LinuxServer.io containers need to run init scripts with elevated
permissions before dropping to the specified PUID/PGID. Reverted to:
- Remove restrictive securityContext settings
- Use PUID/PGID environment variables (LinuxServer standard)
- Add Polaris exemptions for runAsRoot and runAsPrivileged
- Add Checkov exemption for high UID requirement
This fixes container startup issues introduced by security hardening.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Instead of just skipping security checks, properly fix the issues:
**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)
**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)
**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals
**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions
**Note:** If containers fail to start post-merge, may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Chris Farhood