Chris Farhood
9c70b82fb3
Instead of just skipping security checks, properly fix the issues: **Pod & Container Security Context:** - Add runAsUser: 1000 (non-root) - Add runAsGroup: 1000 - Add fsGroup: 1000 for volume permissions - Add seccompProfile: RuntimeDefault - Drop ALL capabilities (principle of least privilege) **Resource Management:** - Add ephemeral-storage requests (1Gi) and limits (2Gi) **Health Checks:** - Change thelounge liveness probe from TCP to HTTP - Reduces false positives and provides better health signals **Reduced Exceptions:** - Removed 6+ security check exceptions - Now only skip: image tags (intentional), read-only FS (apps need writes) - Removed Polaris runAsRootAllowed exemptions **Note:** If containers fail to start post-merge, may need to adjust UIDs or add specific capabilities. LinuxServer images may need tweaking. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
11 lines
320 B
YAML
11 lines
320 B
YAML
soft-fail: false
|
|
quiet: true
|
|
compact: true
|
|
framework:
|
|
- all
|
|
skip-check:
|
|
- CKV_K8S_21 # Default namespace usage
|
|
- CKV_K8S_43 # Image tag validation (using latest tags intentionally)
|
|
- CKV_K8S_14 # Image tag should be fixed (same as above)
|
|
- CKV_K8S_22 # Read-only filesystem (IRC apps need to write to volumes)
|