fix: fixes a lot of checkov errors

build/package/Dockerfile

@@ -11,7 +11,7 @@ RUN make
 
 FROM alpine:3.18 as runner
 
-RUN adduser -u 1000 -s /bin/bash --disabled-password surbot && \
+RUN adduser -u 10000 -s /bin/bash --disabled-password surbot && \
   apk add --no-cache \
     ffmpeg \
     curl \

deployments/templates/deployment.yaml

@@ -2,8 +2,11 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "surbot.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "surbot.labels" . | nindent 4 }}
+  annotations:
+    checkov.io/skip1: CKV_K8S_43
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
@@ -25,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "surbot.serviceAccountName" . }}
+      automountServiceAccountToken: false
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

deployments/templates/serviceaccount.yaml

@@ -4,6 +4,7 @@ kind: ServiceAccount
 metadata:
   name: {{ include "surbot.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+  automountServiceAccountToken: false
   labels:
     {{- include "surbot.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

deployments/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: ghcr.io/sajfer/surbot
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
@@ -30,7 +30,9 @@ spotify_clientsecret: ""
 
 podAnnotations: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
   # fsGroup: 2000
 
 securityContext:
@@ -39,7 +41,8 @@ securityContext:
     - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 1000
+  runAsUser: 10000
+  allowPrivelegeEscalation: false
 
 resources:
   limits: