

chore(esphome): Enforce restricted pod security
gabe565 committed Oct 20, 2024
1 parent 7909935 commit 4acae0f
Showing 3 changed files with 14 additions and 7 deletions.
18 changes: 11 additions & 7 deletions kubernetes/gabernetes/apps/esphome/app/helmrelease.yaml
Expand Up @@ -29,7 +29,10 @@ spec:
matchLabels:
app.kubernetes.io/name: esphome
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile: { type: RuntimeDefault }

controllers:
esphome:
Expand All @@ -42,6 +45,7 @@ spec:
env:
TZ: America/Chicago
ESPHOME_DASHBOARD_USE_PING: true
PLATFORMIO_CORE_DIR: .tmp/platformio
probes:
startup:
enabled: true
Expand All @@ -54,6 +58,8 @@ spec:
enabled: true
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities: { drop: [ALL] }
pod:
terminationGracePeriodSeconds: 1
dnsConfig:
Expand All @@ -76,14 +82,16 @@ spec:
- --disable-update-check
- --auth=none
- --user-data-dir=/config/.vscode
- --extensions-dir=/config/.vscode
- /config
resources:
limits:
cpu: 500m
memory: 500Mi
securityContext:
readOnlyRootFilesystem: true
runAsUser: 0
allowPrivilegeEscalation: false
capabilities: { drop: [ALL] }
pod:
labels:
policy.gabe565.com/egress-world: "true"
Expand All @@ -108,13 +116,9 @@ spec:
accessMode: ReadWriteMany
size: 8Gi
retain: true
code-config:
nonexistent:
enabled: true
type: emptyDir
advancedMounts:
code:
app:
- path: /root/.config

ingress:
esphome:
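Review bot: The new `PLATFORMIO_CORE_DIR: .tmp/platformio` is a relative path, so where PlatformIO writes its toolchains depends on the esphome container's working directory; with `readOnlyRootFilesystem: true` and the pod now running as uid 65534, a cwd outside the config volume makes every compile fail at the first write. An absolute path into the mounted config, e.g. `PLATFORMIO_CORE_DIR: /config/.tmp/platformio` if `/config` is also the esphome container's mount, removes that dependency and matches the `/esphome-config/.tmp` backup exclude added in the same commit. The `code-config` emptyDir mounted at `/root/.config` is dropped without an equivalent for the new non-root user; if code-server still writes `~/.config/code-server` on startup it will hit the read-only root filesystem, so a writable `HOME` or an emptyDir at that user's config path may still be needed — worth confirming from the container logs after rollout. Using the same `/config/.vscode` directory for both `--user-data-dir` and `--extensions-dir` is unusual and deserves a one-line comment stating it is intentional. The `spec:` mapping these hunks belong to begins and ends outside the shown lines.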
Expand Up @@ -75,6 +75,7 @@ spec:
- /esphome-config
exclude_patterns:
- /esphome-config/.esphome
- /esphome-config/.tmp
- /esphome-config/build
archive_name_format: "esphome-{now:%Y-%m-%d-%H%M%S}"
ssh_command: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=ERROR
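Review bot: The new exclude `/esphome-config/.tmp` only keeps the PlatformIO cache out of the archive if the relative `PLATFORMIO_CORE_DIR: .tmp/platformio` set in helmrelease.yaml resolves under the config root mounted here as `/esphome-config`; a comment on the new line, `# PlatformIO core dir (PLATFORMIO_CORE_DIR in helmrelease.yaml); rebuilt on demand`, would tie the two together so the next edit keeps them in sync. This section's file header is not shown on the page and the enclosing mapping continues outside the hunk. Separately, the unchanged `ssh_command` line disables host-key verification (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), which leaves the backup transport with no protection against a substituted host; pinning the backup target's key in a mounted known_hosts file and dropping those two options is the safer default and is not part of this commit.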
2 changes: 2 additions & 0 deletions kubernetes/gabernetes/apps/esphome/namespace.yaml
Expand Up @@ -2,3 +2,5 @@ apiVersion: v1
kind: Namespace
metadata:
name: esphome
labels:
pod-security.kubernetes.io/enforce: restricted
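Review bot: The new `pod-security.kubernetes.io/enforce: restricted` label carries no `enforce-version`, so the set of controls applied is whatever the control plane's current definition of `restricted` is and can tighten silently on a cluster upgrade; pinning it with `pod-security.kubernetes.io/enforce-version: v1.NN` (placeholder — set to the cluster's minor version) makes the reviewed policy explicit. Enforce alone also rejects a non-compliant pod at admission with no earlier signal; adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` surfaces violations in kubectl output and the audit log before they block a rollout. This label is now the only admission guard for the namespace, so every container in the esphome helmrelease, including any init containers not shown in these hunks, must satisfy the restricted controls; that cannot be fully confirmed from the lines on the page.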

