feat: add security to latest containers (#18)

* feat: add security to other containers

Signed-off-by: Ludovic Ortega <[email protected]>

charts/as212510-net/Chart.yaml

@@ -3,7 +3,7 @@ kubeVersion: ">=1.23.0-0"
 name: as212510-net
 description: as212510.net helm chart for Kubernetes
 type: application
-version: 0.5.0
+version: 0.5.1
 # image: ghcr.io/m0nsterrr/as212510.net
 appVersion: "3.0.0"
 maintainers:

charts/as212510-net/README.md

@@ -1,6 +1,6 @@
 # as212510-net
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square)
+![Version: 0.5.1](https://img.shields.io/badge/Version-0.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square)
 
 as212510.net helm chart for Kubernetes
 
@@ -62,6 +62,8 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | resources | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.fsGroup | int | `65532` |  |
+| securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | securityContext.runAsGroup | int | `65532` |  |

charts/as212510-net/values.schema.json

@@ -134,6 +134,12 @@
                         }
                     }
                 },
+                "fsGroup": {
+                    "type": "integer"
+                },
+                "fsGroupChangePolicy": {
+                    "type": "string"
+                },
                 "privileged": {
                     "type": "boolean"
                 },

charts/as212510-net/values.yaml

@@ -44,6 +44,8 @@ securityContext:
   privileged: false
   runAsUser: 65532
   runAsGroup: 65532
+  fsGroup: 65532
+  fsGroupChangePolicy: OnRootMismatch
   seccompProfile:
     type: RuntimeDefault
 

charts/bazarr/Chart.yaml

@@ -3,8 +3,8 @@ kubeVersion: ">=1.23.0-0"
 name: bazarr
 description: bazarr helm chart for Kubernetes
 type: application
-version: 0.1.11
-# image: linuxserver/bazarr
+version: 0.2.0
+# image: ghcr.io/onedr0p/bazarr
 appVersion: "1.4.2"
 maintainers:
   - name: Ludovic Ortega

charts/bazarr/README.md

@@ -1,6 +1,6 @@
 # bazarr
 
-![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.2](https://img.shields.io/badge/AppVersion-1.4.2-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.2](https://img.shields.io/badge/AppVersion-1.4.2-informational?style=flat-square)
 
 bazarr helm chart for Kubernetes
 
@@ -46,8 +46,8 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | extraEnvFrom | list | `[]` | Environment variables from secrets or configmaps to add to the bazarr pods |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"lscr.io"` |  |
-| image.repository | string | `"linuxserver/bazarr"` |  |
+| image.registry | string | `"ghcr.io"` |  |
+| image.repository | string | `"onedr0p/bazarr"` |  |
 | image.sha | string | `""` |  |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
@@ -65,7 +65,16 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | podSecurityContext | object | `{}` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.fsGroup | int | `65534` |  |
+| securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
+| securityContext.privileged | bool | `false` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsGroup | int | `65534` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `65534` |  |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

charts/bazarr/values.schema.json

@@ -143,7 +143,52 @@
             "type": "object"
         },
         "securityContext": {
-            "type": "object"
+            "type": "object",
+            "properties": {
+                "allowPrivilegeEscalation": {
+                    "type": "boolean"
+                },
+                "capabilities": {
+                    "type": "object",
+                    "properties": {
+                        "drop": {
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
+                        }
+                    }
+                },
+                "fsGroup": {
+                    "type": "integer"
+                },
+                "fsGroupChangePolicy": {
+                    "type": "string"
+                },
+                "privileged": {
+                    "type": "boolean"
+                },
+                "readOnlyRootFilesystem": {
+                    "type": "boolean"
+                },
+                "runAsGroup": {
+                    "type": "integer"
+                },
+                "runAsNonRoot": {
+                    "type": "boolean"
+                },
+                "runAsUser": {
+                    "type": "integer"
+                },
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
         },
         "service": {
             "type": "object",

charts/bazarr/values.yaml

@@ -1,8 +1,8 @@
 replicaCount: 1
 
 image:
-  registry: lscr.io
-  repository: linuxserver/bazarr
+  registry: ghcr.io
+  repository: onedr0p/bazarr
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""
@@ -38,12 +38,20 @@ podLabels: {}
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  privileged: false
+  runAsUser: 65534
+  runAsGroup: 65534
+  fsGroup: 65534
+  fsGroupChangePolicy: OnRootMismatch
+  seccompProfile:
+    type: RuntimeDefault
 
 service:
   type: ClusterIP

charts/flaresolverr/Chart.yaml

@@ -3,9 +3,9 @@ kubeVersion: ">=1.23.0-0"
 name: flaresolverr
 description: flaresolverr helm chart for Kubernetes
 type: application
-version: 0.2.0
+version: 0.2.1
 # image: flaresolverr/flaresolverr
-appVersion: "v3.3.16"
+appVersion: "v3.3.17"
 maintainers:
   - name: Ludovic Ortega
     email: [email protected]

charts/flaresolverr/README.md

@@ -1,6 +1,6 @@
 # flaresolverr
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.3.16](https://img.shields.io/badge/AppVersion-v3.3.16-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.3.17](https://img.shields.io/badge/AppVersion-v3.3.17-informational?style=flat-square)
 
 flaresolverr helm chart for Kubernetes
 
@@ -66,6 +66,8 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | resources | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.fsGroup | int | `1000` |  |
+| securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `false` |  |
 | securityContext.runAsGroup | int | `1000` |  |

charts/flaresolverr/templates/deployment.yaml

@@ -51,11 +51,11 @@ spec:
             {{- end }}
           livenessProbe:
             httpGet:
-              path: /
+              path: /health
               port: http
           readinessProbe:
             httpGet:
-              path: /
+              path: /health
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/flaresolverr/values.schema.json

