Drop anything but CHOWN

2025-04-15 13:19:07 +00:00 · 2025-04-15 13:19:07 +00:00 · 3d5cff4b41
commit 3d5cff4b41
parent bc116542c8
13 changed files with 20 additions and 19 deletions
--- a/redxen/alloy/deployment.yml
+++ b/redxen/alloy/deployment.yml
@ -32,7 +32,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/gitea/deployment.yml
+++ b/redxen/gitea/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/grafana/deployment.yml
+++ b/redxen/grafana/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/haproxy/daemonset.yml
+++ b/redxen/haproxy/daemonset.yml
@ -15,10 +15,6 @@ spec:
      namespace: redxen
      labels:
        app: haproxy
-      annotations:
-        prometheus.io/scrape: 'true'
-        prometheus.io/path: '/metrics'
-        prometheus.io/port: '9100'
    spec:
      tolerations:
        - key: node-role.kubernetes.io/control-plane
--- a/redxen/homepage/deployment.yml
+++ b/redxen/homepage/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/kustomization.yaml
+++ b/redxen/kustomization.yaml
@ -8,7 +8,6 @@ resources:
  - haproxy/
  - homepage/
  - murmur/
-  - node_exporter/
  - postgresql/
  - redis/
  - registry/
--- a/redxen/loki/deployment.yml
+++ b/redxen/loki/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/node_exporter/daemonset.yml
+++ b/redxen/node_exporter/daemonset.yml
@ -15,10 +15,6 @@ spec:
      namespace: redxen
      labels:
        app: node-exporter
-      annotations:
-        prometheus.io/scrape: 'true'
-        prometheus.io/path: '/metrics'
-        prometheus.io/port: '9100'
    spec:
      # TODO: Figure out if node_exporter needs priviledged access
      securityContext:
--- a/redxen/nsd/deployment.yml
+++ b/redxen/nsd/deployment.yml
@ -38,7 +38,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/postgresql/deployment.yml
+++ b/redxen/postgresql/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/prometheus/deployment.yml
+++ b/redxen/prometheus/deployment.yml
@ -32,7 +32,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/redis/deployment.yml
+++ b/redxen/redis/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
--- a/redxen/registry/deployment.yml
+++ b/redxen/registry/deployment.yml
@ -31,7 +31,8 @@ spec:
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
-              drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+              drop: ["ALL"]
+              add: ["CHOWN"]
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false