From 2516f0a47f6f145c0cb5d9f14d9570bedbfc00af Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sat, 17 Jan 2026 11:26:10 -0500
Subject: [PATCH] adjust security settings
---
 kustomization.yaml | 2 ++
 thelounge/statefulset.yaml | 5 +++++
 znc/statefulset.yaml | 6 +++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/kustomization.yaml b/kustomization.yaml
index eec9257..b39072c 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -1,5 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+# Uncomment if storing configuration in the repo
+# - configmap.yaml
 - ./thelounge
 - ./znc
diff --git a/thelounge/statefulset.yaml b/thelounge/statefulset.yaml
index 85277db..0b2029d 100644
--- a/thelounge/statefulset.yaml
+++ b/thelounge/statefulset.yaml
@@ -14,10 +14,15 @@ spec:
 metadata:
 labels:
 app.kubernetes.io/name: thelounge
+ app.kubernetes.io/instance: thelounge
 spec:
+ priorityClassName: low-priority
 containers:
 - name: thelounge
 image: ghcr.io/thelounge/thelounge:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
 ports:
 - containerPort: 9000
 name: http-9000
diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml
index 7a23d95..88b8635 100644
--- a/znc/statefulset.yaml
+++ b/znc/statefulset.yaml
@@ -15,9 +15,13 @@ spec:
 labels:
 app.kubernetes.io/name: znc
 spec:
+ priorityClassName: low-priority
 containers:
 - name: znc
- image: lscr.io/linuxserver/znc:latest
+ image: lscr.io/linuxserver/znc:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
 ports:
 - containerPort: 6501
 name: irc-6501
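Review bot: The comment added above `# - configmap.yaml` invites committing service configuration to the repository without saying what may go into it. The contents of that file are not visible in this patch, but if the configuration for these services carries credentials or password hashes, a ConfigMap tracked in git would expose them. The comment should say so, e.g. `# Uncomment if storing non-secret configuration in the repo; keep credentials in a Secret`.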
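Review bot: `runAsNonRoot: true` is added to the thelounge container without a `runAsUser`, so the kubelet must verify the image's own USER and refuses to start the container when that user is root or a non-numeric name. Whether `ghcr.io/thelounge/thelounge` declares a numeric non-root user is not visible in this patch, so set the UID explicitly. The new securityContext also keeps the default capability set and leaves the seccomp profile unset; dropping all capabilities and selecting `RuntimeDefault` would complete the hardening. The identical block added in znc/statefulset.yaml needs the same treatment, and the container spec continues outside the hunk.

```yaml
securityContext:
  # … unchanged: allowPrivilegeEscalation …
  runAsNonRoot: true
  # placeholder UID: replace with the numeric non-root user the image supports
  runAsUser: 1000
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```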
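Review bot: The rewritten `image:` line keeps the mutable `:latest` tag, so the hardening added below it applies to whatever image the registry serves at pull time, including the USER and entrypoint that decide whether `runAsNonRoot: true` passes. Pin a release tag or a digest, e.g. `image: lscr.io/linuxserver/znc@sha256:<digest-placeholder>`; the thelounge image in thelounge/statefulset.yaml uses the same tag. The removed and added `image:` lines read identically here, so that change is presumably whitespace-only. Separately, `priorityClassName: low-priority` in both StatefulSets names a PriorityClass this patch does not define, and pod creation is rejected if it does not exist in the cluster.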