From e15f3d17ba5686e991ace7e1dcd1f24fe4984f7e Mon Sep 17 00:00:00 2001
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Date: Thu, 15 Feb 2024 10:34:04 +0200
Subject: [PATCH] pihole - add missing caps (#2170)
---
 library/ix-dev/charts/pihole/Chart.yaml | 2 +-
 library/ix-dev/charts/pihole/metadata.yaml | 2 ++
 library/ix-dev/charts/pihole/templates/_pihole.tpl | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/library/ix-dev/charts/pihole/Chart.yaml b/library/ix-dev/charts/pihole/Chart.yaml
index fa98d6969c..4f328962ac 100644
--- a/library/ix-dev/charts/pihole/Chart.yaml
+++ b/library/ix-dev/charts/pihole/Chart.yaml
@@ -3,7 +3,7 @@ description: DNS and Ad-filtering for your network.
 annotations:
 title: Pi-hole
 type: application
-version: 2.0.0
+version: 2.0.1
 apiVersion: v2
 appVersion: 2023.11.0
 kubeVersion: '>=1.16.0-0'
diff --git a/library/ix-dev/charts/pihole/metadata.yaml b/library/ix-dev/charts/pihole/metadata.yaml
index f24c69667b..30e578c565 100644
--- a/library/ix-dev/charts/pihole/metadata.yaml
+++ b/library/ix-dev/charts/pihole/metadata.yaml
@@ -17,6 +17,8 @@ capabilities:
 description: Pi-hole is able to set user ID for it's sub-processes.
 - name: SETFCAP
 description: Pi-hole is able to set file capabilities.
+ - name: SETPCAP
+ description: Pi-hole is able to set process capabilities.
 - name: NET_ADMIN
 description: Pi-hole is able to perform various network-related operations.
 - name: KILL
diff --git a/library/ix-dev/charts/pihole/templates/_pihole.tpl b/library/ix-dev/charts/pihole/templates/_pihole.tpl
index b46fafa8ae..f37f53d726 100644
--- a/library/ix-dev/charts/pihole/templates/_pihole.tpl
+++ b/library/ix-dev/charts/pihole/templates/_pihole.tpl
@@ -16,6 +16,7 @@ workload:
 runAsGroup: 0
 runAsNonRoot: false
 readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
 capabilities:
 add:
 - NET_ADMIN
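Review bot: The added `allowPrivilegeEscalation: true` in the first `_pihole.tpl` hunk is not covered by the commit title, which mentions only capabilities, and it has no explanation in the template. Setting it leaves `no_new_privs` unset for a container that the visible context already runs with `runAsGroup: 0`, `runAsNonRoot: false` and `NET_ADMIN`, so the reason belongs in a comment next to the line, for example `# required so file capabilities granted via SETFCAP apply on exec (confirm)`; the same goes for `- SETPCAP` in the following hunk. If metadata.yaml has a place to record it, the escalation setting should be listed there alongside the new SETPCAP entry, since nothing in the visible metadata hunk mentions it. The security-context mapping starts above this hunk and the capability list continues past it.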
@@ -25,6 +26,7 @@ workload:
 - SETGID
 - SETUID
 - SETFCAP
+ - SETPCAP
 - KILL
 env:
 WEB_PORT: {{ .Values.piholeNetwork.webPort }}