fix: revert ZNC security hardening for LinuxServer container

LinuxServer.io containers need to run init scripts with elevated permissions before dropping to the specified PUID/PGID. Reverted to: - Remove restrictive securityContext settings - Use PUID/PGID environment variables (LinuxServer standard) - Add Polaris exemptions for runAsRoot and runAsPrivileged - Add Checkov exemption for high UID requirement This fixes container startup issues introduced by security hardening. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-08 11:07:21 -05:00
parent 9a6c78680b
commit a569047275
2 changed files with 12 additions and 22 deletions
@@ -4,7 +4,8 @@ compact: true
 framework:
  - all
 skip-check:
-  - CKV_K8S_21 # Default namespace usage
-  - CKV_K8S_43 # Image tag validation (using latest tags intentionally)
-  - CKV_K8S_14 # Image tag should be fixed (same as above)
-  - CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
+  - CKV_K8S_21  # Default namespace usage
+  - CKV_K8S_43  # Image tag validation (using latest tags intentionally)
+  - CKV_K8S_14  # Image tag should be fixed (same as above)
+  - CKV_K8S_22  # Read-only filesystem (IRC apps need to write to volumes)
+  - CKV_K8S_40  # Containers should run as high UID (ZNC LinuxServer container needs flexibility)
@@ -8,6 +8,8 @@ metadata:
  annotations:
    polaris.fairwinds.com/tagNotSpecified-exempt: "true"
    polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
+    polaris.fairwinds.com/runAsRootAllowed-exempt: "true"
+    polaris.fairwinds.com/runAsPrivileged-exempt: "true"
 spec:
  selector:
    matchLabels:
@@ -22,32 +24,19 @@ spec:
    spec:
      priorityClassName: low-priority
      automountServiceAccountToken: false
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
      containers:
        - name: znc
          image: lscr.io/linuxserver/znc:latest
+          env:
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"

          ports:
            - containerPort: 6501
              name: irc-6501

-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
-
          volumeMounts:
            - name: config
              mountPath: "/app/config"