@@ -153,6 +153,12 @@
                         }
                     }
                 },
+                "fsGroup": {
+                    "type": "integer"
+                },
+                "fsGroupChangePolicy": {
+                    "type": "string"
+                },
                 "privileged": {
                     "type": "boolean"
                 },

charts/flaresolverr/values.yaml

@@ -44,6 +44,8 @@ securityContext:
   privileged: false
   runAsUser: 1000
   runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch
   seccompProfile:
     type: RuntimeDefault
 

charts/kea-exporter/Chart.yaml

@@ -3,7 +3,7 @@ kubeVersion: ">=1.23.0-0"
 name: kea-exporter
 description: kea-exporter helm chart for Kubernetes
 type: application
-version: 0.2.0
+version: 0.2.1
 # image: ghcr.io/mweinelt/kea-exporter
 appVersion: "v0.7.0"
 maintainers:

charts/kea-exporter/README.md

@@ -1,6 +1,6 @@
 # kea-exporter
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.0](https://img.shields.io/badge/AppVersion-v0.7.0-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.0](https://img.shields.io/badge/AppVersion-v0.7.0-informational?style=flat-square)
 
 kea-exporter helm chart for Kubernetes
 
@@ -63,6 +63,8 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | resources | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.fsGroup | int | `1000` |  |
+| securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | securityContext.runAsGroup | int | `1000` |  |

charts/kea-exporter/values.schema.json

@@ -142,6 +142,12 @@
                         }
                     }
                 },
+                "fsGroup": {
+                    "type": "integer"
+                },
+                "fsGroupChangePolicy": {
+                    "type": "string"
+                },
                 "privileged": {
                     "type": "boolean"
                 },

charts/kea-exporter/values.yaml

@@ -44,6 +44,8 @@ securityContext:
   privileged: false
   runAsUser: 1000
   runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch
   seccompProfile:
     type: RuntimeDefault
 

charts/prometheus-pve-exporter/Chart.yaml

@@ -3,7 +3,7 @@ kubeVersion: ">=1.23.0-0"
 name: prometheus-pve-exporter
 description: prometheus-pve-exporter helm chart for Kubernetes
 type: application
-version: 0.2.0
+version: 0.2.1
 # image: prompve/prometheus-pve-exporter
 appVersion: "3.2.2"
 maintainers:

charts/prometheus-pve-exporter/README.md

@@ -1,6 +1,6 @@
 # prometheus-pve-exporter
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.2](https://img.shields.io/badge/AppVersion-3.2.2-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.2](https://img.shields.io/badge/AppVersion-3.2.2-informational?style=flat-square)
 
 prometheus-pve-exporter helm chart for Kubernetes
 
@@ -63,6 +63,8 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | resources | object | `{}` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.fsGroup | int | `1000` |  |
+| securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | securityContext.runAsGroup | int | `1000` |  |

charts/prometheus-pve-exporter/values.schema.json

@@ -142,6 +142,12 @@
                         }
                     }
                 },
+                "fsGroup": {
+                    "type": "integer"
+                },
+                "fsGroupChangePolicy": {
+                    "type": "string"
+                },
                 "privileged": {
                     "type": "boolean"
                 },

charts/prometheus-pve-exporter/values.yaml

@@ -44,6 +44,8 @@ securityContext:
   privileged: false
   runAsUser: 1000
   runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch
   seccompProfile:
     type: RuntimeDefault
 

charts/prowlarr/Chart.yaml

@@ -3,8 +3,8 @@ kubeVersion: ">=1.23.0-0"
 name: prowlarr
 description: prowlarr helm chart for Kubernetes
 type: application
-version: 0.1.8
-# image: linuxserver/prowlarr
+version: 0.2.0
+# image: ghcr.io/onedr0p/prowlarr
 appVersion: "1.15.0"
 maintainers:
   - name: Ludovic Ortega

charts/prowlarr/README.md

@@ -1,6 +1,6 @@
 # prowlarr
 
-![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.15.0](https://img.shields.io/badge/AppVersion-1.15.0-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.15.0](https://img.shields.io/badge/AppVersion-1.15.0-informational?style=flat-square)
 
 prowlarr helm chart for Kubernetes
 
@@ -46,8 +46,8 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | extraEnvFrom | list | `[]` | Environment variables from secrets or configmaps to add to the prowlarr pods |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"lscr.io"` |  |
-| image.repository | string | `"linuxserver/prowlarr"` |  |
+| image.registry | string | `"ghcr.io"` |  |
+| image.repository | string | `"onedr0p/prowlarr"` |  |
 | image.sha | string | `""` |  |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
@@ -65,7 +65,16 @@ helm repo add adminafk https://helm-charts.adminafk.fr
 | podSecurityContext | object | `{}` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.fsGroup | int | `65534` |  |
+| securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
+| securityContext.privileged | bool | `false` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsGroup | int | `65534` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `65534` |  |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |