From a5690472759962c765ee8e6f72ff2fd8fc923d62 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Sun, 8 Feb 2026 11:07:21 -0500
Subject: [PATCH] fix: revert ZNC security hardening for LinuxServer container

LinuxServer.io containers need to run init scripts with elevated
permissions before dropping to the specified PUID/PGID. Reverted to:
- Remove restrictive securityContext settings
- Use PUID/PGID environment variables (LinuxServer standard)
- Add Polaris exemptions for runAsRoot and runAsPrivileged
- Add Checkov exemption for high UID requirement

This fixes container startup issues introduced by security hardening.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
---
 .checkov.yaml        |  9 +++++----
 znc/statefulset.yaml | 25 +++++++------------------
 2 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/.checkov.yaml b/.checkov.yaml
index 1b8debd..1c02b14 100644
--- a/.checkov.yaml
+++ b/.checkov.yaml
@@ -4,7 +4,8 @@ compact: true
 framework:
   - all
 skip-check:
-  - CKV_K8S_21 # Default namespace usage
-  - CKV_K8S_43 # Image tag validation (using latest tags intentionally)
-  - CKV_K8S_14 # Image tag should be fixed (same as above)
-  - CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
+  - CKV_K8S_21  # Default namespace usage
+  - CKV_K8S_43  # Image tag validation (using latest tags intentionally)
+  - CKV_K8S_14  # Image tag should be fixed (same as above)
+  - CKV_K8S_22  # Read-only filesystem (IRC apps need to write to volumes)
+  - CKV_K8S_40  # Containers should run as high UID (ZNC LinuxServer container needs flexibility)
diff --git a/znc/statefulset.yaml b/znc/statefulset.yaml
index 6311f84..cd1fae4 100644
--- a/znc/statefulset.yaml
+++ b/znc/statefulset.yaml
@@ -8,6 +8,8 @@ metadata:
   annotations:
     polaris.fairwinds.com/tagNotSpecified-exempt: "true"
     polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
+    polaris.fairwinds.com/runAsRootAllowed-exempt: "true"
+    polaris.fairwinds.com/runAsPrivileged-exempt: "true"
 spec:
   selector:
     matchLabels:
@@ -22,32 +24,19 @@ spec:
     spec:
       priorityClassName: low-priority
       automountServiceAccountToken: false
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
       containers:
         - name: znc
           image: lscr.io/linuxserver/znc:latest
+          env:
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
 
           ports:
             - containerPort: 6501
               name: irc-6501
 
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
-
           volumeMounts:
             - name: config
               mountPath: "/app/config"