Erich Blume
07e9c810ca
Addresses 32 CIS Kubernetes Benchmark failures from Prowler scan (core_seccomp_profile_docker_default). Applied pod-level seccomp RuntimeDefault to 18 deployments/statefulsets and 2 cronjobs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
97 lines
2.5 KiB
YAML
97 lines
2.5 KiB
YAML
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: frigate
|
|
namespace: frigate
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: frigate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: frigate
|
|
spec:
|
|
runtimeClassName: nvidia
|
|
securityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
initContainers:
|
|
- name: copy-config
|
|
image: busybox:kustomized
|
|
command: ["cp", "/config-ro/config.yml", "/config/config.yml"]
|
|
volumeMounts:
|
|
- name: config-ro
|
|
mountPath: /config-ro
|
|
- name: config
|
|
mountPath: /config
|
|
containers:
|
|
- name: frigate
|
|
image: ghcr.io/blakeblackshear/frigate:kustomized
|
|
ports:
|
|
- containerPort: 5000
|
|
name: http
|
|
- containerPort: 8554
|
|
name: rtsp
|
|
- containerPort: 1984
|
|
name: go2rtc
|
|
env:
|
|
- name: FRIGATE_CAMERA_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: frigate-camera
|
|
key: username
|
|
- name: FRIGATE_CAMERA_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: frigate-camera
|
|
key: password
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config
|
|
- name: recordings
|
|
mountPath: /media/frigate
|
|
- name: database
|
|
mountPath: /db
|
|
- name: shm
|
|
mountPath: /dev/shm
|
|
resources:
|
|
requests:
|
|
memory: "256Mi"
|
|
cpu: "200m"
|
|
limits:
|
|
memory: "3Gi"
|
|
cpu: "2000m"
|
|
nvidia.com/gpu: "1"
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /api/version
|
|
port: 5000
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 30
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /api/version
|
|
port: 5000
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 10
|
|
volumes:
|
|
- name: config-ro
|
|
configMap:
|
|
name: frigate-config
|
|
- name: config
|
|
emptyDir: {}
|
|
- name: recordings
|
|
persistentVolumeClaim:
|
|
claimName: frigate-recordings
|
|
- name: database
|
|
persistentVolumeClaim:
|
|
claimName: frigate-database
|
|
- name: shm
|
|
emptyDir:
|
|
medium: Memory
|
|
sizeLimit: 512Mi
|