Add RuntimeDefault seccomp profiles to all managed workloads
Addresses 32 CIS Kubernetes Benchmark failures from Prowler scan (core_seccomp_profile_docker_default). Applied pod-level seccomp RuntimeDefault to 18 deployments/statefulsets and 2 cronjobs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
87f56f78b3
commit
07e9c810ca
21 changed files with 55 additions and 0 deletions
|
|
@ -19,6 +19,9 @@ spec:
|
|||
labels:
|
||||
app: cv
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: cv
|
||||
image: registry.ops.eblu.me/blumeops/cv:kustomized
|
||||
|
|
|
|||
|
|
@ -16,6 +16,8 @@ spec:
|
|||
spec:
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: devpi
|
||||
image: registry.ops.eblu.me/blumeops/devpi:kustomized
|
||||
|
|
|
|||
|
|
@ -19,6 +19,9 @@ spec:
|
|||
labels:
|
||||
app: docs
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: docs
|
||||
image: registry.ops.eblu.me/blumeops/quartz:kustomized
|
||||
|
|
|
|||
|
|
@ -15,6 +15,9 @@ spec:
|
|||
labels:
|
||||
app: forgejo-runner
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
# Forgejo runner daemon
|
||||
- name: runner
|
||||
|
|
|
|||
|
|
@ -17,6 +17,9 @@ spec:
|
|||
app: frigate
|
||||
spec:
|
||||
runtimeClassName: nvidia
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
initContainers:
|
||||
- name: copy-config
|
||||
image: busybox:kustomized
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ spec:
|
|||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: homepage
|
||||
image: registry.ops.eblu.me/blumeops/homepage:kustomized
|
||||
|
|
|
|||
|
|
@ -13,6 +13,9 @@ spec:
|
|||
template:
|
||||
spec:
|
||||
serviceAccountName: zim-watcher
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: watcher
|
||||
image: registry.ops.eblu.me/blumeops/kubectl:kustomized
|
||||
|
|
|
|||
|
|
@ -17,6 +17,9 @@ spec:
|
|||
labels:
|
||||
app: kiwix
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
# Main kiwix-serve container
|
||||
- name: kiwix-serve
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ spec:
|
|||
fsGroup: 10001
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10001
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: loki
|
||||
image: grafana/loki:kustomized
|
||||
|
|
|
|||
|
|
@ -13,6 +13,9 @@ spec:
|
|||
labels:
|
||||
app: mealie
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: mealie
|
||||
image: registry.ops.eblu.me/blumeops/mealie:kustomized
|
||||
|
|
|
|||
|
|
@ -13,6 +13,9 @@ spec:
|
|||
labels:
|
||||
app: miniflux
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: miniflux
|
||||
image: registry.ops.eblu.me/blumeops/miniflux:kustomized
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ spec:
|
|||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: navidrome
|
||||
image: registry.ops.eblu.me/blumeops/navidrome:kustomized
|
||||
|
|
|
|||
|
|
@ -14,6 +14,9 @@ spec:
|
|||
labels:
|
||||
app: ntfy
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: ntfy
|
||||
image: registry.ops.eblu.me/blumeops/ntfy:kustomized
|
||||
|
|
|
|||
|
|
@ -17,6 +17,9 @@ spec:
|
|||
app: ollama
|
||||
spec:
|
||||
runtimeClassName: nvidia
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: ollama
|
||||
image: ollama/ollama:kustomized
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ spec:
|
|||
fsGroup: 65534
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: prometheus
|
||||
image: registry.ops.eblu.me/blumeops/prometheus:kustomized
|
||||
|
|
|
|||
|
|
@ -12,6 +12,9 @@ spec:
|
|||
template:
|
||||
spec:
|
||||
serviceAccountName: prowler
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: prowler
|
||||
image: registry.ops.eblu.me/blumeops/prowler:kustomized
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ spec:
|
|||
fsGroup: 10001
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10001
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: tempo
|
||||
image: grafana/tempo:kustomized
|
||||
|
|
|
|||
|
|
@ -13,6 +13,9 @@ spec:
|
|||
labels:
|
||||
app: teslamate
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: teslamate
|
||||
image: registry.ops.eblu.me/blumeops/teslamate:kustomized
|
||||
|
|
|
|||
|
|
@ -14,6 +14,9 @@ spec:
|
|||
labels:
|
||||
app: transmission
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: transmission
|
||||
image: registry.ops.eblu.me/blumeops/transmission:kustomized
|
||||
|
|
|
|||
|
|
@ -15,6 +15,9 @@ spec:
|
|||
labels:
|
||||
app: unpoller
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: unpoller
|
||||
image: registry.ops.eblu.me/blumeops/unpoller:kustomized
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue