This repository has been archived on 2026-05-26. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Chris Farhood 9c70b82fb3 security: implement proper security hardening
Instead of just skipping security checks, properly fix the issues:

**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)

**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)

**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals

**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions

**Note:** If containers fail to start post-merge, may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-08 10:06:36 -05:00

irc

Kubernetes manifests for IRC applications, deployed via Flux CD.

Applications

  • The Lounge - Modern web IRC client
  • ZNC - IRC bouncer

Deployment

This repository is deployed to Kubernetes using Flux CD with variable substitution. Configuration variables (e.g., hostnames) are provided via ConfigMaps at deployment time.

CI/CD

Automated validation and security scanning via Gitea Actions:

  • YAML linting and Kustomize validation
  • Kubernetes schema validation (kubeconform)
  • Security scanning (Trivy, Checkov)
  • Best practices analysis (kube-score, Polaris)
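
The hardening listed in the commit message above, laid out as a manifest to show which fields sit at pod level and which at container level. This is an added example, not a manifest from this repository; the Deployment name, image reference, port and probe path are assumptions.

```yaml
# Added example: not taken from this repository.
# Name, image, port and probe path are assumptions for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: thelounge                 # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: thelounge
  template:
    metadata:
      labels:
        app: thelounge
    spec:
      securityContext:            # pod level: inherited by every container
        runAsUser: 1000           # non-root UID
        runAsGroup: 1000
        fsGroup: 1000             # pod-level only; group ownership for mounted volumes
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: thelounge
          image: registry.example/thelounge:TAG   # placeholder image reference
          ports:
            - name: http
              containerPort: 9000 # assumed; The Lounge's default port
          securityContext:        # container level: capabilities cannot be set on the pod
            capabilities:
              drop: ["ALL"]
          # readOnlyRootFilesystem is left unset, matching the exception the commit keeps
          resources:
            requests:
              ephemeral-storage: 1Gi
            limits:
              ephemeral-storage: 2Gi
          livenessProbe:
            httpGet:              # HTTP check in place of a tcpSocket probe
              path: /             # assumed path
              port: http
```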