From 328d424d4ecb0439d3e9eca414874686ae8e2766 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 21 Aug 2024 00:40:26 -0500
Subject: [PATCH] more user/group changes
---
 .../qbittorrent/flood/app/helmrelease.yaml | 21 +++++++++++++++----
 kubernetes/apps/qbittorrent/flood/ks.yaml | 2 --
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml b/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml
index 74e75b45..5bf2cad3 100644
--- a/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml
+++ b/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml
@@ -29,10 +29,12 @@ spec:
 values:
 defaultPodOptions:
 securityContext:
- runAsUser: 1000
- runAsGroup: 1001 # group 1001 is required for the flood container to run without errors.
- fsGroup: 1001
- fsGroupChangePolicy: OnRootMismatch
+ fsGroup: 568
+ runAsGroup: 568
+ runAsNonRoot: true
+ runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
 controllers:
 flood:
 annotations:
@@ -52,6 +54,17 @@ spec:
 cpu: 15m
 limits:
 memory: 512Mi
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 service:
 app:
 controller: *app
diff --git a/kubernetes/apps/qbittorrent/flood/ks.yaml b/kubernetes/apps/qbittorrent/flood/ks.yaml
index 6e773081..4d80a308 100644
--- a/kubernetes/apps/qbittorrent/flood/ks.yaml
+++ b/kubernetes/apps/qbittorrent/flood/ks.yaml
@@ -27,5 +27,3 @@ spec:
 substitute:
 APP: *app
 VOLSYNC_CAPACITY: 2Gi
- APP_UID: "1000"
- APP_GID: "1001"
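Review bot: Dropping `fsGroupChangePolicy: OnRootMismatch` from the pod-level `securityContext` falls back to the Kubernetes default of `Always`, so every mounted volume that supports ownership management is recursively re-owned to `fsGroup: 568` on each pod start; I would keep `fsGroupChangePolicy: OnRootMismatch` next to the new values. The removed comment said group 1001 was required for the flood container to run without errors, and nothing in this hunk records why 568 is now sufficient. If existing volume data or the image still expects that group, `supplementalGroups: [1001]` would preserve access without running as it; otherwise a short comment such as `# flood runs as 568:568; group 1001 no longer needed` documents the decision. The ks.yaml hunk removes `APP_UID`/`APP_GID`, so whatever consumed those substitutions presumably defaults to 568; worth confirming so restored data ends up owned by the same IDs the pod runs as.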
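Review bot: `readOnlyRootFilesystem: true` in the new container `securityContext` makes every write outside a mounted volume fail, and the persistence section lies outside this hunk, so it is not visible whether the paths flood writes at runtime are backed by a PVC or an `emptyDir`. Confirm those mounts exist before relying on the new liveness probe, since a write failure at startup would likely surface as a restart loop rather than a clear error. A comment above the flag such as `# requires writable mounts for every path the app writes (see persistence)` would make the dependency explicit for the next change to the volume list.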