From cf06fcf2c5aea24988b3396e30dfa18ad61b708e Mon Sep 17 00:00:00 2001 From: Rob Watson Date: Mon, 11 Sep 2023 00:18:13 +0200 Subject: [PATCH] chore: run pods as non-root user --- deploy/base/deploy-drone-runner.yaml | 2 ++ deploy/base/deploy-drone.yaml | 2 ++ deploy/base/deploy-element.yaml | 1 + deploy/base/deploy-invidious.yaml | 4 ++++ deploy/base/deploy-netflux-homepage.yaml | 2 ++ deploy/base/deploy-solar-toolkit-gateway.yaml | 2 ++ deploy/base/statefulset-radicale.yaml | 4 ++++ 7 files changed, 17 insertions(+) diff --git a/deploy/base/deploy-drone-runner.yaml b/deploy/base/deploy-drone-runner.yaml index bcacc8e..75612f4 100644 --- a/deploy/base/deploy-drone-runner.yaml +++ b/deploy/base/deploy-drone-runner.yaml @@ -7,6 +7,8 @@ metadata: component: runner app.kubernetes.io/name: drone-runner app.kubernetes.io/instance: drone-runner + annotations: + ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented" spec: selector: matchLabels: diff --git a/deploy/base/deploy-drone.yaml b/deploy/base/deploy-drone.yaml index 3b3c99c..24df261 100644 --- a/deploy/base/deploy-drone.yaml +++ b/deploy/base/deploy-drone.yaml @@ -7,6 +7,8 @@ metadata: component: web app.kubernetes.io/name: drone app.kubernetes.io/instance: drone + annotations: + ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented" spec: selector: matchLabels: diff --git a/deploy/base/deploy-element.yaml b/deploy/base/deploy-element.yaml index 3fcc193..41f4004 100644 --- a/deploy/base/deploy-element.yaml +++ b/deploy/base/deploy-element.yaml @@ -9,6 +9,7 @@ metadata: app.kubernetes.io/instance: element annotations: ignore-check.kube-linter.io/no-read-only-root-fs: "Element image requires write access for Nginx configuration" + ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented" spec: selector: matchLabels: diff --git a/deploy/base/deploy-invidious.yaml b/deploy/base/deploy-invidious.yaml index 6aee76c..c24f105 100644 --- a/deploy/base/deploy-invidious.yaml +++ b/deploy/base/deploy-invidious.yaml @@ -20,6 +20,10 @@ spec: app.kubernetes.io/name: invidious app.kubernetes.io/instance: invidious spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true initContainers: - image: alpine/git:2.40.1 imagePullPolicy: IfNotPresent diff --git a/deploy/base/deploy-netflux-homepage.yaml b/deploy/base/deploy-netflux-homepage.yaml index c74b3de..a18fc88 100644 --- a/deploy/base/deploy-netflux-homepage.yaml +++ b/deploy/base/deploy-netflux-homepage.yaml @@ -7,6 +7,8 @@ metadata: component: web app.kubernetes.io/name: netflux-homepage app.kubernetes.io/instance: netflux-homepage + annotations: + ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented" spec: selector: matchLabels: diff --git a/deploy/base/deploy-solar-toolkit-gateway.yaml b/deploy/base/deploy-solar-toolkit-gateway.yaml index 77751c1..25b9eeb 100644 --- a/deploy/base/deploy-solar-toolkit-gateway.yaml +++ b/deploy/base/deploy-solar-toolkit-gateway.yaml @@ -7,6 +7,8 @@ metadata: component: web app.kubernetes.io/name: solar-toolkit-gateway app.kubernetes.io/instance: solar-toolkit-gateway + annotations: + ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented" spec: selector: matchLabels: diff --git a/deploy/base/statefulset-radicale.yaml b/deploy/base/statefulset-radicale.yaml index fafd69b..e37e9c3 100644 --- a/deploy/base/statefulset-radicale.yaml +++ b/deploy/base/statefulset-radicale.yaml @@ -21,6 +21,10 @@ spec: app.kubernetes.io/name: radicale app.kubernetes.io/instance: radicale spec: + securityContext: + runAsUser: 2999 + runAsGroup: 2999 + runAsNonRoot: true containers: - name: radicale image: tomsquest/docker-radicale:3.1.8.3