fix: revert ZNC security hardening for LinuxServer container
LinuxServer.io containers need to run init scripts with elevated permissions before dropping to the specified PUID/PGID. Reverted to: - Remove restrictive securityContext settings - Use PUID/PGID environment variables (LinuxServer standard) - Add Polaris exemptions for runAsRoot and runAsPrivileged - Add Checkov exemption for high UID requirement This fixes container startup issues introduced by security hardening. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
+5
-4
@@ -4,7 +4,8 @@ compact: true
|
|||||||
framework:
|
framework:
|
||||||
- all
|
- all
|
||||||
skip-check:
|
skip-check:
|
||||||
- CKV_K8S_21 # Default namespace usage
|
- CKV_K8S_21 # Default namespace usage
|
||||||
- CKV_K8S_43 # Image tag validation (using latest tags intentionally)
|
- CKV_K8S_43 # Image tag validation (using latest tags intentionally)
|
||||||
- CKV_K8S_14 # Image tag should be fixed (same as above)
|
- CKV_K8S_14 # Image tag should be fixed (same as above)
|
||||||
- CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
|
- CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
|
||||||
|
- CKV_K8S_40 # Containers should run as high UID (ZNC LinuxServer container needs flexibility)
|
||||||
|
|||||||
+7
-18
@@ -8,6 +8,8 @@ metadata:
|
|||||||
annotations:
|
annotations:
|
||||||
polaris.fairwinds.com/tagNotSpecified-exempt: "true"
|
polaris.fairwinds.com/tagNotSpecified-exempt: "true"
|
||||||
polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
|
polaris.fairwinds.com/topologySpreadConstraint-exempt: "true"
|
||||||
|
polaris.fairwinds.com/runAsRootAllowed-exempt: "true"
|
||||||
|
polaris.fairwinds.com/runAsPrivileged-exempt: "true"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
@@ -22,32 +24,19 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
priorityClassName: low-priority
|
priorityClassName: low-priority
|
||||||
automountServiceAccountToken: false
|
automountServiceAccountToken: false
|
||||||
securityContext:
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 1000
|
|
||||||
runAsGroup: 1000
|
|
||||||
fsGroup: 1000
|
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
containers:
|
containers:
|
||||||
- name: znc
|
- name: znc
|
||||||
image: lscr.io/linuxserver/znc:latest
|
image: lscr.io/linuxserver/znc:latest
|
||||||
|
env:
|
||||||
|
- name: PUID
|
||||||
|
value: "1000"
|
||||||
|
- name: PGID
|
||||||
|
value: "1000"
|
||||||
|
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 6501
|
- containerPort: 6501
|
||||||
name: irc-6501
|
name: irc-6501
|
||||||
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 1000
|
|
||||||
runAsGroup: 1000
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: "/app/config"
|
mountPath: "/app/config"
|
||||||
|
|||||||
Reference in New Issue
Block a user