blumeops/containers
Erich Blume de476bab45
Build Container / build (push) Successful in 28s
Run navidrome as non-root user with fsGroup for volume access
Instead of running as root, create a dedicated navidrome user (UID 1000)
in the container and use Kubernetes fsGroup to ensure PVC volumes are
writable. This provides defense-in-depth against container escape attacks.

- Dockerfile: add navidrome user/group (1000), set USER 1000
- Deployment: add pod securityContext (fsGroup, runAsUser, runAsGroup)
- Deployment: add container securityContext (runAsNonRoot, no privilege escalation)
- Bump image to v1.0.3 (v1.0.2 was built without these changes)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 08:07:36 -08:00
cv Add CV/resume web app at cv.ops.eblu.me (#169) 2026-02-12 11:09:41 -08:00
devpi Build local containers for k8s services (#61) 2026-01-25 21:35:57 -08:00
forgejo-runner Upgrade Node.js from 20 to 22 LTS (#182) 2026-02-13 11:07:41 -08:00
kiwix-serve Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00
kubectl Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00
miniflux Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00
navidrome Run navidrome as non-root user with fsGroup for volume access 2026-02-16 08:07:36 -08:00
nettest Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00
quartz Phase 1b: Deploy docs hosting with Quartz (#85) 2026-02-03 10:52:20 -08:00
teslamate Build local containers for k8s services (#61) 2026-01-25 21:35:57 -08:00
transmission Tier 1 version bumps (#186) 2026-02-13 17:16:37 -08:00