martinohmann / home-ops

Wife approved HomeOps driven by Kubernetes and GitOps using Flux

chore: harden pods in default namespace #1007

Closed martinohmann closed 1 month ago

martinohmann commented 1 month ago

Updates https://github.com/martinohmann/home-ops/issues/1003

github-actions[bot] commented 1 month ago

helmrelease changes in kubernetes/main

--- HelmRelease: default/kubernetes-schemas Deployment: default/kubernetes-schemas

+++ HelmRelease: default/kubernetes-schemas Deployment: default/kubernetes-schemas

@@ -26,14 +26,17 @@

         app.kubernetes.io/name: kubernetes-schemas
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
-        runAsUser: 568
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
@@ -62,7 +65,13 @@

         resources:
           limits:
             memory: 64M
           requests:
             cpu: 5m
             memory: 10M
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
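Review bot: The pod hardening leaves `automountServiceAccountToken: true` next to `serviceAccountName: default`, so every container still receives an API credential it has no visible use for; a static schema server only needs `automountServiceAccountToken: false` unless it actually talks to the API. The same pairing survives in the github-mirror, jellyfin, go2rtc, miniflux, home-assistant, static-content-proxy and smtp-relay sections; homepage runs under its own `homepage` service account and presumably needs the token for its Kubernetes widgets, so it is the one to leave alone. The container spec in the second hunk starts before the hunk, so anything further up that contradicts this is not visible here.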

--- HelmRelease: default/github-mirror CronJob: default/github-mirror

+++ HelmRelease: default/github-mirror CronJob: default/github-mirror

@@ -26,17 +26,15 @@

             app.kubernetes.io/name: github-mirror
         spec:
           enableServiceLinks: false
           serviceAccountName: default
           automountServiceAccountToken: true
           securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
+            runAsGroup: 65534
             runAsNonRoot: true
-            runAsUser: 568
+            runAsUser: 65534
             seccompProfile:
               type: RuntimeDefault
           hostIPC: false
           hostNetwork: false
           hostPID: false
           dnsPolicy: ClusterFirst
@@ -58,7 +56,13 @@

               value: scm_migrator=debug
             envFrom:
             - secretRef:
                 name: github-mirror
             image: ghcr.io/martinohmann/scm-migrator:latest@sha256:fd563f8358ab5144d3670caa5ae2a1edb58f1d986e854e2f67379467252ec2c5
             name: app
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
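Review bot: Dropping `fsGroup`/`fsGroupChangePolicy` and adding `readOnlyRootFilesystem: true` in the same change leaves the migrator with no visible writable location: neither hunk shows a volume mount, and a tool that clones repositories needs scratch space somewhere, so expect the job to fail at its first write unless a mount sits outside the hunk; an `emptyDir` on the clone/temp path would close that. Separately, the job runs with `scm_migrator=debug` and takes its credentials from the `github-mirror` secret, so it is worth checking that the job logs after this rollout do not echo the token at that log level. The container spec starts before the hunk.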

--- HelmRelease: default/mosquitto Deployment: default/mosquitto

+++ HelmRelease: default/mosquitto Deployment: default/mosquitto

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       initContainers:
       - args:
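Review bot: Only the pod-level `seccompProfile` is added here; unlike the other Deployments in this PR the mosquitto container gets no `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` or `readOnlyRootFilesystem: true`. The mosquitto kustomization hunk further down shows the `app` container with only `command:` and `image:` before the removed `pod:` block, which suggests the container-level `securityContext` is missing rather than merely outside this hunk — worth confirming, since that section also shows a writable `/data` mount, so the rest of the filesystem can likely be read-only. The container list starts after this hunk ends.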
--- HelmRelease: default/homepage Deployment: default/homepage

+++ HelmRelease: default/homepage Deployment: default/homepage

@@ -29,12 +29,18 @@

         app.kubernetes.io/instance: homepage
         app.kubernetes.io/name: homepage
     spec:
       enableServiceLinks: false
       serviceAccountName: homepage
       automountServiceAccountToken: true
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - image: ghcr.io/gethomepage/homepage:v0.9.2
@@ -50,12 +56,23 @@

           failureThreshold: 3
           initialDelaySeconds: 0
           periodSeconds: 10
           tcpSocket:
             port: 3000
           timeoutSeconds: 1
+        resources:
+          limits:
+            memory: 256Mi
+          requests:
+            cpu: 10m
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /app/config/bookmarks.yaml
           name: config
           subPath: bookmarks.yaml
         - mountPath: /app/config/docker.yaml
           name: config
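Review bot: The new `resources` block sets `limits.memory: 256Mi` with no `requests.memory`; absent a LimitRange, Kubernetes copies the limit into the request, so this pod now requests 256Mi — far more than the explicit 10M–128Mi requests elsewhere in the PR — and the scheduler reserves it. If a smaller footprint is intended, add `requests.memory` explicitly, e.g. `memory: 64Mi`. The go2rtc Deployment (`limits.memory: 128Mi`) and the matching homepage and go2rtc kustomization hunks have the same shape. Separately, with `readOnlyRootFilesystem: true` and only individual files mounted via `subPath` under `/app/config`, the directory itself now comes from the read-only image; if this homepage version still writes its log file under the config directory, it will need an `emptyDir` there — confirm from the pod logs after rollout.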
--- HelmRelease: default/jellyfin Deployment: default/jellyfin

+++ HelmRelease: default/jellyfin Deployment: default/jellyfin

@@ -29,13 +29,16 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 10000
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 10000
+        runAsNonRoot: true
         runAsUser: 10000
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
@@ -64,12 +67,18 @@

         resources:
           limits:
             memory: 2Gi
           requests:
             cpu: 10m
             memory: 512Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         startupProbe:
           failureThreshold: 30
           httpGet:
             path: /health
             port: 8096
           initialDelaySeconds: 0
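Review bot: `readOnlyRootFilesystem: true` lands on a container that writes heavily at runtime — Jellyfin's config, cache and transcode directories — and the hunk shows no volume mounts, so whether those paths are writable is not verifiable from here; if `/config`, `/cache` and the transcode temp path are not on a PVC or `emptyDir`, playback and the startup probe on `/health` will fail after this change. Please confirm the mounts below the hunk cover them, and note it in the values file next to the new `securityContext`. The container spec starts before the hunk.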
--- HelmRelease: default/go2rtc Deployment: default/go2rtc

+++ HelmRelease: default/go2rtc Deployment: default/go2rtc

@@ -27,22 +27,56 @@

         app.kubernetes.io/instance: go2rtc
         app.kubernetes.io/name: go2rtc
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - image: ghcr.io/alexxit/go2rtc:1.9.4@sha256:61b8f04efe0f9025739ce0e5e5a5e0748b64c1e4bdb5ae707e9d0966150175e7
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 1984
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
         name: app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 1984
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 1
+        resources:
+          limits:
+            memory: 128Mi
+          requests:
+            cpu: 10m
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /config/go2rtc.yaml
           name: config
+          readOnly: true
           subPath: go2rtc.yaml
       volumes:
       - configMap:
           name: go2rtc
         name: config

--- HelmRelease: default/miniflux Deployment: default/miniflux

+++ HelmRelease: default/miniflux Deployment: default/miniflux

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: miniflux
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: default/home-assistant Deployment: default/home-assistant

+++ HelmRelease: default/home-assistant Deployment: default/home-assistant

@@ -27,16 +27,18 @@

     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 568
-        fsGroupChangePolicy: Always
+        fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - image: ghcr.io/onedr0p/home-assistant:2024.6.3@sha256:35b49d32f55365f7125f7050da3c40d81623ff6f9115863e57f58f8aaf4fcb30
@@ -73,12 +75,18 @@

         resources:
           limits:
             memory: 1Gi
           requests:
             cpu: 10m
             memory: 128Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /config
           name: config
         - mountPath: /tmp
           name: tmp
       volumes:
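Review bot: `capabilities.drop: [ALL]` is right for most of Home Assistant, but integrations that open raw sockets — ping-based device trackers and similar — need `NET_RAW` and will start failing quietly after this rollout. If any of those are in use, either add `capabilities.add: [NET_RAW]` on this container or accept the loss; a comment in the values file either way would save the next person a debugging session. `/config` and `/tmp` are mounted writable, so the read-only root filesystem looks fine here. The container spec starts before the hunk.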
--- HelmRelease: default/zigbee2mqtt Deployment: default/zigbee2mqtt

+++ HelmRelease: default/zigbee2mqtt Deployment: default/zigbee2mqtt

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: default/static-content-proxy Deployment: default/static-content-proxy

+++ HelmRelease: default/static-content-proxy Deployment: default/static-content-proxy

@@ -9,13 +9,13 @@

     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: static-content-proxy
   annotations:
     configmap.reloader.stakater.com/reload: static-content-proxy
 spec:
   revisionHistoryLimit: 3
-  replicas: 1
+  replicas: 2
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
       app.kubernetes.io/component: static-content-proxy
       app.kubernetes.io/name: static-content-proxy
@@ -27,16 +27,29 @@

         app.kubernetes.io/instance: static-content-proxy
         app.kubernetes.io/name: static-content-proxy
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: static-content-proxy
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
       containers:
       - image: public.ecr.aws/nginx/nginx:1.27.0
         livenessProbe:
           failureThreshold: 3
           initialDelaySeconds: 0
           periodSeconds: 10
@@ -54,12 +67,18 @@

         resources:
           limits:
             memory: 64M
           requests:
             cpu: 5m
             memory: 10M
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /etc/nginx/nginx.conf
           name: nginx-config
           readOnly: true
           subPath: nginx.conf
       volumes:
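Review bot: The stock `public.ecr.aws/nginx/nginx:1.27.0` image writes `nginx.pid` under `/var/run` and its temp/cache files under `/var/cache/nginx`, and listens on port 80; with `readOnlyRootFilesystem: true`, `runAsUser: 65534` and `capabilities.drop: [ALL]` all three break unless the mounted `nginx.conf` relocates `pid` and the `*_temp_path` directives to a writable volume and listens above 1024. The hunk shows only the `nginx.conf` mount, so confirm it does, or add `emptyDir` mounts for `/var/cache/nginx` and `/var/run` and move the listen port. The first hunk also moves to `replicas: 2` with a `DoNotSchedule` hostname spread, which needs at least two schedulable nodes or the second replica stays Pending. The container spec starts before the hunk.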
--- HelmRelease: default/smtp-relay Deployment: default/smtp-relay

+++ HelmRelease: default/smtp-relay Deployment: default/smtp-relay

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: smtp-relay
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
github-actions[bot] commented 1 month ago

kustomization changes in kubernetes/main

--- kubernetes/main/apps/default/go2rtc/app Kustomization: flux-system/go2rtc HelmRelease: default/go2rtc

+++ kubernetes/main/apps/default/go2rtc/app Kustomization: flux-system/go2rtc HelmRelease: default/go2rtc

@@ -36,17 +36,51 @@

           app:
             image:
               repository: ghcr.io/alexxit/go2rtc
               tag: 1.9.4@sha256:61b8f04efe0f9025739ce0e5e5a5e0748b64c1e4bdb5ae707e9d0966150175e7
             probes:
               liveness:
-                enabled: false
+                custom: true
+                enabled: true
+                spec:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /
+                    port: 1984
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
               readiness:
-                enabled: false
-              startup:
-                enabled: false
+                custom: true
+                enabled: true
+                spec:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /
+                    port: 1984
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+            resources:
+              limits:
+                memory: 128Mi
+              requests:
+                cpu: 10m
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           gethomepage.dev/enabled: 'false'
         className: internal
         enabled: true
@@ -63,12 +97,13 @@

     persistence:
       config:
         advancedMounts:
           go2rtc:
             app:
             - path: /config/go2rtc.yaml
+              readOnly: true
               subPath: go2rtc.yaml
         name: go2rtc
         type: configMap
     service:
       app:
         annotations:
--- kubernetes/main/apps/default/github-mirror/app Kustomization: flux-system/github-mirror HelmRelease: default/github-mirror

+++ kubernetes/main/apps/default/github-mirror/app Kustomization: flux-system/github-mirror HelmRelease: default/github-mirror

@@ -51,24 +51,28 @@

             envFrom:
             - secretRef:
                 name: github-mirror
             image:
               repository: ghcr.io/martinohmann/scm-migrator
               tag: latest@sha256:fd563f8358ab5144d3670caa5ae2a1edb58f1d986e854e2f67379467252ec2c5
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
         cronjob:
           backoffLimit: 6
           concurrencyPolicy: Forbid
           failedJobsHistory: 1
           schedule: 01 23 * * 4
           successfulJobsHistory: 1
           suspend: false
         type: cronjob
     defaultPodOptions:
       securityContext:
-        fsGroup: 568
-        fsGroupChangePolicy: OnRootMismatch
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
         seccompProfile:
           type: RuntimeDefault

--- kubernetes/main/apps/default/homepage/app Kustomization: flux-system/homepage HelmRelease: default/homepage

+++ kubernetes/main/apps/default/homepage/app Kustomization: flux-system/homepage HelmRelease: default/homepage

@@ -41,13 +41,31 @@

               tag: v0.9.2
             probes:
               liveness:
                 enabled: true
               readiness:
                 enabled: true
+            resources:
+              limits:
+                memory: 256Mi
+              requests:
+                cpu: 10m
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           nginx.ingress.kubernetes.io/configuration-snippet: |
             if ($host = 'www.18b.haus' ) {
               rewrite ^ https://18b.haus$request_uri permanent;
--- kubernetes/main/apps/default/home-assistant/app Kustomization: flux-system/home-assistant HelmRelease: default/home-assistant

+++ kubernetes/main/apps/default/home-assistant/app Kustomization: flux-system/home-assistant HelmRelease: default/home-assistant

@@ -69,19 +69,27 @@

             resources:
               limits:
                 memory: 1Gi
               requests:
                 cpu: 10m
                 memory: 128Mi
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: Always
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           gethomepage.dev/enabled: 'true'
           gethomepage.dev/group: Automation
           gethomepage.dev/icon: home-assistant.png
--- kubernetes/main/apps/default/kubernetes-schemas/app Kustomization: flux-system/kubernetes-schemas HelmRelease: default/kubernetes-schemas

+++ kubernetes/main/apps/default/kubernetes-schemas/app Kustomization: flux-system/kubernetes-schemas HelmRelease: default/kubernetes-schemas

@@ -45,25 +45,34 @@

             resources:
               limits:
                 memory: 64M
               requests:
                 cpu: 5m
                 memory: 10M
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: kubernetes-schemas
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
         replicas: 2
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: kubernetes-schemas
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.18b.haus
           nginx.ingress.kubernetes.io/server-snippet: |
             # Disable nginx welcome page.
--- kubernetes/main/apps/default/jellyfin/app Kustomization: flux-system/jellyfin HelmRelease: default/jellyfin

+++ kubernetes/main/apps/default/jellyfin/app Kustomization: flux-system/jellyfin HelmRelease: default/jellyfin

@@ -81,18 +81,27 @@

             resources:
               limits:
                 memory: 2Gi
               requests:
                 cpu: 10m
                 memory: 512Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
     defaultPodOptions:
       securityContext:
         fsGroup: 10000
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 10000
+        runAsNonRoot: true
         runAsUser: 10000
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           gethomepage.dev/enabled: 'true'
           gethomepage.dev/group: Media
           gethomepage.dev/icon: jellyfin.png
--- kubernetes/main/apps/default/mosquitto/app Kustomization: flux-system/mosquitto HelmRelease: default/mosquitto

+++ kubernetes/main/apps/default/mosquitto/app Kustomization: flux-system/mosquitto HelmRelease: default/mosquitto

@@ -65,19 +65,21 @@

             command:
             - /bin/sh
             - -c
             image:
               repository: docker.io/library/eclipse-mosquitto
               tag: 2.0.18@sha256:cb3afd02611b0c58b328196ab00de0158322b4c1e014841fb182d2a0ea3a79b9
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     persistence:
       config:
         enabled: true
         existingClaim: mosquitto
         globalMounts:
         - path: /data
--- kubernetes/main/apps/default/smtp-relay/app Kustomization: flux-system/smtp-relay HelmRelease: default/smtp-relay

+++ kubernetes/main/apps/default/smtp-relay/app Kustomization: flux-system/smtp-relay HelmRelease: default/smtp-relay

@@ -57,26 +57,28 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: smtp-relay
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 2
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: smtp-relay
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     persistence:
       cache:
         globalMounts:
         - path: /cache
         type: emptyDir
       config:
--- kubernetes/main/apps/default/static-content-proxy/app Kustomization: flux-system/static-content-proxy HelmRelease: default/static-content-proxy

+++ kubernetes/main/apps/default/static-content-proxy/app Kustomization: flux-system/static-content-proxy HelmRelease: default/static-content-proxy

@@ -47,13 +47,34 @@

             resources:
               limits:
                 memory: 64M
               requests:
                 cpu: 5m
                 memory: 10M
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+        replicas: 2
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: static-content-proxy
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.18b.haus
         className: external
         enabled: true
--- kubernetes/main/apps/default/zigbee2mqtt/app Kustomization: flux-system/zigbee2mqtt HelmRelease: default/zigbee2mqtt

+++ kubernetes/main/apps/default/zigbee2mqtt/app Kustomization: flux-system/zigbee2mqtt HelmRelease: default/zigbee2mqtt

@@ -113,19 +113,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           gethomepage.dev/enabled: 'true'
           gethomepage.dev/group: Automation
           gethomepage.dev/icon: zigbee2mqtt.png
--- kubernetes/main/apps/default/miniflux/app Kustomization: flux-system/miniflux HelmRelease: default/miniflux

+++ kubernetes/main/apps/default/miniflux/app Kustomization: flux-system/miniflux HelmRelease: default/miniflux

@@ -98,15 +98,17 @@

               repository: ghcr.io/onedr0p/postgres-init
               tag: 16.3@sha256:8ba3204f6b293dd168766009aae2ce4fa986a29b931c2d30ac1b30238ac750b8
         replicas: 2
         strategy: RollingUpdate
     defaultPodOptions:
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
             app.kubernetes.io/name: miniflux
         maxSkew: 1
         topologyKey: kubernetes.io/hostname