security: implement proper security hardening

Instead of just skipping security checks, properly fix the issues:

**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)

**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)

**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals

**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions

**Note:** If containers fail to start post-merge, may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
2026-02-08 10:06:36 -05:00
parent 43d6bab89e
commit 9c70b82fb3
4 changed files with 39 additions and 18 deletions
+3 -9
View File
@@ -5,12 +5,6 @@ framework:
- all
skip-check:
- CKV_K8S_21 # Default namespace usage
- CKV_K8S_43 # Image tag validation
- CKV_K8S_40 # High UID requirement
- CKV_K8S_29 # Security context
- CKV_K8S_23 # Root containers
- CKV_K8S_37 # Container capabilities
- CKV_K8S_22 # Read-only filesystem
- CKV_K8S_28 # NET_RAW capability
- CKV_K8S_31 # Seccomp profile
- CKV_K8S_14 # Image tag should be fixed
- CKV_K8S_43 # Image tag validation (using latest tags intentionally)
- CKV_K8S_14 # Image tag should be fixed (same as above)
- CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)