From eed5b44916c996a0961443e945f36f6763568fa0 Mon Sep 17 00:00:00 2001 From: Dreaded_X Date: Tue, 23 Dec 2025 00:49:55 +0100 Subject: [PATCH] feat: Create namespace and set it explicitly --- manifests/cluster-role-binding.yaml | 2 ++ manifests/cluster-role.yaml | 1 + manifests/deployment.yaml | 16 ++++++++++++++-- manifests/kustomization.yaml | 2 +- manifests/namespace.yaml | 4 ++++ manifests/service-account.yaml | 1 + 6 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 manifests/namespace.yaml diff --git a/manifests/cluster-role-binding.yaml b/manifests/cluster-role-binding.yaml index 6cc8b54..334c69d 100644 --- a/manifests/cluster-role-binding.yaml +++ b/manifests/cluster-role-binding.yaml @@ -2,9 +2,11 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: authelia-controller + namespace: authelia subjects: - kind: ServiceAccount name: authelia-controller + namespace: authelia roleRef: kind: ClusterRole name: authelia-controller diff --git a/manifests/cluster-role.yaml b/manifests/cluster-role.yaml index b88f03c..adbdb23 100644 --- a/manifests/cluster-role.yaml +++ b/manifests/cluster-role.yaml @@ -2,6 +2,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: authelia-controller + namespace: authelia rules: - apiGroups: - authelia.huizinga.dev diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index 7f7fb27..1f38c3d 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: authelia-controller + namespace: authelia labels: app: authelia-controller app.kubernetes.io/name: authelia-controller 
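Review bot: The `namespace: authelia` added under `metadata` of the ClusterRoleBinding should be dropped; ClusterRoleBinding is a cluster-scoped kind, so the field has no meaning there (depending on client and server version it is either silently discarded or rejected — I have not checked which) and it misleadingly suggests a namespace-scoped binding. The second `namespace: authelia`, the one under `subjects`, is the change that actually matters: a ServiceAccount subject in a ClusterRoleBinding only matches when its namespace is stated, and it must equal the namespace the ServiceAccount object is created in. Until now the Kustomize `namespace:` transformer kept those two in sync automatically; after this commit that is a manual invariant, so I would mark it, e.g. `namespace: authelia  # must match manifests/service-account.yaml`.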
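Review bot: `metadata.namespace: authelia` is not a valid field on a ClusterRole and should be removed from this hunk. A ClusterRole is never confined to a namespace; if the goal is to limit the controller's permissions to the `authelia` namespace, that is expressed with a `Role` plus `RoleBinding` in that namespace, not by namespacing the ClusterRole. Since the visible rule targets the `authelia.huizinga.dev` API group, which is presumably served cluster-wide, the ClusterRole is likely the right choice — just without the namespace line; the remainder of `rules` lies outside this hunk, so I cannot judge its scope.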
@@ -18,12 +19,17 @@ spec: kubectl.kubernetes.io/default-container: authelia-controller spec: serviceAccountName: authelia-controller - securityContext: {} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault containers: - name: authelia-controller image: '{{ index .images "authelia-controller" }}' imagePullPolicy: IfNotPresent - securityContext: {} resources: limits: cpu: 200m @@ -34,3 +40,9 @@ spec: env: - name: RUST_LOG value: info,authelia_controller=debug + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml index f17fb28..580c5fe 100644 --- a/manifests/kustomization.yaml +++ b/manifests/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: authelia resources: + - ./namespace.yaml - ./crds.yaml - ./service-account.yaml - ./cluster-role.yaml diff --git a/manifests/namespace.yaml b/manifests/namespace.yaml new file mode 100644 index 0000000..6c48a0b --- /dev/null +++ b/manifests/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: authelia diff --git a/manifests/service-account.yaml b/manifests/service-account.yaml index 81cb08a..1212b25 100644 --- a/manifests/service-account.yaml +++ b/manifests/service-account.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: authelia-controller + namespace: authelia labels: app: authelia-controller app.kubernetes.io/name: authelia-controller
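Review bot: Pinning `runAsUser: 1000` / `runAsGroup: 1000` at the pod level overrides whatever `USER` the image declares, and `runAsNonRoot: true` only makes the kubelet verify that the effective UID is non-zero, so a mismatch with the UID that owns the image's files would not be caught at admission but would surface as a runtime permission failure. Please confirm the `authelia-controller` image is built for UID/GID 1000, or drop the numeric `runAsUser`/`runAsGroup` and rely on `runAsNonRoot` plus a numeric `USER` in the image. `fsGroup: 1000` only has an effect on mounted volumes; none are visible in this hunk, so if the Deployment mounts nothing it is dead configuration. A comment such as `# 1000 must match the USER baked into the controller image` would prevent the next person from changing one without the other.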
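Review bot: The new container `securityContext` drops capabilities and privilege escalation but leaves the root filesystem writable; add `readOnlyRootFilesystem: true` alongside `allowPrivilegeEscalation: false`. The `RUST_LOG` variable suggests a single Rust binary that should not need to write to its own image, and if it does need scratch space the usual fix is an `emptyDir` mounted on that path rather than a writable rootfs. `runAsNonRoot: true` is now set at both pod and container level, which is harmless but redundant; keeping it only at the pod level (set in the earlier hunk) is enough.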
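Review bot: Removing `namespace: authelia` from the Kustomization means nothing re-asserts the namespace any more: any namespaced resource added to `resources` later without its own `metadata.namespace` will be created in whatever namespace the caller's kubeconfig context selects, and for a ServiceAccount that would silently break the ClusterRoleBinding subject match (fail closed, but confusing). Only the first three entries of `resources` are inside this hunk, so I could not check the rest of the list. I would document the new invariant in place, e.g. `# Namespace is set explicitly in each manifest (see namespace.yaml); every namespaced resource listed here must carry metadata.namespace: authelia.`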
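Review bot: The new `authelia` Namespace carries no Pod Security Admission labels, so the hardening added to the Deployment in this commit is declared but not enforced. The pod and container `securityContext` as written (`runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) already satisfies the `restricted` profile, so labelling the namespace costs nothing now and blocks a later regression; under `metadata` add `labels:` with `pod-security.kubernetes.io/enforce: restricted`. If the cluster's PSA version matters, pin it with `pod-security.kubernetes.io/enforce-version` as well.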