feat: Add security context to linkding

2026-04-18 10:57:01 -04:00
parent ae768dfc95
commit 58db56ba09
2 changed files with 20 additions and 6 deletions
--- a/apps/hydra/linkding/deployment.yaml
+++ b/apps/hydra/linkding/deployment.yaml
@@ -21,9 +21,15 @@ spec:
        ports:
        - containerPort: 9090
        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /etc/linkding/data
          name: data
+      securityContext:
+        fsGroup: 33
+        runAsGroup: 33
+        runAsUser: 33
      volumes:
      - name: data
        persistentVolumeClaim:
--- a/pkg/linkding/linkding.go
+++ b/pkg/linkding/linkding.go
@@ -32,19 +32,25 @@ func Stack() stack.Stack {
 func deployment() apps.Deployment {
 	storage := kube.NewVolumeFrom(kube.VolumeSourcePVC, "data", pvc.Name)
 	pod_spec := core.PodSpec{
+		SecurityContext: &core.PodSecurityContext{
+			RunAsUser:  new(int64(33)), // www-data user ID
+			RunAsGroup: new(int64(33)),
+			FSGroup:    new(int64(33)),
+		},
 		Containers: []core.Container{
 			{
 				Name:  root.Linkding.Name,
 				Image: root.Linkding.Image,
+				SecurityContext: &core.SecurityContext{
+					AllowPrivilegeEscalation: new(false),
+				},
 				Ports: []core.ContainerPort{{
 					ContainerPort: root.Linkding.Port,
 				}},
-				VolumeMounts: []core.VolumeMount{
-					{
+				VolumeMounts: []core.VolumeMount{{
 					Name:      storage.Name,
 					MountPath: "/etc/linkding/data",
-					},
-				},
+				}},
 			},
 		},
 		Volumes: []core.Volume{
@@ -53,3 +59,5 @@ func deployment() apps.Deployment {
 	}
 	return kube.NewDeployment(meta, pod_spec)
 }
+
+// kubectl --kubeconfig ~/.kube/hydra -n linkding exec -it linking-67f686679d-2tfrk -- python manage.py createsuperuser --username=daniel --email=danicosme@pm.me