Closed martinohmann closed 1 month ago
helmrelease
changes in kubernetes/main
--- HelmRelease: default/kubernetes-schemas Deployment: default/kubernetes-schemas
+++ HelmRelease: default/kubernetes-schemas Deployment: default/kubernetes-schemas
@@ -26,14 +26,17 @@
app.kubernetes.io/name: kubernetes-schemas
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
securityContext:
- runAsGroup: 568
- runAsUser: 568
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
topologySpreadConstraints:
- labelSelector:
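Review bot: `automountServiceAccountToken: true` together with `serviceAccountName: default` is kept in the pod spec at the top of this hunk, so the hardened pod still receives a mounted API token that nothing visible here uses. A token inside a container that serves static files is a credential handed to anyone who gains code execution in it, and the same combination is left in place in the github-mirror, jellyfin, go2rtc, miniflux, home-assistant, static-content-proxy and smtp-relay Deployment hunks (homepage uses its own `homepage` service account and may genuinely need the token). Unless one of these workloads talks to the Kubernetes API, set `automountServiceAccountToken: false` in the pod spec, presumably via the chart's `defaultPodOptions` next to the new `securityContext`.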
@@ -62,7 +65,13 @@
resources:
limits:
memory: 64M
requests:
cpu: 5m
memory: 10M
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
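Review bot: `readOnlyRootFilesystem: true` is added to the container here without any writable scratch volume in the hunk, so if the image writes to `/tmp`, a cache or a pid directory at runtime the container will now fail at startup rather than degrade. The same addition without a visible emptyDir appears in the github-mirror, homepage, jellyfin, go2rtc and static-content-proxy hunks; scm-migrator in github-mirror presumably clones repositories to disk, and jellyfin keeps transcoding and cache data, so those two are the most likely to need one. The home-assistant hunk shows the intended pattern with its `- mountPath: /tmp` / `name: tmp` mount; confirm each image's write paths on a rollout and add the equivalent emptyDir wherever a path must stay writable.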
--- HelmRelease: default/github-mirror CronJob: default/github-mirror
+++ HelmRelease: default/github-mirror CronJob: default/github-mirror
@@ -26,17 +26,15 @@
app.kubernetes.io/name: github-mirror
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
securityContext:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 568
+ runAsGroup: 65534
runAsNonRoot: true
- runAsUser: 568
+ runAsUser: 65534
seccompProfile:
type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
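Review bot: Dropping `fsGroup: 568` and `fsGroupChangePolicy: OnRootMismatch` while moving the job from uid 568 to 65534 means any persistent volume this CronJob writes to keeps its existing 568-owned files and is no longer chowned on mount, so the next run may fail with permission errors. Whether github-mirror has such a volume is not visible in this hunk; if it only uses emptyDir or writes nothing, the removal is fine. The same change is made in the github-mirror kustomization hunk below.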
@@ -58,7 +56,13 @@
value: scm_migrator=debug
envFrom:
- secretRef:
name: github-mirror
image: ghcr.io/martinohmann/scm-migrator:latest@sha256:fd563f8358ab5144d3670caa5ae2a1edb58f1d986e854e2f67379467252ec2c5
name: app
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
--- HelmRelease: default/mosquitto Deployment: default/mosquitto
+++ HelmRelease: default/mosquitto Deployment: default/mosquitto
@@ -33,12 +33,14 @@
securityContext:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
initContainers:
- args:
--- HelmRelease: default/homepage Deployment: default/homepage
+++ HelmRelease: default/homepage Deployment: default/homepage
@@ -29,12 +29,18 @@
app.kubernetes.io/instance: homepage
app.kubernetes.io/name: homepage
spec:
enableServiceLinks: false
serviceAccountName: homepage
automountServiceAccountToken: true
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- image: ghcr.io/gethomepage/homepage:v0.9.2
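Review bot: The homepage image on the last line of this hunk, `ghcr.io/gethomepage/homepage:v0.9.2`, is referenced by tag only, while the go2rtc, home-assistant and github-mirror Deployments in this PR pin `tag@sha256:…`; a mutable tag means the hardened pod spec can still pull different content than was reviewed. The nginx image in the static-content-proxy hunk, `public.ecr.aws/nginx/nginx:1.27.0`, has the same gap. Since this PR is a hardening pass, pinning both as `tag: v0.9.2@sha256:<digest>` in the kustomization values would match the rest.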
@@ -50,12 +56,23 @@
failureThreshold: 3
initialDelaySeconds: 0
periodSeconds: 10
tcpSocket:
port: 3000
timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /app/config/bookmarks.yaml
name: config
subPath: bookmarks.yaml
- mountPath: /app/config/docker.yaml
name: config
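Review bot: The new `resources` block sets `limits.memory: 256Mi` and `requests.cpu: 10m` but no memory request, and Kubernetes then copies the limit into the request, so the scheduler reserves the full 256Mi for this pod. If that is intended it is harmless, but it differs from the jellyfin and home-assistant hunks, which set both. The go2rtc Deployment hunk has the same shape with 128Mi; adding an explicit `memory:` under `requests:` in both keeps the intent visible.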
--- HelmRelease: default/jellyfin Deployment: default/jellyfin
+++ HelmRelease: default/jellyfin Deployment: default/jellyfin
@@ -29,13 +29,16 @@
serviceAccountName: default
automountServiceAccountToken: true
securityContext:
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 10000
+ runAsNonRoot: true
runAsUser: 10000
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- env:
@@ -64,12 +67,18 @@
resources:
limits:
memory: 2Gi
requests:
cpu: 10m
memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
startupProbe:
failureThreshold: 30
httpGet:
path: /health
port: 8096
initialDelaySeconds: 0
--- HelmRelease: default/go2rtc Deployment: default/go2rtc
+++ HelmRelease: default/go2rtc Deployment: default/go2rtc
@@ -27,22 +27,56 @@
app.kubernetes.io/instance: go2rtc
app.kubernetes.io/name: go2rtc
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- image: ghcr.io/alexxit/go2rtc:1.9.4@sha256:61b8f04efe0f9025739ce0e5e5a5e0748b64c1e4bdb5ae707e9d0966150175e7
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: 1984
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
name: app
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: 1984
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /config/go2rtc.yaml
name: config
+ readOnly: true
subPath: go2rtc.yaml
volumes:
- configMap:
name: go2rtc
name: config
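Review bot: The new liveness and readiness probes are identical (`httpGet` on `/` port 1984, `timeoutSeconds: 1`, `failureThreshold: 3`), so any condition that makes go2rtc miss three 1-second responses restarts the container instead of only pulling it out of the Service. Liveness is usually kept less aggressive than readiness, e.g. a higher `failureThreshold` or `timeoutSeconds` on the liveness probe, so a streaming hiccup does not become a restart loop. The same probe spec is in the go2rtc kustomization hunk below.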
--- HelmRelease: default/miniflux Deployment: default/miniflux
+++ HelmRelease: default/miniflux Deployment: default/miniflux
@@ -28,15 +28,17 @@
app.kubernetes.io/name: miniflux
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
securityContext:
- runAsGroup: 568
+ runAsGroup: 65534
runAsNonRoot: true
- runAsUser: 568
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
topologySpreadConstraints:
- labelSelector:
--- HelmRelease: default/home-assistant Deployment: default/home-assistant
+++ HelmRelease: default/home-assistant Deployment: default/home-assistant
@@ -27,16 +27,18 @@
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
securityContext:
fsGroup: 568
- fsGroupChangePolicy: Always
+ fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- image: ghcr.io/onedr0p/home-assistant:2024.6.3@sha256:35b49d32f55365f7125f7050da3c40d81623ff6f9115863e57f58f8aaf4fcb30
@@ -73,12 +75,18 @@
resources:
limits:
memory: 1Gi
requests:
cpu: 10m
memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /config
name: config
- mountPath: /tmp
name: tmp
volumes:
--- HelmRelease: default/zigbee2mqtt Deployment: default/zigbee2mqtt
+++ HelmRelease: default/zigbee2mqtt Deployment: default/zigbee2mqtt
@@ -33,12 +33,14 @@
securityContext:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- env:
--- HelmRelease: default/static-content-proxy Deployment: default/static-content-proxy
+++ HelmRelease: default/static-content-proxy Deployment: default/static-content-proxy
@@ -9,13 +9,13 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: static-content-proxy
annotations:
configmap.reloader.stakater.com/reload: static-content-proxy
spec:
revisionHistoryLimit: 3
- replicas: 1
+ replicas: 2
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/component: static-content-proxy
app.kubernetes.io/name: static-content-proxy
@@ -27,16 +27,29 @@
app.kubernetes.io/instance: static-content-proxy
app.kubernetes.io/name: static-content-proxy
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: static-content-proxy
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
containers:
- image: public.ecr.aws/nginx/nginx:1.27.0
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 0
periodSeconds: 10
@@ -54,12 +67,18 @@
resources:
limits:
memory: 64M
requests:
cpu: 5m
memory: 10M
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/nginx/nginx.conf
name: nginx-config
readOnly: true
subPath: nginx.conf
volumes:
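Review bot: This is the official `public.ecr.aws/nginx/nginx:1.27.0` image (shown in the previous hunk), now running with `readOnlyRootFilesystem: true` and, from the pod-level change, uid 65534 with all capabilities dropped; the stock image writes its pid file under `/var/run` and temp/cache files under `/var/cache/nginx`, and its default config binds port 80, which needs either `NET_BIND_SERVICE` or a port above 1024. Whether the mounted `nginx.conf` overrides `pid`, the `*_temp_path` directives and the listen port is not visible here. If it does not, the container will not start; the fix is emptyDir mounts for those paths (or the `nginxinc/nginx-unprivileged` variant) rather than re-adding capabilities.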
--- HelmRelease: default/smtp-relay Deployment: default/smtp-relay
+++ HelmRelease: default/smtp-relay Deployment: default/smtp-relay
@@ -28,15 +28,17 @@
app.kubernetes.io/name: smtp-relay
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
securityContext:
- runAsGroup: 568
+ runAsGroup: 65534
runAsNonRoot: true
- runAsUser: 568
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
topologySpreadConstraints:
- labelSelector:
kustomization
changes in kubernetes/main
--- kubernetes/main/apps/default/go2rtc/app Kustomization: flux-system/go2rtc HelmRelease: default/go2rtc
+++ kubernetes/main/apps/default/go2rtc/app Kustomization: flux-system/go2rtc HelmRelease: default/go2rtc
@@ -36,17 +36,51 @@
app:
image:
repository: ghcr.io/alexxit/go2rtc
tag: 1.9.4@sha256:61b8f04efe0f9025739ce0e5e5a5e0748b64c1e4bdb5ae707e9d0966150175e7
probes:
liveness:
- enabled: false
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: 1984
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
readiness:
- enabled: false
- startup:
- enabled: false
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /
+ port: 1984
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ defaultPodOptions:
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
ingress:
app:
annotations:
gethomepage.dev/enabled: 'false'
className: internal
enabled: true
@@ -63,12 +97,13 @@
persistence:
config:
advancedMounts:
go2rtc:
app:
- path: /config/go2rtc.yaml
+ readOnly: true
subPath: go2rtc.yaml
name: go2rtc
type: configMap
service:
app:
annotations:
--- kubernetes/main/apps/default/github-mirror/app Kustomization: flux-system/github-mirror HelmRelease: default/github-mirror
+++ kubernetes/main/apps/default/github-mirror/app Kustomization: flux-system/github-mirror HelmRelease: default/github-mirror
@@ -51,24 +51,28 @@
envFrom:
- secretRef:
name: github-mirror
image:
repository: ghcr.io/martinohmann/scm-migrator
tag: latest@sha256:fd563f8358ab5144d3670caa5ae2a1edb58f1d986e854e2f67379467252ec2c5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
cronjob:
backoffLimit: 6
concurrencyPolicy: Forbid
failedJobsHistory: 1
schedule: 01 23 * * 4
successfulJobsHistory: 1
suspend: false
type: cronjob
defaultPodOptions:
securityContext:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 568
+ runAsGroup: 65534
runAsNonRoot: true
- runAsUser: 568
+ runAsUser: 65534
seccompProfile:
type: RuntimeDefault
--- kubernetes/main/apps/default/homepage/app Kustomization: flux-system/homepage HelmRelease: default/homepage
+++ kubernetes/main/apps/default/homepage/app Kustomization: flux-system/homepage HelmRelease: default/homepage
@@ -41,13 +41,31 @@
tag: v0.9.2
probes:
liveness:
enabled: true
readiness:
enabled: true
+ resources:
+ limits:
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
ingress:
app:
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($host = 'www.18b.haus' ) {
rewrite ^ https://18b.haus$request_uri permanent;
--- kubernetes/main/apps/default/home-assistant/app Kustomization: flux-system/home-assistant HelmRelease: default/home-assistant
+++ kubernetes/main/apps/default/home-assistant/app Kustomization: flux-system/home-assistant HelmRelease: default/home-assistant
@@ -69,19 +69,27 @@
resources:
limits:
memory: 1Gi
requests:
cpu: 10m
memory: 128Mi
- pod:
- securityContext:
- fsGroup: 568
- fsGroupChangePolicy: Always
- runAsGroup: 568
- runAsNonRoot: true
- runAsUser: 568
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 568
+ runAsNonRoot: true
+ runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
ingress:
app:
annotations:
gethomepage.dev/enabled: 'true'
gethomepage.dev/group: Automation
gethomepage.dev/icon: home-assistant.png
--- kubernetes/main/apps/default/kubernetes-schemas/app Kustomization: flux-system/kubernetes-schemas HelmRelease: default/kubernetes-schemas
+++ kubernetes/main/apps/default/kubernetes-schemas/app Kustomization: flux-system/kubernetes-schemas HelmRelease: default/kubernetes-schemas
@@ -45,25 +45,34 @@
resources:
limits:
memory: 64M
requests:
cpu: 5m
memory: 10M
- pod:
- securityContext:
- runAsGroup: 568
- runAsUser: 568
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: kubernetes-schemas
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
replicas: 2
strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: kubernetes-schemas
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
ingress:
app:
annotations:
external-dns.alpha.kubernetes.io/target: external.18b.haus
nginx.ingress.kubernetes.io/server-snippet: |
# Disable nginx welcome page.
--- kubernetes/main/apps/default/jellyfin/app Kustomization: flux-system/jellyfin HelmRelease: default/jellyfin
+++ kubernetes/main/apps/default/jellyfin/app Kustomization: flux-system/jellyfin HelmRelease: default/jellyfin
@@ -81,18 +81,27 @@
resources:
limits:
memory: 2Gi
requests:
cpu: 10m
memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
defaultPodOptions:
securityContext:
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 10000
+ runAsNonRoot: true
runAsUser: 10000
+ seccompProfile:
+ type: RuntimeDefault
ingress:
app:
annotations:
gethomepage.dev/enabled: 'true'
gethomepage.dev/group: Media
gethomepage.dev/icon: jellyfin.png
--- kubernetes/main/apps/default/mosquitto/app Kustomization: flux-system/mosquitto HelmRelease: default/mosquitto
+++ kubernetes/main/apps/default/mosquitto/app Kustomization: flux-system/mosquitto HelmRelease: default/mosquitto
@@ -65,19 +65,21 @@
command:
- /bin/sh
- -c
image:
repository: docker.io/library/eclipse-mosquitto
tag: 2.0.18@sha256:cb3afd02611b0c58b328196ab00de0158322b4c1e014841fb182d2a0ea3a79b9
- pod:
- securityContext:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 568
- runAsNonRoot: true
- runAsUser: 568
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 568
+ runAsNonRoot: true
+ runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
persistence:
config:
enabled: true
existingClaim: mosquitto
globalMounts:
- path: /data
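Review bot: The mosquitto container gains the pod-level `seccompProfile` here but no container-level `securityContext`, whereas every other app in this PR gets `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true`. The context lines (`command`, `image`, then `pod`) suggest the container block ends without one, though they could belong to an init container and the main container's keys may sit above the hunk. If it is missing, adding the same six-line block under the container keeps mosquitto consistent with the rest; the writable state it needs is already covered by the `/data` claim shown at the end of the hunk.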
--- kubernetes/main/apps/default/smtp-relay/app Kustomization: flux-system/smtp-relay HelmRelease: default/smtp-relay
+++ kubernetes/main/apps/default/smtp-relay/app Kustomization: flux-system/smtp-relay HelmRelease: default/smtp-relay
@@ -57,26 +57,28 @@
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- pod:
- securityContext:
- runAsGroup: 568
- runAsNonRoot: true
- runAsUser: 568
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: smtp-relay
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
replicas: 2
strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: smtp-relay
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
persistence:
cache:
globalMounts:
- path: /cache
type: emptyDir
config:
--- kubernetes/main/apps/default/static-content-proxy/app Kustomization: flux-system/static-content-proxy HelmRelease: default/static-content-proxy
+++ kubernetes/main/apps/default/static-content-proxy/app Kustomization: flux-system/static-content-proxy HelmRelease: default/static-content-proxy
@@ -47,13 +47,34 @@
resources:
limits:
memory: 64M
requests:
cpu: 5m
memory: 10M
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ replicas: 2
strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: static-content-proxy
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
ingress:
app:
annotations:
external-dns.alpha.kubernetes.io/target: external.18b.haus
className: external
enabled: true
--- kubernetes/main/apps/default/zigbee2mqtt/app Kustomization: flux-system/zigbee2mqtt HelmRelease: default/zigbee2mqtt
+++ kubernetes/main/apps/default/zigbee2mqtt/app Kustomization: flux-system/zigbee2mqtt HelmRelease: default/zigbee2mqtt
@@ -113,19 +113,21 @@
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
- pod:
- securityContext:
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 568
- runAsNonRoot: true
- runAsUser: 568
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 568
+ runAsNonRoot: true
+ runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
ingress:
app:
annotations:
gethomepage.dev/enabled: 'true'
gethomepage.dev/group: Automation
gethomepage.dev/icon: zigbee2mqtt.png
--- kubernetes/main/apps/default/miniflux/app Kustomization: flux-system/miniflux HelmRelease: default/miniflux
+++ kubernetes/main/apps/default/miniflux/app Kustomization: flux-system/miniflux HelmRelease: default/miniflux
@@ -98,15 +98,17 @@
repository: ghcr.io/onedr0p/postgres-init
tag: 16.3@sha256:8ba3204f6b293dd168766009aae2ce4fa986a29b931c2d30ac1b30238ac750b8
replicas: 2
strategy: RollingUpdate
defaultPodOptions:
securityContext:
- runAsGroup: 568
+ runAsGroup: 65534
runAsNonRoot: true
- runAsUser: 568
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/name: miniflux
maxSkew: 1
topologyKey: kubernetes.io/hostname
Updates https://github.com/martinohmann/home-ops/issues/1003