authorPaul Buetow <paul@buetow.org>2026-01-09 20:54:56 +0200
committerPaul Buetow <paul@buetow.org>2026-01-09 20:54:56 +0200
commitc45d171de3a3ff27816edeed7d9758c9bea231d8 (patch)
treea551d8ca5f7866fa2e64090485678c5efc377c24 /f3s/git-server/helm-chart
parentd238b13e4f644a3ccdb6c18ce54767a50db8b39e (diff)
Use proper security contexts for NFS access without chown
Changes: - Set fsGroup: 33 at pod level for proper NFS group access - Updated git user to UID 1001, GID 33 (www-data) to match NFS ownership - Run git-server container as UID 1001:33 (non-root) - Run cgit container as UID 33:33 (non-root) - Disabled SSH privilege separation (UsePrivilegeSeparation no) - Removed unnecessary capabilities (SETGID, SETUID, SYS_CHROOT) This follows the same pattern as filebrowser and webdav services, using security contexts instead of chown operations on NFS. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'f3s/git-server/helm-chart')
-rw-r--r--f3s/git-server/helm-chart/templates/deployment.yaml18
1 files changed, 10 insertions, 8 deletions
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 7a7ed57..f5ded3a 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -15,6 +15,8 @@ spec:
labels:
app: git-server
spec:
+ securityContext:
+ fsGroup: 33
initContainers:
- name: setup
image: alpine:3.19
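Review bot: `fsGroup: 33` does not re-own anything on an NFS-backed volume — kubelet applies fsGroup ownership changes only to volume types that support it — so its effect here is that every container process gains GID 33 as a supplemental group, which is what actually grants the NFS access. A comment stating that would keep a later maintainer from expecting the mount to be chowned: `# fsGroup 33 (www-data): supplemental GID for NFS access; kubelet does not re-own NFS volumes`. Note also that `runAsNonRoot: true` cannot go at this pod level as long as the setup init container appears to need root for its chown calls (next hunk), so that assertion belongs on the individual app containers.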
@@ -27,8 +29,9 @@ spec:
chown -R 0:0 /ssh-init
# Setup authorized_keys with correct ownership
# The /ssh-git mount point IS the .ssh directory
+ # UID 1001 and GID 33 match the NFS file ownership
cp /ssh-keys-secret/authorized_keys /ssh-git/authorized_keys
- chown -R 1000:1000 /ssh-git
+ chown -R 1001:33 /ssh-git
chmod 755 /ssh-git
chmod 644 /ssh-git/authorized_keys
volumeMounts:
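Review bot: The pair `1001:33` is now hard-coded in this shell script and again in the git-server container's `runAsUser`/`runAsGroup` later in the file, with nothing tying the two together, so a future change to one silently breaks the other. Since this is a Helm template, both places could render from the same chart values, e.g. `chown -R {{ .Values.GIT_UID }}:{{ .Values.GIT_GID }} /ssh-git` (value names are placeholders to be matched to the chart's values.yaml). The script body and the init container definition continue outside this hunk, so whether it still runs as root for the chown is inferred, not visible.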
@@ -57,12 +60,11 @@ spec:
- name: ssh-host-keys
mountPath: /etc/ssh
securityContext:
- runAsUser: 0
- runAsGroup: 0
+ runAsUser: 1001
+ runAsGroup: 33
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
- add: ["SYS_CHROOT", "SETGID", "SETUID"]
resources:
requests:
cpu: 50m
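Review bot: The securityContext sets `runAsUser: 1001` but not `runAsNonRoot: true`, so nothing makes the kubelet refuse to start the container if a later image or values override puts it back on UID 0; add `runAsNonRoot: true` next to `runAsGroup: 33` (the same applies to the cgit container's securityContext in the last hunk). Two run-time consequences of dropping root plus `SYS_CHROOT`/`SETGID`/`SETUID` are not visible in the hunk and worth confirming: with `drop: ["ALL"]` and no NET_BIND_SERVICE, sshd as UID 1001 cannot bind port 22 unless it listens on an unprivileged port or `net.ipv4.ip_unprivileged_port_start` is lowered, and the host keys under `/etc/ssh` — if they are the same files the init container re-owns with `chown -R 0:0 /ssh-init` — are readable by UID 1001 only if their mode permits it. The container definition starts before this hunk, so the listen port and image are not visible here.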
@@ -77,9 +79,9 @@ spec:
command: ["/bin/sh", "-c"]
args:
- |
- # Remove 'user nginx;' directive to avoid setgid errors when running as root
+ # Remove 'user nginx;' directive to avoid setgid errors
sed -i 's/^user nginx;//' /etc/nginx/nginx.conf
- # Start fcgiwrap and set socket permissions for nginx user
+ # Start fcgiwrap and set socket permissions
spawn-fcgi -s /var/run/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
sleep 1
chmod 666 /var/run/fcgiwrap.sock
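Review bot: `chmod 666 /var/run/fcgiwrap.sock` leaves the FastCGI socket world-writable, which made sense when nginx workers ran as a different user than fcgiwrap; with this container now set to `runAsUser: 33` / `runAsGroup: 33` in the last hunk, spawn-fcgi and nginx presumably run under the same UID, so `chmod 660 /var/run/fcgiwrap.sock` gives the same access without exposing the socket to any other process in the container. The rewritten comment could record why: `# Socket is shared only between nginx and fcgiwrap, both UID 33`. The script continues past the hunk, so where nginx is launched is inferred from the `sed` on nginx.conf rather than seen.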
@@ -104,8 +106,8 @@ spec:
subPath: cgitrc
readOnly: true
securityContext:
- runAsUser: 0
- runAsGroup: 0
+ runAsUser: 33
+ runAsGroup: 33
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
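Review bot: Running this container as UID 33 with every capability dropped means nginx can no longer bind a privileged port or write to root-owned pid, cache and log paths, and the hunk does not show whether the image already uses an unprivileged port and writable run/cache directories — a default `listen 80` would fail to bind. If that has been verified, a comment above `runAsUser: 33` recording the assumption would help the next reader: `# www-data; nginx must listen on an unprivileged port and have writable run/cache dirs`. The container spec begins before this hunk, so the ports and image are not visible here.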