From 18fe172a54c9b9746e9b327325b6d8c74691aeb8 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Mon, 6 Apr 2026 10:21:23 -0700
Subject: [PATCH] Add seccomp RuntimeDefault profiles to alloy-k8s and immich pods

Resolves 4 unmuted Prowler core_seccomp_profile_docker_default findings on alloy, immich-server, immich-machine-learning, and immich-valkey.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 argocd/manifests/alloy-k8s/daemonset.yaml | 2 ++
 argocd/manifests/immich/deployment-ml.yaml | 3 +++
 argocd/manifests/immich/deployment-server.yaml | 3 +++
 argocd/manifests/immich/deployment-valkey.yaml | 3 +++
 4 files changed, 11 insertions(+)

diff --git a/argocd/manifests/alloy-k8s/daemonset.yaml b/argocd/manifests/alloy-k8s/daemonset.yaml
index 60b8883..f1758cd 100644
--- a/argocd/manifests/alloy-k8s/daemonset.yaml
+++ b/argocd/manifests/alloy-k8s/daemonset.yaml
@@ -17,6 +17,8 @@ spec:
 serviceAccountName: alloy
 securityContext:
 fsGroup: 473 # alloy user group
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: alloy
 image: registry.ops.eblu.me/blumeops/alloy:kustomized
diff --git a/argocd/manifests/immich/deployment-ml.yaml b/argocd/manifests/immich/deployment-ml.yaml
index d55898d..57c4242 100644
--- a/argocd/manifests/immich/deployment-ml.yaml
+++ b/argocd/manifests/immich/deployment-ml.yaml
@@ -16,6 +16,9 @@ spec:
 app: immich
 component: machine-learning
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: machine-learning
 image: ghcr.io/immich-app/immich-machine-learning:kustomized
diff --git a/argocd/manifests/immich/deployment-server.yaml b/argocd/manifests/immich/deployment-server.yaml
index 56e920a..8ac7ab0 100644
--- a/argocd/manifests/immich/deployment-server.yaml
+++ b/argocd/manifests/immich/deployment-server.yaml
@@ -16,6 +16,9 @@ spec:
 app: immich
 component: server
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: server
 image: ghcr.io/immich-app/immich-server:kustomized
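Review bot: The new `seccompProfile` entry is the only line in this pod-level `securityContext` without a why-comment, while the adjacent `fsGroup: 473 # alloy user group` carries one; since the block exists to close the Prowler finding named in the commit message, record that inline, e.g. `seccompProfile: # Prowler core_seccomp_profile_docker_default`. A pod-level profile is inherited by every container in the DaemonSet unless a container-level `securityContext.seccompProfile` overrides it, and the `containers:` list continues past the end of the hunk, so confirm no such override is set further down. `RuntimeDefault` resolves to whatever profile the node's container runtime ships rather than a fixed allowlist, so the effective syscall set is runtime-dependent; if Alloy runs any collector on these nodes that needs syscalls a default profile commonly denies (eBPF-based collectors, for instance), watch the rollout for seccomp denials before treating this as the settled baseline.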
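Review bot: The three immich Deployments (this hunk, `deployment-server.yaml`, and `deployment-valkey.yaml`) each add an identical three-line pod-level `securityContext`, so the same baseline is now hand-copied into every manifest; a shared kustomize patch or component applied to all immich workloads would keep the seccomp setting in one place so the next hardening finding does not require editing each file. The `securityContext:` key is newly introduced here, meaning these pods had no pod-level security context before, which is worth a one-line comment such as `securityContext: # pod-wide baseline, Prowler core_seccomp_profile_docker_default` so a later editor does not assume container-level settings already cover it. The `containers:` list continues outside the hunk, and a container-level `seccompProfile` there would silently take precedence, so verify none is set in any of the three files. The machine-learning image presumably runs inference worker processes, so check that workload under the rollout for seccomp denials, since `RuntimeDefault` depends on the runtime's shipped profile rather than a fixed allowlist.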
diff --git a/argocd/manifests/immich/deployment-valkey.yaml b/argocd/manifests/immich/deployment-valkey.yaml
index 4034f94..1cf3346 100644
--- a/argocd/manifests/immich/deployment-valkey.yaml
+++ b/argocd/manifests/immich/deployment-valkey.yaml
@@ -18,6 +18,9 @@ spec:
 app: immich
 component: valkey
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: valkey
 image: docker.io/valkey/valkey:kustomized