security: implement proper security hardening
Instead of just skipping security checks, properly fix the issues: **Pod & Container Security Context:** - Add runAsUser: 1000 (non-root) - Add runAsGroup: 1000 - Add fsGroup: 1000 for volume permissions - Add seccompProfile: RuntimeDefault - Drop ALL capabilities (principle of least privilege) **Resource Management:** - Add ephemeral-storage requests (1Gi) and limits (2Gi) **Health Checks:** - Change thelounge liveness probe from TCP to HTTP - Reduces false positives and provides better health signals **Reduced Exceptions:** - Removed 6+ security check exceptions - Now only skip: image tags (intentional), read-only FS (apps need writes) - Removed Polaris runAsRootAllowed exemptions **Note:** If containers fail to start post-merge, may need to adjust UIDs or add specific capabilities. LinuxServer images may need tweaking. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
+3
-9
@@ -5,12 +5,6 @@ framework:
|
||||
- all
|
||||
skip-check:
|
||||
- CKV_K8S_21 # Default namespace usage
|
||||
- CKV_K8S_43 # Image tag validation
|
||||
- CKV_K8S_40 # High UID requirement
|
||||
- CKV_K8S_29 # Security context
|
||||
- CKV_K8S_23 # Root containers
|
||||
- CKV_K8S_37 # Container capabilities
|
||||
- CKV_K8S_22 # Read-only filesystem
|
||||
- CKV_K8S_28 # NET_RAW capability
|
||||
- CKV_K8S_31 # Seccomp profile
|
||||
- CKV_K8S_14 # Image tag should be fixed
|
||||
- CKV_K8S_43 # Image tag validation (using latest tags intentionally)
|
||||
- CKV_K8S_14 # Image tag should be fixed (same as above)
|
||||
- CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
|
||||
|
||||
Reference in New Issue
Block a user