidrome/deployment.yaml
+++ b/argocd/manifests/navidrome/deployment.yaml
@@ -18,6 +18,8 @@ spec:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: navidrome
image: registry.ops.eblu.me/blumeops/navidrome:kustomized
diff --git a/argocd/manifests/ntfy/deployment.yaml b/argocd/manifests/ntfy/deployment.yaml
index 3bbb172..a41387f 100644
--- a/argocd/manifests/ntfy/deployment.yaml
+++ b/argocd/manifests/ntfy/deployment.yaml
@@ -14,6 +14,9 @@ spec:
labels:
app: ntfy
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: ntfy
image: registry.ops.eblu.me/blumeops/ntfy:kustomized
diff --git a/argocd/manifests/ollama/deployment.yaml b/argocd/manifests/ollama/deployment.yaml
index 060fe8f..e8864c9 100644
--- a/argocd/manifests/ollama/deployment.yaml
+++ b/argocd/manifests/ollama/deployment.yaml
@@ -17,6 +17,9 @@ spec:
app: ollama
spec:
runtimeClassName: nvidia
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: ollama
image: ollama/ollama:kustomized
diff --git a/argocd/manifests/prometheus/statefulset.yaml b/argocd/manifests/prometheus/statefulset.yaml
index 5b4bf82..8a8e06f 100644
--- a/argocd/manifests/prometheus/statefulset.yaml
+++ b/argocd/manifests/prometheus/statefulset.yaml
@@ -18,6 +18,8 @@ spec:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: prometheus
image: registry.ops.eblu.me/blumeops/prometheus:kustomized
diff --git a/argocd/manifests/prowler/cronjob.yaml b/argocd/manifests/prowler/cronjob.yaml
index bc00831..545a9c8 100644
--- a/argocd/manifests/prowler/cronjob.yaml
+++ b/argocd/manifests/prowler/cronjob.yaml
@@ -12,6 +12,9 @@ spec:
template:
spec:
serviceAccountName: prowler
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: prowler
image: registry.ops.eblu.me/blumeops/prowler:kustomized
diff --git a/argocd/manifests/tempo/statefulset.yaml b/argocd/manifests/tempo/statefulset.yaml
index f871ebc..3df5c66 100644
--- a/argocd/manifests/tempo/statefulset.yaml
+++ b/argocd/manifests/tempo/statefulset.yaml
@@ -18,6 +18,8 @@ spec:
fsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: tempo
image: grafana/tempo:kustomized
diff --git a/argocd/manifests/teslamate/deployment.yaml b/argocd/manifests/teslamate/deployment.yaml
index a2f7aca..42859a7 100644
--- a/argocd/manifests/teslamate/deployment.yaml
+++ b/argocd/manifests/teslamate/deployment.yaml
@@ -13,6 +13,9 @@ spec:
labels:
app: teslamate
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: teslamate
image: registry.ops.eblu.me/blumeops/teslamate:kustomized
diff --git a/argocd/manifests/torrent/deployment.yaml b/argocd/manifests/torrent/deployment.yaml
index c109861..ab42537 100644
--- a/argocd/manifests/torrent/deployment.yaml
+++ b/argocd/manifests/torrent/deployment.yaml
@@ -14,6 +14,9 @@ spec:
labels:
app: transmission
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: transmission
image: registry.ops.eblu.me/blumeops/transmission:kustomized
diff --git a/argocd/manifests/unpoller/deployment.yaml b/argocd/manifests/unpoller/deployment.yaml
index 2f7d13c..44c89b7 100644
--- a/argocd/manifests/unpoller/deployment.yaml
+++ b/argocd/manifests/unpoller/deployment.yaml
@@ -15,6 +15,9 @@ spec:
labels:
app: unpoller
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: unpoller
image: registry.ops.eblu.me/blumeops/unpoller:kustomized
diff --git a/docs/changelog.d/+seccomp-profiles.infra.md b/docs/changelog.d/+seccomp-profiles.infra.md
new file mode 100644
index 0000000..c0ee00d
--- /dev/null
+++ b/docs/changelog.d/+seccomp-profiles.infra.md
@@ -0,0 +1 @@
+Add RuntimeDefault seccomp profiles to all managed deployments, statefulsets, and cronjobs.