From 7955255e9b854c7f019d06db5d4e79b193b4e683 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Thu, 1 Jun 2023 23:21:04 -0400 Subject: [PATCH] add security contexts to download ns --- cluster/apps/download/bazarr/helm-release.yaml | 12 ++++++++++++ cluster/apps/download/mylar3/helm-release.yaml | 12 ++++++++++++ cluster/apps/download/prowlarr/helm-release.yaml | 7 +++++++ cluster/apps/download/qbittorrent/helm-release.yaml | 13 +++++++++++++ cluster/apps/download/radarr/helm-release.yaml | 7 +++++++ cluster/apps/download/readarr/audiobook-helm.yaml | 7 +++++++ cluster/apps/download/sonarr/helm-release.yaml | 7 +++++++ cluster/apps/download/unpackerr/helm-release.yaml | 7 +++++++ 8 files changed, 72 insertions(+) diff --git a/cluster/apps/download/bazarr/helm-release.yaml b/cluster/apps/download/bazarr/helm-release.yaml index bd9ff94..139291f 100644 --- a/cluster/apps/download/bazarr/helm-release.yaml +++ b/cluster/apps/download/bazarr/helm-release.yaml @@ -18,16 +18,20 @@ spec: image: repository: lscr.io/linuxserver/bazarr tag: latest + env: TZ: America/New_York + service: main: ports: http: port: 6767 + probes: liveness: enabled: false + ingress: main: enabled: true @@ -44,6 +48,7 @@ spec: - hosts: - *host secretName: wildcard-main-tls + persistence: config: enabled: true @@ -51,6 +56,13 @@ spec: hostPath: /mnt/MainPool/Kubernetes/bazarr mountPath: /config + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 5m diff --git a/cluster/apps/download/mylar3/helm-release.yaml b/cluster/apps/download/mylar3/helm-release.yaml index 262d289..9d1f7b7 100644 --- a/cluster/apps/download/mylar3/helm-release.yaml +++ b/cluster/apps/download/mylar3/helm-release.yaml 
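Review bot: In bazarr/helm-release.yaml the new `fsGroup: 10000` and `fsGroupChangePolicy: OnRootMismatch` will not change ownership of the `/config` volume, because it is a `hostPath` mount (`/mnt/MainPool/Kubernetes/bazarr`) and Kubernetes does not apply fsGroup ownership management to hostPath volumes. Unless that host directory is already owned by or writable for UID/GID 10000, the pod will start as 10000 and be unable to write its config. The same holds for every other `podSecurityContext` hunk in this patch (mylar3, prowlarr, qbittorrent, radarr, readarr, sonarr, unpackerr), all of which sit next to hostPath mounts. I would add a comment above the block such as `# hostPath: fsGroup is not applied; host dir must be owned by 10000:10000`, or move to a volume type that supports fsGroup.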
@@ -18,20 +18,24 @@ spec: image: repository: lscr.io/linuxserver/mylar3 tag: latest + env: TZ: America/New_York PGID: "1000" PUID: "1000" + service: main: ports: http: port: 8090 + probes: liveness: enabled: false startup: enabled: false + ingress: main: enabled: true @@ -48,6 +52,7 @@ spec: - hosts: - *host secretName: wildcard-main-tls + persistence: config: enabled: true @@ -60,6 +65,13 @@ spec: hostPath: /mnt/MainPool/Media mountPath: /storage + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 1m diff --git a/cluster/apps/download/prowlarr/helm-release.yaml b/cluster/apps/download/prowlarr/helm-release.yaml index 249d1f9..3edb778 100644 --- a/cluster/apps/download/prowlarr/helm-release.yaml +++ b/cluster/apps/download/prowlarr/helm-release.yaml @@ -100,6 +100,13 @@ spec: hostPath: /mnt/MainPool/Kubernetes/prowlarr mountPath: /config + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 2m diff --git a/cluster/apps/download/qbittorrent/helm-release.yaml b/cluster/apps/download/qbittorrent/helm-release.yaml index 403007f..571e790 100644 --- a/cluster/apps/download/qbittorrent/helm-release.yaml +++ b/cluster/apps/download/qbittorrent/helm-release.yaml @@ -36,6 +36,12 @@ spec: add: - NET_ADMIN + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + metrics: image: caseyscarborough/qbittorrent-exporter:latest env: @@ -94,6 +100,13 @@ spec: hostPath: /mnt/MainPool/Kubernetes/qbittorrent mountPath: /config + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + # resources: # requests: # cpu: 2m 
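Review bot: `runAsUser: 10000` in mylar3/helm-release.yaml disagrees with the `PUID: "1000"` / `PGID: "1000"` env values that remain a few lines above in the same file. The image is `lscr.io/linuxserver/mylar3`, and linuxserver.io images generally expect their init to start as root and then drop to PUID/PGID, so with `runAsNonRoot: true` the container may fail at startup or ignore those variables. This should be tested before merge, and it probably applies to bazarr (also a linuxserver image) as well. If the non-root start works, either remove the env vars or align them, e.g. `PUID: "10000"` and `PGID: "10000"`.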
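Review bot: The `podSecurityContext` added to prowlarr/helm-release.yaml sets only the run-as identity; nothing in this hunk prevents privilege escalation or trims capabilities and syscalls. Consider adding `seccompProfile: {type: RuntimeDefault}` to this block and, in the chart's container-level security context (the key name depends on the chart and is not visible in this hunk), `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. The same applies to the other releases touched by this patch, with qbittorrent needing its existing `NET_ADMIN` add reviewed separately.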
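Review bot: In qbittorrent/helm-release.yaml the first hunk puts `runAsNonRoot: true` / `runAsUser: 10000` directly after `add: - NET_ADMIN`, and Kubernetes does not place an added capability in the effective set of a non-root process (there is no ambient-capability support), so whatever needed NET_ADMIN will likely lose it. Indentation is lost on this page, but if these keys land in a container-level security context, `fsGroup` and `fsGroupChangePolicy` are pod-level fields and are not valid there. I would verify that the component using NET_ADMIN still works as UID 10000, and remove `fsGroup`/`fsGroupChangePolicy` from this block so they appear only in the `podSecurityContext` added by the second hunk. If that component must stay root, limit the exception to its own container and keep the pod-level non-root setting for the rest.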
diff --git a/cluster/apps/download/radarr/helm-release.yaml b/cluster/apps/download/radarr/helm-release.yaml index 83ced94..d1cdc36 100644 --- a/cluster/apps/download/radarr/helm-release.yaml +++ b/cluster/apps/download/radarr/helm-release.yaml @@ -107,6 +107,13 @@ spec: hostPath: /mnt/MainPool/Media mountPath: /storage + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 1m diff --git a/cluster/apps/download/readarr/audiobook-helm.yaml b/cluster/apps/download/readarr/audiobook-helm.yaml index d1f5cb8..b7de5b8 100644 --- a/cluster/apps/download/readarr/audiobook-helm.yaml +++ b/cluster/apps/download/readarr/audiobook-helm.yaml @@ -105,6 +105,13 @@ spec: hostPath: /mnt/MainPool/Media mountPath: /storage + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 1m diff --git a/cluster/apps/download/sonarr/helm-release.yaml b/cluster/apps/download/sonarr/helm-release.yaml index 4f0acfa..6b1c546 100644 --- a/cluster/apps/download/sonarr/helm-release.yaml +++ b/cluster/apps/download/sonarr/helm-release.yaml @@ -107,6 +107,13 @@ spec: hostPath: /mnt/MainPool/Media mountPath: /storage + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 2m diff --git a/cluster/apps/download/unpackerr/helm-release.yaml b/cluster/apps/download/unpackerr/helm-release.yaml index e1065ce..75acec8 100644 --- a/cluster/apps/download/unpackerr/helm-release.yaml +++ b/cluster/apps/download/unpackerr/helm-release.yaml @@ -48,6 +48,13 @@ spec: hostPath: /mnt/MainPool/Media mountPath: /storage + podSecurityContext: + runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch + resources: requests: cpu: 2m