feat: add roon ecosystem #330

volschin (Owner) commented Jul 17, 2024

github-actions bot commented Jul 17, 2024

--- kubernetes/apps Kustomization: flux-system/cluster-apps Namespace: flux-system/roon

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Namespace: flux-system/roon

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+    kustomize.toolkit.fluxcd.io/prune: disabled
+  name: roon
+
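Review bot: The `roon` namespace added here will stay empty, because the `roon-server` Kustomization in this PR sets `targetNamespace: home` and every rendered object carries `namespace: home`. Either drop this Namespace or point `targetNamespace` at `roon`; if it stays, consider adding `pod-security.kubernetes.io/enforce` labels so the policy for the namespace is explicit.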
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/roon-server

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/roon-server

@@ -0,0 +1,44 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-server
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: roon-server
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: external-secrets-stores
+  interval: 120m
+  path: ./kubernetes/apps/roon/roon-server/app
+  postBuild:
+    substitute:
+      APP: roon-server
+      VOLSYNC_CAPACITY: 5Gi
+      VOLSYNC_CLAIM: roon-data
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+    - kind: ConfigMap
+      name: cluster-user-settings
+      optional: true
+    - kind: Secret
+      name: cluster-user-secrets
+      optional: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: home
+  wait: true
+
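Review bot: The `VOLSYNC_CAPACITY` and `VOLSYNC_CLAIM` entries under `postBuild.substitute` have no consumer in the objects rendered for this Kustomization (only a Service, a Deployment and NFS-backed PV/PVC pairs appear), and `VOLSYNC_CAPACITY: 5Gi` disagrees with the 10Gi `roon-data` claim. Remove them or add the component that uses them. `TZ` is not in `substitute` either and the Deployment renders it as `value: null`, so confirm it is supplied by `cluster-settings`.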
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server Service: home/roonserver

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server Service: home/roonserver

@@ -0,0 +1,21 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: roon.lan
+  labels:
+    app: roonserver
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roonserver
+  namespace: home
+spec:
+  ports:
+  - name: roon
+    port: 9330
+    targetPort: 9330
+  selector:
+    app: roonserver
+
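Review bot: The Service sets no `type`, so it defaults to ClusterIP, and the `external-dns.alpha.kubernetes.io/hostname: roon.lan` annotation would then resolve to a cluster-internal address or not be published at all, depending on how external-dns is configured. Since the pod runs with `hostNetwork: true`, LAN clients reach the server on the node address; either give the Service a LAN-reachable type or drop the annotation. Only port 9330 is listed here, while the container declares 9101-9110, 9332 and 9003/UDP.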
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server Deployment: home/roonserver

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server Deployment: home/roonserver

@@ -0,0 +1,88 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+    service: roonserver
+  name: roonserver
+  namespace: home
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: roonserver
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: roonserver
+    spec:
+      containers:
+      - env:
+        - name: TZ
+          value: null
+        image: volschin/roon:latest
+        name: roonserver
+        ports:
+        - containerPort: 9101
+          protocol: TCP
+        - containerPort: 9102
+          protocol: TCP
+        - containerPort: 9103
+          protocol: TCP
+        - containerPort: 9104
+          protocol: TCP
+        - containerPort: 9105
+          protocol: TCP
+        - containerPort: 9106
+          protocol: TCP
+        - containerPort: 9107
+          protocol: TCP
+        - containerPort: 9108
+          protocol: TCP
+        - containerPort: 9109
+          protocol: TCP
+        - containerPort: 9110
+          protocol: TCP
+        - containerPort: 9332
+          protocol: TCP
+        - containerPort: 9330
+          protocol: TCP
+        - containerPort: 9003
+          protocol: UDP
+        resources:
+          limits:
+            memory: 4Gi
+          requests:
+            memory: 500Mi
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /app
+          name: roon-app
+        - mountPath: /music
+          name: roon-music
+        - mountPath: /data
+          name: roon-data
+        - mountPath: /backup
+          name: roon-backup
+      hostNetwork: true
+      hostname: roonserver
+      volumes:
+      - name: roon-app
+        persistentVolumeClaim:
+          claimName: roon-app
+      - name: roon-music
+        persistentVolumeClaim:
+          claimName: roon-music
+      - name: roon-data
+        persistentVolumeClaim:
+          claimName: roon-data
+      - name: roon-backup
+        persistentVolumeClaim:
+          claimName: roon-backup
+
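Review bot: `privileged: true` under `securityContext`, combined with `hostNetwork: true`, gives this container root-equivalent access to the node and its network stack, and most of the checkov failures on this PR trace back to these two lines. If host networking is needed for device discovery, keep `hostNetwork` and replace `privileged` with `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault`, adding back only what the server is shown to need. `image: volschin/roon:latest` should be pinned to a version tag and digest, and the `TZ` entry rendering as `value: null` needs a real value or should be removed.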
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-data

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-data

@@ -0,0 +1,20 @@

+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-data
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 10Gi
+  nfs:
+    path: /volume1/data/music/roon-data
+    server: store.lan
+  persistentVolumeReclaimPolicy: Retain
+
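Review bot: `namespace: home` in `metadata` has no effect on a PersistentVolume, which is cluster-scoped, and nothing in `spec` ties this volume to the `roon-data` claim. The four PVs in this PR share the same capacity and access mode, so add a `claimRef` (name `roon-data`, namespace `home`) so the NFS path `/volume1/data/music/roon-data` cannot be bound by a different claim. The same applies to the `roon-music`, `roon-app` and `roon-backup` PVs below.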
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-data

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-data

@@ -0,0 +1,19 @@

+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    volume.beta.kubernetes.io/storage-class: ''
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-data
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+
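Review bot: The claim has no `spec.volumeName`, so it can bind to any available 10Gi ReadWriteOnce PV without a storage class, not necessarily the `roon-data` one; set `volumeName: roon-data`. `volume.beta.kubernetes.io/storage-class: ''` is the deprecated annotation form; use `spec.storageClassName: ""` instead. The other three claims in this PR need the same change, otherwise `/data`, `/music`, `/app` and `/backup` may end up on each other's NFS paths.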
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-music

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-music

@@ -0,0 +1,20 @@

+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-music
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 10Gi
+  nfs:
+    path: /volume1/data/music/library
+    server: store.lan
+  persistentVolumeReclaimPolicy: Retain
+
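Review bot: `accessModes: ReadWriteOnce` exposes the music library at `/volume1/data/music/library` read-write to a privileged container. If the server only reads the library, declare this PV `ReadOnlyMany` and set `readOnly: true` on the `/music` volume mount in the Deployment.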
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-music

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-music

@@ -0,0 +1,19 @@

+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    volume.beta.kubernetes.io/storage-class: ''
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-music
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-app

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-app

@@ -0,0 +1,20 @@

+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-app
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 10Gi
+  nfs:
+    path: /volume1/data/music/roon-app
+    server: store.lan
+  persistentVolumeReclaimPolicy: Retain
+
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-app

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-app

@@ -0,0 +1,19 @@

+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    volume.beta.kubernetes.io/storage-class: ''
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-app
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-backup

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolume: home/roon-backup

@@ -0,0 +1,20 @@

+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-backup
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 10Gi
+  nfs:
+    path: /volume1/data/music/roon-backup
+    server: store.lan
+  persistentVolumeReclaimPolicy: Retain
+
--- kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-backup

+++ kubernetes/apps/roon/roon-server/app Kustomization: flux-system/roon-server PersistentVolumeClaim: home/roon-backup

@@ -0,0 +1,19 @@

+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    volume.beta.kubernetes.io/storage-class: ''
+  labels:
+    app.kubernetes.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/name: roon-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: roon-backup
+  namespace: home
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+

Comment on lines +19 to +105
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
service: roonserver
name: roonserver
namespace: roon
spec:
strategy:
type: Recreate
replicas: 1
selector:
matchLabels:
app: roonserver
template:
metadata:
labels:
app: roonserver
spec:
hostNetwork: true
hostname: roonserver
containers:
- image: volschin/roon:latest
securityContext:
privileged: true
name: roonserver
env:
- name: TZ
value: "${TZ}"
ports:
- containerPort: 9101
protocol: TCP
- containerPort: 9102
protocol: TCP
- containerPort: 9103
protocol: TCP
- containerPort: 9104
protocol: TCP
- containerPort: 9105
protocol: TCP
- containerPort: 9106
protocol: TCP
- containerPort: 9107
protocol: TCP
- containerPort: 9108
protocol: TCP
- containerPort: 9109
protocol: TCP
- containerPort: 9110
protocol: TCP
- containerPort: 9332
protocol: TCP
- containerPort: 9330
protocol: TCP
- containerPort: 9003
protocol: UDP
resources:
requests:
memory: 500Mi
limits:
memory: 4Gi
volumeMounts:
- mountPath: /app
name: roon-app
- mountPath: /music
name: roon-music
- mountPath: /data
name: roon-data
- mountPath: /backup
name: roon-backup

volumes:
- name: roon-app
persistentVolumeClaim:
claimName: roon-app
- name: roon-music
persistentVolumeClaim:
claimName: roon-music
- name: roon-data
persistentVolumeClaim:
claimName: roon-data
- name: roon-backup
persistentVolumeClaim:
claimName: roon-backup

# Data Volume
---

Check failure

Code scanning / checkov

Ensure that the seccomp profile is set to docker/default or runtime/default Error


Check failure

Code scanning / checkov

Image should use digest Error


Check failure

Code scanning / checkov

Minimize the admission of root containers Error


Check failure

Code scanning / checkov

Apply security context to your pods and containers Error


Check failure

Code scanning / checkov

CPU limits should be set Error


Check failure

Code scanning / checkov

Image Tag should be fixed - not latest or blank Error


Check failure

Code scanning / checkov

Minimize the admission of containers with capabilities assigned Error


Check failure

Code scanning / checkov

Minimize the admission of containers with the NET_RAW capability Error


Check failure

Code scanning / checkov

Containers should not share the host network namespace Error


Check failure

Code scanning / checkov

Minimize the admission of pods which lack an associated NetworkPolicy Error
