diff --git a/.checkov.yaml b/.checkov.yaml
index 1b8debd..1c02b14 100644
--- a/.checkov.yaml
+++ b/.checkov.yaml
@@ -4,7 +4,8 @@ compact: true
 framework:
 - all
 skip-check:
- - CKV_K8S_21 # Default namespace usage
- - CKV_K8S_43 # Image tag validation (using latest tags intentionally)
- - CKV_K8S_14 # Image tag should be fixed (same as above)
- - CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
+ - CKV_K8S_21 # Default namespace usage
+ - CKV_K8S_43 # Image tag validation (using latest tags intentionally)
+ - CKV_K8S_14 # Image tag should be fixed (same as above)
+ - CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
+ - CKV_K8S_40 # Containers should run as high UID (ZNC LinuxServer container needs flexibility)
diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml
index 6311f84..cd1fae4 100644
--- a/znc/statefulset.yaml
+++ b/znc/statefulset.yaml
@@ -8,6 +8,8 @@ metadata:
 annotations:
 polaris.fairwinds.com/tagNotSpecified-exempt: "true"
 polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
+ polaris.fairwinds.com/runAsRootAllowed-exempt: "true"
+ polaris.fairwinds.com/runAsPrivileged-exempt: "true"
 spec:
 selector:
 matchLabels:
@@ -22,32 +24,19 @@ spec:
 spec:
 priorityClassName: low-priority
 automountServiceAccountToken: false
- securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
- seccompProfile:
- type: RuntimeDefault
 containers:
 - name: znc
 image: lscr.io/linuxserver/znc:latest
+ env:
+ - name: PUID
+ value: "1000"
+ - name: PGID
+ value: "1000"
 ports:
 - containerPort: 6501
 name: irc-6501
- securityContext:
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- runAsUser: 1000
- runAsGroup: 1000
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
- volumeMounts:
 - name: config
 mountPath: "/app/config"
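Review bot: The new `CKV_K8S_40` entry in `skip-check` is a repository-wide suppression, while its justification is specific to one workload; checkov supports resource-scoped suppression for Kubernetes manifests via an annotation on the object itself (`checkov.io/skip1: CKV_K8S_40=ZNC LinuxServer image must start as root to switch to PUID/PGID`), which keeps the check active for every other manifest the scan covers. The stated reason ("needs flexibility") also does not match the companion change in znc/statefulset.yaml, which still pins the UID through `PUID`/`PGID` env values of `"1000"` — the actual constraint is presumably that the image entrypoint starts as root and then drops to that UID, and the comment should say so. CKV_K8S_40 only covers the high-UID rule; the statefulset hunk additionally removes `runAsNonRoot`, `allowPrivilegeEscalation: false`, the `capabilities.drop: [ALL]` list and the seccomp profile, so other checks (presumably CKV_K8S_20, CKV_K8S_23, CKV_K8S_31 and CKV_K8S_37) would now flag that resource unless they are suppressed somewhere not shown here. The removed and re-added `CKV_K8S_21` through `CKV_K8S_22` lines read identically in this view, so this hunk appears to be a whitespace-only reindent of the existing entries.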