fix(media): remove incompatible security context from kaizoku and flaresolverr #198

Merged

Exikle merged 1 commit from fix/media-puid-pgid-security into main 2026-06-03 12:11:41 +00:00

Conversation 1 Commits 1 Files changed 4 +59 -58

Exikle commented 2026-06-03 12:08:43 +00:00

Owner

Copy link

No description provided.

Exikle added 1 commit 2026-06-03 12:08:43 +00:00

fix(media): remove incompatible security context from kaizoku and flaresolverr ... b561de8f53

kaizoku uses a PUID/PGID-style entrypoint that starts as root to create
its own user — runAsUser/runAsNonRoot/readOnlyRootFilesystem all break it.
flaresolverr runs Chromium which writes to its profile directory outside
/tmp — readOnlyRootFilesystem breaks it even with a /tmp emptyDir.

Also update review-app skill checklists with A19/A20 advisory items and
H8-H10/H22-H24 N/A exceptions so this class of image is handled correctly
in future reviews.

Exikle scheduled this pull request to auto merge when all checks succeed 2026-06-03 12:08:53 +00:00

Exikle added the

area/kubernetes

area/media

labels 2026-06-03 12:09:12 +00:00

dusk-bot commented 2026-06-03 12:11:09 +00:00

Collaborator

Copy link

Kustomization diff

@@ spec.values.controllers.flaresolverr.containers.app.securityContext @@
# helm.toolkit.fluxcd.io/v2/HelmRelease/media/flaresolverr
! - one map entry removed:
- readOnlyRootFilesystem: true

@@ spec.values.controllers.kaizoku.containers.app @@
# helm.toolkit.fluxcd.io/v2/HelmRelease/media/kaizoku
! - one map entry removed:
- securityContext:
-   allowPrivilegeEscalation: false
-   capabilities:
-     drop:
-     - ALL
-   readOnlyRootFilesystem: true

@@ spec.values.defaultPodOptions.securityContext @@
# helm.toolkit.fluxcd.io/v2/HelmRelease/media/kaizoku
! - three map entries removed:
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 99

HelmRelease diff

@@ spec.template.spec.containers.app.securityContext @@
# apps/v1/Deployment/media/flaresolverr
! - one map entry removed:
- readOnlyRootFilesystem: true

@@ spec.template.spec.containers.app @@
# apps/v1/Deployment/media/kaizoku
! - one map entry removed:
- securityContext:
-   allowPrivilegeEscalation: false
-   capabilities:
-     drop:
-     - ALL
-   readOnlyRootFilesystem: true

@@ spec.template.spec.securityContext @@
# apps/v1/Deployment/media/kaizoku
! - three map entries removed:
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 99

_{Diff created by flate — Workflow run}

<!-- flate --> <details open><summary>Kustomization diff</summary> ```diff @@ spec.values.controllers.flaresolverr.containers.app.securityContext @@ # helm.toolkit.fluxcd.io/v2/HelmRelease/media/flaresolverr ! - one map entry removed: - readOnlyRootFilesystem: true @@ spec.values.controllers.kaizoku.containers.app @@ # helm.toolkit.fluxcd.io/v2/HelmRelease/media/kaizoku ! - one map entry removed: - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true @@ spec.values.defaultPodOptions.securityContext @@ # helm.toolkit.fluxcd.io/v2/HelmRelease/media/kaizoku ! - three map entries removed: - runAsGroup: 100 - runAsNonRoot: true - runAsUser: 99 ``` </details> <details open><summary>HelmRelease diff</summary> ```diff @@ spec.template.spec.containers.app.securityContext @@ # apps/v1/Deployment/media/flaresolverr ! - one map entry removed: - readOnlyRootFilesystem: true @@ spec.template.spec.containers.app @@ # apps/v1/Deployment/media/kaizoku ! - one map entry removed: - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true @@ spec.template.spec.securityContext @@ # apps/v1/Deployment/media/kaizoku ! - three map entries removed: - runAsGroup: 100 - runAsNonRoot: true - runAsUser: 99 ``` </details> _{Diff created by [flate](https://github.com/home-operations/flate) — [Workflow run](https://git.dcunha.io/Exikle/Artemis-Cluster/actions/runs/754)}

Exikle merged commit fcf8f8455c into main 2026-06-03 12:11:41 +00:00

Exikle deleted branch fix/media-puid-pgid-security 2026-06-03 12:11:42 +00:00

Exikle referenced this pull request from a commit 2026-06-03 12:11:43 +00:00

fix(media): remove incompatible security context from kaizoku and flaresolverr (#198)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

area/bootstrap

Issues related to cluster bootstrapping

  

area/ci

Issues related to Forgejo workflows and automation

  

area/flux

Issues related to Flux CD configuration

  

area/kubernetes

Issues related to Kubernetes configuration

  

area/media

Issues related to media stack configuration

  

area/observability

Issues related to observability configuration

  

area/renovate

Issues related to Renovate configuration and automation

  

area/talos

Issues related to TalosOS configuration and operations

  

community

Community contributions and discussions

  

hold

Do not merge - work in progress or blocked

  

hold/upstream

Blocked waiting for upstream fix or update

  

priority/high

High priority issues

  

priority/low

Low priority issues

  

priority/medium

Medium priority issues

  

renovate/container

Container image updates from Renovate

  

renovate/forgejo-action

Forgejo Action updates from Renovate

  

renovate/github-release

GitHub Release updates from Renovate

  

renovate/grafana-dashboard

Grafana dashboard updates from Renovate

  

renovate/helm

Helm chart updates from Renovate

  

type/digest

Container digest updates (same version, new build)

  

type/major

Major version updates (breaking changes)

  

type/minor

Minor version updates (new features, backward compatible)

  

type/patch

Patch version updates (bug fixes)

No labels

area/bootstrap

area/ci

area/flux

area/kubernetes

area/media

area/observability

area/renovate

area/talos

community

hold

hold/upstream

priority/high

priority/low

priority/medium

renovate/container

renovate/forgejo-action

renovate/github-release

renovate/grafana-dashboard

renovate/helm

type/digest

type/major

type/minor

type/patch

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

Exikle/Artemis-Cluster!198

No description provided.