From 54c84df28e293638f952fe86a5615a42db7ea0a5 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Sat, 17 Feb 2024 09:33:57 -0600
Subject: [PATCH] Move qb to its own namespace for NET_ADMIN.
---
 kubernetes/apps/qbittorrent/kustomization.yaml | 7 +++++++
 kubernetes/apps/qbittorrent/namespace.yaml | 7 +++++++
 .../qbittorrent/app/externalsecret.yaml | 1 +
 .../qbittorrent/app/helmrelease.yaml | 2 ++
 .../qbittorrent/app/kustomization.yaml | 0
 .../apps/{default => qbittorrent}/qbittorrent/ks.yaml | 4 ++--
 6 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/apps/qbittorrent/kustomization.yaml
 create mode 100644 kubernetes/apps/qbittorrent/namespace.yaml
 rename kubernetes/apps/{default => qbittorrent}/qbittorrent/app/externalsecret.yaml (97%)
 rename kubernetes/apps/{default => qbittorrent}/qbittorrent/app/helmrelease.yaml (98%)
 rename kubernetes/apps/{default => qbittorrent}/qbittorrent/app/kustomization.yaml (100%)
 rename kubernetes/apps/{default => qbittorrent}/qbittorrent/ks.yaml (93%)
diff --git a/kubernetes/apps/qbittorrent/kustomization.yaml b/kubernetes/apps/qbittorrent/kustomization.yaml
new file mode 100644
index 00000000..0b10b0fe
--- /dev/null
+++ b/kubernetes/apps/qbittorrent/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # Flux-Kustomizations
+ - ./qbittorrent/ks.yaml
diff --git a/kubernetes/apps/qbittorrent/namespace.yaml b/kubernetes/apps/qbittorrent/namespace.yaml
new file mode 100644
index 00000000..2bee302d
--- /dev/null
+++ b/kubernetes/apps/qbittorrent/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: qbittorrent
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
\ No newline at end of file
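Review bot: In `kubernetes/apps/qbittorrent/kustomization.yaml`, `resources` lists only `./qbittorrent/ks.yaml`, so the `namespace.yaml` this commit adds in the same directory is never referenced. If this directory is built through its kustomization.yaml, as the layout suggests, the `qbittorrent` Namespace is not applied and the objects ks.yaml targets at it will fail to reconcile unless something else creates the namespace. Add `- ./namespace.yaml` as the first entry under `resources:`, above the `# Flux-Kustomizations` comment.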
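Review bot: The Namespace in `namespace.yaml` carries only the Flux prune label and does not state a pod security level, although the commit title gives NET_ADMIN as the reason the namespace exists. NET_ADMIN is outside the capability list allowed by the Pod Security Standards `baseline` profile, so on a cluster that enforces `baseline` or `restricted` by default the pod would still be rejected here. Make the exception explicit and confined to this namespace with a label such as `pod-security.kubernetes.io/enforce: privileged` and a comment naming the workload that needs it. That level lifts all admission checks, so the container's own `securityContext` becomes the only restriction and nothing else should be deployed into this namespace. The file also ends without a trailing newline.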
diff --git a/kubernetes/apps/default/qbittorrent/app/externalsecret.yaml b/kubernetes/apps/qbittorrent/qbittorrent/app/externalsecret.yaml
similarity index 97%
rename from kubernetes/apps/default/qbittorrent/app/externalsecret.yaml
rename to kubernetes/apps/qbittorrent/qbittorrent/app/externalsecret.yaml
index ce845c5b..ebd5d0a1 100644
--- a/kubernetes/apps/default/qbittorrent/app/externalsecret.yaml
+++ b/kubernetes/apps/qbittorrent/qbittorrent/app/externalsecret.yaml
@@ -4,6 +4,7 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
 name: qbittorrent
+ namespace: qbittorrent
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml
similarity index 98%
rename from kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
rename to kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml
index 5eebdc07..bd75ff85 100644
--- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
+++ b/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml
@@ -77,6 +77,8 @@ spec:
 name: qbittorrent-secret
 securityContext:
 capabilities:
+ drop:
+ - ALL
 add:
 - NET_ADMIN
 allowPrivilegeEscalation: false
diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/qbittorrent/qbittorrent/app/kustomization.yaml
similarity index 100%
rename from kubernetes/apps/default/qbittorrent/app/kustomization.yaml
rename to kubernetes/apps/qbittorrent/qbittorrent/app/kustomization.yaml
diff --git a/kubernetes/apps/default/qbittorrent/ks.yaml b/kubernetes/apps/qbittorrent/qbittorrent/ks.yaml
similarity index 93%
rename from kubernetes/apps/default/qbittorrent/ks.yaml
rename to kubernetes/apps/qbittorrent/qbittorrent/ks.yaml
index 5a3bba6c..764f932c 100644
--- a/kubernetes/apps/default/qbittorrent/ks.yaml
+++ b/kubernetes/apps/qbittorrent/qbittorrent/ks.yaml
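Review bot: In `externalsecret.yaml` the added `namespace: qbittorrent` duplicates `targetNamespace: qbittorrent` in ks.yaml, which Flux already applies to every namespaced object under this path, so the namespace now has two sources of truth. Either drop the hard-coded field or mark it as deliberate with a comment such as `# also set by targetNamespace in ../ks.yaml`. Because the store is a `ClusterSecretStore`, also confirm that any namespace conditions on it admit `qbittorrent`; the store definition is outside this diff.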
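Review bot: The `securityContext` in `helmrelease.yaml` keeps `add: NET_ADMIN` with no comment on which component needs it or why, and after the new `drop: ALL` it is the container's only capability. Add a comment above `add:` such as `# NET_ADMIN: required by <component> to configure <interface/routes>` so the exception can be re-evaluated later. Check that the image still starts, since entrypoints that begin as root and chown files or switch user need CHOWN, SETUID or SETGID, which are now dropped. The block begins and ends outside the hunk; if `runAsNonRoot`, `readOnlyRootFilesystem` and `seccompProfile` with `type: RuntimeDefault` are not already set in the lines not shown, this is the place to add them.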
@@ -6,12 +6,12 @@ metadata:
 name: &app qbittorrent
 namespace: flux-system
 spec:
- targetNamespace: default
+ targetNamespace: qbittorrent
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
 interval: 10m
- path: "./kubernetes/apps/default/qbittorrent/app"
+ path: "./kubernetes/apps/qbittorrent/qbittorrent/app"
 prune: true
 sourceRef:
 kind: GitRepository
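Review bot: Changing `targetNamespace` from `default` to `qbittorrent` under the same Kustomization name with `prune: true` means Flux will garbage-collect the objects it previously applied in `default` once this reconciles. If the release owns PersistentVolumeClaims or other state there, that state is deleted rather than moved. The chart values are outside this diff, so check before merging and migrate or retain the volumes first. Nothing visible in this hunk orders the Kustomization after creation of the `qbittorrent` Namespace either; the rest of `spec` continues outside the hunk.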