From 61a514f759e1d7e40df6f825cd3a2f5abac4902f Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 17 Jun 2026 10:39:33 +0000 Subject: [PATCH] fix(stt): securityContext conforme PodSecurity restricted (ns ai) runAsNonRoot + runAsUser 1000 + seccompProfile RuntimeDefault (pod), allowPrivilegeEscalation false + drop ALL caps (conteneur). Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_013FmcxGsyXZXogiAHQLjnZT --- k8s/apps/stt/deployment.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/k8s/apps/stt/deployment.yaml b/k8s/apps/stt/deployment.yaml index 88c9d7c..79058d9 100644 --- a/k8s/apps/stt/deployment.yaml +++ b/k8s/apps/stt/deployment.yaml @@ -17,9 +17,19 @@ spec: # (cf. README : kubectl create secret docker-registry ghcr-pull ...) imagePullSecrets: - name: ghcr-pull + # Conformité PodSecurity "restricted" (namespace ai) + securityContext: + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault containers: - name: stt-server image: ghcr.io/alkatrazz24/funk-stt-server:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] ports: - containerPort: 8000 env: