Run navidrome as non-root user with fsGroup for volume access

Instead of running as root, create a dedicated navidrome user (UID 1000) in the container and use Kubernetes fsGroup to ensure PVC volumes are writable. This provides defense-in-depth against container escape attacks. - Dockerfile: add navidrome user/group (1000), set USER 1000 - Deployment: add pod securityContext (fsGroup, runAsUser, runAsGroup) - Deployment: add container securityContext (runAsNonRoot, no privilege escalation) - Bump image to v1.0.3 (v1.0.2 was built without these changes) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 08:07:36 -08:00 · 2026-02-16 08:07:36 -08:00 · de476bab45
commit de476bab45
parent 2639647632
3 changed files with 13 additions and 3 deletions
--- a/argocd/manifests/navidrome/deployment.yaml
+++ b/argocd/manifests/navidrome/deployment.yaml
@ -14,9 +14,16 @@ spec:
      labels:
        app: navidrome
    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
      containers:
        - name: navidrome
-          image: registry.ops.eblu.me/blumeops/navidrome:v1.0.2
+          image: registry.ops.eblu.me/blumeops/navidrome:v1.0.3
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
          ports:
            - containerPort: 4533
              name: http
--- a/containers/navidrome/Dockerfile
+++ b/containers/navidrome/Dockerfile
@ -42,10 +42,13 @@ LABEL org.opencontainers.image.description="Navidrome is a self-hosted music ser
 # Points to upstream canonical source, not the forge mirror used for builds
 LABEL org.opencontainers.image.source=https://github.com/navidrome/navidrome

-RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg
+RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg \
+ && addgroup -g 1000 navidrome \
+ && adduser -u 1000 -G navidrome -D navidrome

 COPY --from=build /navidrome /usr/bin/navidrome

 EXPOSE 4533

+USER 1000
 CMD ["/usr/bin/navidrome"]
--- a/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
+++ b/docs/changelog.d/fix-navidrome-container-v1.0.2.bugfix.md
@ -1 +1 @@
-Fix navidrome custom container image (removed non-root user that prevented SQLite writes)
+Switch navidrome to custom container image with dedicated non-root user and fsGroup security context