Instead of just skipping security checks, properly fix the issues:
**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)
**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)
**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals
**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions
**Note:** If containers fail to start post-merge, may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Chris Farhood
9c70b82fb3