chore: run pods as non-root user

2023-09-11 00:18:13 +02:00 · 2023-09-11 00:18:13 +02:00 · cf06fcf2c5
parent 8a699c8039
commit cf06fcf2c5
7 changed files with 17 additions and 0 deletions
--- a/deploy/base/deploy-drone-runner.yaml
+++ b/deploy/base/deploy-drone-runner.yaml
@ -7,6 +7,8 @@ metadata:
    component: runner
    app.kubernetes.io/name: drone-runner
    app.kubernetes.io/instance: drone-runner
+  annotations:
+    ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
 spec:
  selector:
    matchLabels:
--- a/deploy/base/deploy-drone.yaml
+++ b/deploy/base/deploy-drone.yaml
@ -7,6 +7,8 @@ metadata:
    component: web
    app.kubernetes.io/name: drone
    app.kubernetes.io/instance: drone
+  annotations:
+    ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
 spec:
  selector:
    matchLabels:
--- a/deploy/base/deploy-element.yaml
+++ b/deploy/base/deploy-element.yaml
@ -9,6 +9,7 @@ metadata:
    app.kubernetes.io/instance: element
  annotations:
    ignore-check.kube-linter.io/no-read-only-root-fs: "Element image requires write access for Nginx configuration"
+    ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
 spec:
  selector:
    matchLabels:
--- a/deploy/base/deploy-invidious.yaml
+++ b/deploy/base/deploy-invidious.yaml
@ -20,6 +20,10 @@ spec:
        app.kubernetes.io/name: invidious
        app.kubernetes.io/instance: invidious
    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
      initContainers:
      - image: alpine/git:2.40.1
        imagePullPolicy: IfNotPresent
--- a/deploy/base/deploy-netflux-homepage.yaml
+++ b/deploy/base/deploy-netflux-homepage.yaml
@ -7,6 +7,8 @@ metadata:
    component: web
    app.kubernetes.io/name: netflux-homepage
    app.kubernetes.io/instance: netflux-homepage
+  annotations:
+    ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
 spec:
  selector:
    matchLabels:
--- a/deploy/base/deploy-solar-toolkit-gateway.yaml
+++ b/deploy/base/deploy-solar-toolkit-gateway.yaml
@ -7,6 +7,8 @@ metadata:
    component: web
    app.kubernetes.io/name: solar-toolkit-gateway
    app.kubernetes.io/instance: solar-toolkit-gateway
+  annotations:
+    ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
 spec:
  selector:
    matchLabels:
--- a/deploy/base/statefulset-radicale.yaml
+++ b/deploy/base/statefulset-radicale.yaml
@ -21,6 +21,10 @@ spec:
        app.kubernetes.io/name: radicale
        app.kubernetes.io/instance: radicale
    spec:
+      securityContext:
+        runAsUser: 2999
+        runAsGroup: 2999
+        runAsNonRoot: true
      containers:
      - name: radicale
        image: tomsquest/docker-radicale:3.1.8.3