feat: Create namespace and set it explicitly

2025-12-23 00:49:55 +01:00
parent 948473c171
commit b75561f589
6 changed files with 22 additions and 3 deletions
--- a/manifests/cluster-role-binding.yaml
+++ b/manifests/cluster-role-binding.yaml
@@ -2,6 +2,7 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: authelia-controller
+  namespace: authelia
 subjects:
  - kind: ServiceAccount
    name: authelia-controller
--- a/manifests/cluster-role.yaml
+++ b/manifests/cluster-role.yaml
@@ -2,6 +2,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: authelia-controller
+  namespace: authelia
 rules:
  - apiGroups:
      - authelia.huizinga.dev
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: authelia-controller
+  namespace: authelia
  labels:
    app: authelia-controller
    app.kubernetes.io/name: authelia-controller
@@ -18,12 +19,17 @@ spec:
        kubectl.kubernetes.io/default-container: authelia-controller
    spec:
      serviceAccountName: authelia-controller
-      securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: authelia-controller
          image: '{{ index .images "authelia-controller" }}'
          imagePullPolicy: IfNotPresent
-          securityContext: {}
          resources:
            limits:
              cpu: 200m
@@ -34,3 +40,9 @@ spec:
          env:
            - name: RUST_LOG
              value: info,authelia_controller=debug
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: authelia
 resources:
+  - ./namespace.yaml
  - ./crds.yaml
  - ./service-account.yaml
  - ./cluster-role.yaml
--- a/manifests/namespace.yaml
+++ b/manifests/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia
--- a/manifests/service-account.yaml
+++ b/manifests/service-account.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: authelia-controller
+  namespace: authelia
  labels:
    app: authelia-controller
    app.kubernetes.io/name: authelia-controller