add kyverno policies

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-05-27 19:23:54 -04:00
parent 4be877e419
commit baa0216960
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
35 changed files with 843 additions and 39 deletions


@ -15,8 +15,16 @@ spec:
labels:
app: audiobookshelf
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: audiobookshelf
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
image: ghcr.io/advplyr/audiobookshelf:2.35.0
imagePullPolicy: IfNotPresent
ports:
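Review bot: The new container-level `securityContext` for `audiobookshelf` does not drop Linux capabilities or set a seccomp profile, so the container keeps the runtime's default capability set and whatever seccomp behaviour the cluster defaults to. Adding `capabilities: {drop: ["ALL"]}` under the container `securityContext` and `seccompProfile: {type: RuntimeDefault}` at pod or container level would match the Pod Security Standards "restricted" profile. Whether the Kyverno policies added elsewhere in this commit require these fields is not visible here. The same gap appears in the navidrome, stirling-pdf and yopass sections below. The pod spec continues outside the hunk.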


@ -15,8 +15,17 @@ spec:
labels:
app: navidrome
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: navidrome
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: false
image: deluan/navidrome:pr-5495
ports:
- containerPort: 4533
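Review bot: `readOnlyRootFilesystem: false` is written out explicitly on the `navidrome` container with no explanation, and the `yopass` section does the same. Because `false` is already the default, the line reads as a deliberate exception, so a comment such as `# root FS left writable: <reason>` would tell the next reader which paths the process writes to. If those paths are known, the approach used in the stirling-pdf section (emptyDir mounts for scratch directories) would let this be set to `true` instead. The container spec continues past the hunk.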


@ -14,9 +14,15 @@ spec:
app: stirling-pdf
spec:
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: stirling-pdf
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:2.11.0-fat
resources:
requests:
@ -43,7 +49,25 @@ spec:
- name: stirling-data
mountPath: /pipeline
subPath: pipeline
- name: stirling-user
mountPath: /home
- name: tmp
mountPath: /tmp
- name: stirling
mountPath: /tmp/stirling-pdf
- name: app-data
mountPath: /usr/local/bin
volumes:
- name: stirling-data
persistentVolumeClaim:
claimName: stirling-data
- name: tmp
emptyDir: {}
- name: stirling
emptyDir: {}
- name: app-data
emptyDir: {}
- name: stirling-user
emptyDir: {}
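Review bot: The `app-data` emptyDir mounted at `/usr/local/bin` in the second hunk shadows whatever the image ships in that directory with an empty, writable one. That path is typically on `PATH`, so this can hide binaries the application expects and leaves a location where a compromised process could place executables that are later run. If only a scratch location is needed, mount the volume at a dedicated path, or add a comment stating why this directory must be writable. The four emptyDir volumes also have no `sizeLimit`, so they are bounded only by node ephemeral storage, and the `stirling` mount at `/tmp/stirling-pdf` sits inside the `tmp` mount at `/tmp` and looks redundant. The container spec starts in the first hunk, and the visible line count is shorter than the hunk header states, so some lines may be missing from this view.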


@ -12,8 +12,17 @@ spec:
labels:
app.kubernetes.io/name: yopass
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: yopass
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: false
image: jhaals/yopass:13.1.0
args:
- "--memcached=localhost:11211"