Add RuntimeDefault seccomp profiles to all managed workloads

Addresses 32 CIS Kubernetes Benchmark failures from a Prowler scan
(core_seccomp_profile_docker_default). Applied pod-level seccomp
RuntimeDefault to 18 deployments/statefulsets and 2 cronjobs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Erich Blume 2026-03-24 16:19:40 -07:00
commit 07e9c810ca
21 changed files with 55 additions and 0 deletions


@ -19,6 +19,9 @@ spec:
labels: labels:
app: cv app: cv
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: cv - name: cv
image: registry.ops.eblu.me/blumeops/cv:kustomized image: registry.ops.eblu.me/blumeops/cv:kustomized
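Review bot: The pod spec continues past the hunk, so nothing visible rules out a second pod-level `securityContext:` further down in the same mapping; most YAML parsers keep the last duplicate key, in which case this `seccompProfile` would be silently dropped, and that is worth checking in every manifest that gains a fresh `securityContext:` block rather than extending an existing one (the same applies to the docs, forgejo-runner, frigate, zim-watcher, kiwix, mealie, miniflux, ntfy, ollama, prowler, teslamate, transmission and unpoller sections). A container-level `securityContext.seccompProfile`, which no hunk shows, would likewise override the pod-level value. Rather than trusting the source, verify the rendered and applied result, e.g. `kubectl get pod <pod-name> -n <namespace> -o jsonpath='{.spec.securityContext.seccompProfile.type}'` after rollout, and re-run the Prowler check that motivated the change. A short comment above the new block would tie it to the control it satisfies, e.g. `# CIS core_seccomp_profile_docker_default: apply the container runtime's default seccomp filter`.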


@ -16,6 +16,8 @@ spec:
spec: spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: devpi - name: devpi
image: registry.ops.eblu.me/blumeops/devpi:kustomized image: registry.ops.eblu.me/blumeops/devpi:kustomized


@ -19,6 +19,9 @@ spec:
labels: labels:
app: docs app: docs
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: docs - name: docs
image: registry.ops.eblu.me/blumeops/quartz:kustomized image: registry.ops.eblu.me/blumeops/quartz:kustomized


@ -15,6 +15,9 @@ spec:
labels: labels:
app: forgejo-runner app: forgejo-runner
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
# Forgejo runner daemon # Forgejo runner daemon
- name: runner - name: runner


@ -17,6 +17,9 @@ spec:
app: frigate app: frigate
spec: spec:
runtimeClassName: nvidia runtimeClassName: nvidia
securityContext:
seccompProfile:
type: RuntimeDefault
initContainers: initContainers:
- name: copy-config - name: copy-config
image: busybox:kustomized image: busybox:kustomized


@ -18,6 +18,8 @@ spec:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
fsGroup: 1000 fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: homepage - name: homepage
image: registry.ops.eblu.me/blumeops/homepage:kustomized image: registry.ops.eblu.me/blumeops/homepage:kustomized


@ -13,6 +13,9 @@ spec:
template: template:
spec: spec:
serviceAccountName: zim-watcher serviceAccountName: zim-watcher
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: watcher - name: watcher
image: registry.ops.eblu.me/blumeops/kubectl:kustomized image: registry.ops.eblu.me/blumeops/kubectl:kustomized


@ -17,6 +17,9 @@ spec:
labels: labels:
app: kiwix app: kiwix
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
# Main kiwix-serve container # Main kiwix-serve container
- name: kiwix-serve - name: kiwix-serve


@ -18,6 +18,8 @@ spec:
fsGroup: 10001 fsGroup: 10001
runAsNonRoot: true runAsNonRoot: true
runAsUser: 10001 runAsUser: 10001
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: loki - name: loki
image: grafana/loki:kustomized image: grafana/loki:kustomized


@ -13,6 +13,9 @@ spec:
labels: labels:
app: mealie app: mealie
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: mealie - name: mealie
image: registry.ops.eblu.me/blumeops/mealie:kustomized image: registry.ops.eblu.me/blumeops/mealie:kustomized


@ -13,6 +13,9 @@ spec:
labels: labels:
app: miniflux app: miniflux
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: miniflux - name: miniflux
image: registry.ops.eblu.me/blumeops/miniflux:kustomized image: registry.ops.eblu.me/blumeops/miniflux:kustomized


@ -18,6 +18,8 @@ spec:
runAsUser: 1000 runAsUser: 1000
runAsGroup: 1000 runAsGroup: 1000
fsGroup: 1000 fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: navidrome - name: navidrome
image: registry.ops.eblu.me/blumeops/navidrome:kustomized image: registry.ops.eblu.me/blumeops/navidrome:kustomized


@ -14,6 +14,9 @@ spec:
labels: labels:
app: ntfy app: ntfy
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: ntfy - name: ntfy
image: registry.ops.eblu.me/blumeops/ntfy:kustomized image: registry.ops.eblu.me/blumeops/ntfy:kustomized


@ -17,6 +17,9 @@ spec:
app: ollama app: ollama
spec: spec:
runtimeClassName: nvidia runtimeClassName: nvidia
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: ollama - name: ollama
image: ollama/ollama:kustomized image: ollama/ollama:kustomized


@ -18,6 +18,8 @@ spec:
fsGroup: 65534 fsGroup: 65534
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65534 runAsUser: 65534
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: prometheus - name: prometheus
image: registry.ops.eblu.me/blumeops/prometheus:kustomized image: registry.ops.eblu.me/blumeops/prometheus:kustomized


@ -12,6 +12,9 @@ spec:
template: template:
spec: spec:
serviceAccountName: prowler serviceAccountName: prowler
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: prowler - name: prowler
image: registry.ops.eblu.me/blumeops/prowler:kustomized image: registry.ops.eblu.me/blumeops/prowler:kustomized


@ -18,6 +18,8 @@ spec:
fsGroup: 10001 fsGroup: 10001
runAsNonRoot: true runAsNonRoot: true
runAsUser: 10001 runAsUser: 10001
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: tempo - name: tempo
image: grafana/tempo:kustomized image: grafana/tempo:kustomized


@ -13,6 +13,9 @@ spec:
labels: labels:
app: teslamate app: teslamate
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: teslamate - name: teslamate
image: registry.ops.eblu.me/blumeops/teslamate:kustomized image: registry.ops.eblu.me/blumeops/teslamate:kustomized


@ -14,6 +14,9 @@ spec:
labels: labels:
app: transmission app: transmission
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: transmission - name: transmission
image: registry.ops.eblu.me/blumeops/transmission:kustomized image: registry.ops.eblu.me/blumeops/transmission:kustomized


@ -15,6 +15,9 @@ spec:
labels: labels:
app: unpoller app: unpoller
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: unpoller - name: unpoller
image: registry.ops.eblu.me/blumeops/unpoller:kustomized image: registry.ops.eblu.me/blumeops/unpoller:kustomized


@ -0,0 +1 @@
Add RuntimeDefault seccomp profiles to all managed deployments, statefulsets, and cronjobs.