diff --git a/.checkov.yaml b/.checkov.yaml index cc13ab5..1b8debd 100644 --- a/.checkov.yaml +++ b/.checkov.yaml @@ -5,12 +5,6 @@ framework: - all skip-check: - CKV_K8S_21 # Default namespace usage - - CKV_K8S_43 # Image tag validation - - CKV_K8S_40 # High UID requirement - - CKV_K8S_29 # Security context - - CKV_K8S_23 # Root containers - - CKV_K8S_37 # Container capabilities - - CKV_K8S_22 # Read-only filesystem - - CKV_K8S_28 # NET_RAW capability - - CKV_K8S_31 # Seccomp profile - - CKV_K8S_14 # Image tag should be fixed + - CKV_K8S_43 # Image tag validation (using latest tags intentionally) + - CKV_K8S_14 # Image tag should be fixed (same as above) + - CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes) diff --git a/.gitea/workflows/best-practices.yaml b/.gitea/workflows/best-practices.yaml index df1d813..013659c 100644 --- a/.gitea/workflows/best-practices.yaml +++ b/.gitea/workflows/best-practices.yaml @@ -37,12 +37,8 @@ jobs: kubectl kustomize . | kube-score score - \ --ignore-test pod-networkpolicy \ --ignore-test deployment-has-poddisruptionbudget \ - --ignore-test container-security-context-user-group-id \ --ignore-test container-security-context-readonlyrootfilesystem \ - --ignore-test statefulset-has-servicename \ --ignore-test container-image-tag \ - --ignore-test container-ephemeral-storage-request-and-limit \ - --ignore-test probe-not-identical \ --output-format ci fi diff --git a/thelounge/statefulset.yaml b/thelounge/statefulset.yaml index 5046562..6be3032 100644 --- a/thelounge/statefulset.yaml +++ b/thelounge/statefulset.yaml @@ -6,7 +6,6 @@ metadata: app.kubernetes.io/name: thelounge app.kubernetes.io/instance: thelounge annotations: - polaris.fairwinds.com/runAsRootAllowed-exempt: "true" polaris.fairwinds.com/tagNotSpecified-exempt: "true" polaris.fairwinds.com/topologySpreadConstraint-exempt: "true" spec: @@ -24,11 +23,26 @@ spec: spec: priorityClassName: low-priority automountServiceAccountToken: false + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault containers: - name: thelounge image: ghcr.io/thelounge/thelounge:latest securityContext: allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault ports: - containerPort: 9000 name: http-9000 @@ -39,11 +53,14 @@ spec: requests: cpu: "100m" memory: "256Mi" + ephemeral-storage: "1Gi" limits: cpu: "500m" memory: "512Mi" + ephemeral-storage: "2Gi" livenessProbe: - tcpSocket: + httpGet: + path: / port: 9000 initialDelaySeconds: 20 periodSeconds: 10 diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml index c67df76..f75aa29 100644 --- a/znc/statefulset.yaml +++ b/znc/statefulset.yaml @@ -6,7 +6,6 @@ metadata: app.kubernetes.io/name: znc app.kubernetes.io/instance: znc annotations: - polaris.fairwinds.com/runAsRootAllowed-exempt: "true" polaris.fairwinds.com/tagNotSpecified-exempt: "true" polaris.fairwinds.com/topologySpreadConstraint-exempt: "true" spec: @@ -24,6 +23,13 @@ spec: spec: priorityClassName: low-priority automountServiceAccountToken: false + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault containers: - name: znc image: lscr.io/linuxserver/znc:latest @@ -33,9 +39,15 @@ spec: name: irc-6501 securityContext: - runAsNonRoot: false allowPrivilegeEscalation: false - privileged: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - name: config @@ -45,9 +57,11 @@ spec: requests: memory: "256Mi" cpu: "100m" + ephemeral-storage: "1Gi" limits: memory: "512Mi" cpu: "500m" + ephemeral-storage: "2Gi" livenessProbe: tcpSocket: