Add seccomp RuntimeDefault profiles to alloy-k8s and immich pods

Resolves 4 unmuted Prowler core_seccomp_profile_docker_default findings on alloy, immich-server, immich-machine-learning, and immich-valkey. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 10:21:23 -07:00 · 2026-04-06 10:21:23 -07:00 · 18fe172a54
commit 18fe172a54
parent a059d81314
4 changed files with 11 additions and 0 deletions
--- a/argocd/manifests/alloy-k8s/daemonset.yaml
+++ b/argocd/manifests/alloy-k8s/daemonset.yaml
@ -17,6 +17,8 @@ spec:
      serviceAccountName: alloy
      securityContext:
        fsGroup: 473  # alloy user group
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: alloy
          image: registry.ops.eblu.me/blumeops/alloy:kustomized
--- a/argocd/manifests/immich/deployment-ml.yaml
+++ b/argocd/manifests/immich/deployment-ml.yaml
@ -16,6 +16,9 @@ spec:
        app: immich
        component: machine-learning
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: machine-learning
          image: ghcr.io/immich-app/immich-machine-learning:kustomized
--- a/argocd/manifests/immich/deployment-server.yaml
+++ b/argocd/manifests/immich/deployment-server.yaml
@ -16,6 +16,9 @@ spec:
        app: immich
        component: server
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: server
          image: ghcr.io/immich-app/immich-server:kustomized
--- a/argocd/manifests/immich/deployment-valkey.yaml
+++ b/argocd/manifests/immich/deployment-valkey.yaml
@ -18,6 +18,9 @@ spec:
        app: immich
        component: valkey
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: valkey
          image: docker.io/valkey/valkey:kustomized