From 5a5cfb284734fdf553cdbded9afd4eb5a0dcf94c Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sun, 8 Feb 2026 11:12:00 -0500 Subject: [PATCH 1/2] fix: remove PUID/PGID env vars from ZNC container LinuxServer s6-overlay requires starting as root to fix directory permissions (/run, etc.) before dropping privileges. Setting PUID/PGID forces immediate UID 1000 start, causing permission errors: "fatal: /run belongs to uid 0 instead of 1000" Let the container run as root with existing Polaris exemptions. The s6-overlay init system handles privilege management internally. Fixes CrashLoopBackOff in znc-0 pod. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy --- znc/statefulset.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml index cd1fae4..1781d28 100644 --- a/znc/statefulset.yaml +++ b/znc/statefulset.yaml @@ -27,11 +27,6 @@ spec: containers: - name: znc image: lscr.io/linuxserver/znc:latest - env: - - name: PUID - value: "1000" - - name: PGID - value: "1000" ports: - containerPort: 6501 From 31673ea837c58586dde26e179c1755b5580aaf24 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sun, 8 Feb 2026 11:15:59 -0500 Subject: [PATCH 2/2] chore: add Checkov exemptions for ZNC root container --- .checkov.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.checkov.yaml b/.checkov.yaml index 1c02b14..71b37f6 100644 --- a/.checkov.yaml +++ b/.checkov.yaml @@ -9,3 +9,5 @@ skip-check: - CKV_K8S_14 # Image tag should be fixed (same as above) - CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes) - CKV_K8S_40 # Containers should run as high UID (ZNC LinuxServer container needs flexibility) + - CKV_K8S_23 # Minimize admission of root containers (ZNC requires root for s6-overlay init) + - CKV_K8S_20 # Containers should not run with allowPrivilegeEscalation (ZNC needs init flexibility)