From 924325ebd51c91f60895ccf784105b312f247002 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sun, 29 Mar 2026 17:09:57 -0700
Subject: [PATCH] Fix DinD seccomp profile broken by RuntimeDefault rollout

The pod-level RuntimeDefault seccomp profile (07e9c81) overrides the DinD sidecar's privileged flag in newer Kubernetes versions, blocking Docker daemon syscalls. Set Unconfined explicitly on the DinD container while keeping RuntimeDefault on the runner container.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 argocd/manifests/forgejo-runner/deployment.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index 1eda6dc..c793895 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -74,6 +74,8 @@ spec:
 image: docker:kustomized
 securityContext:
 privileged: true
+ seccompProfile:
+ type: Unconfined
 env:
 - name: DOCKER_TLS_CERTDIR
 value: ""
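Review bot: The added `seccompProfile` / `type: Unconfined` under the DinD container's `securityContext` has no comment explaining why it is there. Together with `privileged: true` it leaves this container with no syscall filtering, so the exception should be recorded in the manifest, not only in the commit message. I would put a comment directly above it, for example `# DinD only: dockerd fails under the pod-level RuntimeDefault profile; keep Unconfined scoped to this container`. The commit message says the runner container keeps RuntimeDefault, but that setting is outside this hunk, so confirm it is still applied there, whether inherited from the pod or set on the container. Because `DOCKER_TLS_CERTDIR` is empty on the same container, anything that can reach the Docker daemon is presumably talking to a privileged, unconfined process without TLS client authentication. It is worth checking that the daemon endpoint is reachable only from inside this pod and that the runner accepts jobs only from trusted repositories.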