diff --git a/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml b/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml
index 3d9d4e55f8add..8d4083a729cf3 100644
--- a/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml
+++ b/kubernetes/storage/apps/default/filebrowser/app/helmrelease.yaml
@@ -62,14 +62,15 @@ spec:
 cpu: 10m
 limits:
 memory: 512Mi
- pod:
- securityContext:
- runAsUser: 568
- runAsGroup: 568
- runAsNonRoot: true
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups: [10000]
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 568
+ runAsGroup: 568
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ supplementalGroups: [10000]
+ seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: filebrowser
diff --git a/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml
index aa5fa3771efa4..9c28b81c7121a 100644
--- a/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml
+++ b/kubernetes/storage/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml
@@ -106,13 +106,14 @@ spec:
 initialDelaySeconds: 15
 securityContext: *securityContext
 resources: *resources
- pod:
- securityContext:
- runAsUser: 999
- runAsGroup: 999
- runAsNonRoot: true
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: onepassword-connect
diff --git a/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
index 225dfcb68038d..086e5344af813 100644
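Review bot: The filebrowser and onepassword-connect hunks here, and the system-upgrade-controller hunk that follows, rename `pod:` to `defaultPodOptions:` without showing the chart version or the key's nesting level, and Helm ignores a values key the chart does not read unless the chart ships a values schema. If the pinned chart does not consume `defaultPodOptions` at that level, the whole pod `securityContext` (`runAsNonRoot`, `runAsUser`, `fsGroup`, the new `seccompProfile`) would be dropped silently and the pods would run as whatever user the image defaults to. Comparing the rendered pod spec before and after the change would confirm the settings still land. In the filebrowser hunk, `supplementalGroups: [10000]` would also benefit from a comment such as `# GID 10000: <owner of the shared volume — placeholder>`, since that extra group presumably widens what the file browser can read and write.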
--- a/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
+++ b/kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
@@ -54,27 +54,28 @@ spec:
 capabilities: { drop: ["ALL"] }
 seccompProfile:
 type: RuntimeDefault
- pod:
- securityContext:
- runAsUser: 65534
- runAsGroup: 65534
- runAsNonRoot: true
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- effect: NoSchedule
- - key: node-role.kubernetes.io/master
- operator: Exists
- effect: NoSchedule
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile: { type: RuntimeDefault }
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
 serviceAccount:
 create: true
 name: system-upgrade
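Review bot: Moving `affinity` and `tolerations` under `defaultPodOptions` makes control-plane placement a default for every pod this release defines, where the old `pod:` key appears to have been scoped to a single controller (the nesting is not recoverable from the hunk). Any controller added later would inherit the `node-role.kubernetes.io/control-plane` tolerations unless it overrides them; a comment such as `# control-plane placement applies to all controllers in this release` above `affinity:` would make that explicit. The `node-role.kubernetes.io/master` toleration is carried over unchanged and is only needed if nodes in this cluster still carry that legacy taint. The pod-level `seccompProfile: { type: RuntimeDefault }` repeats the container-level setting visible in the context lines, which is harmless and also covers containers that set none.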