From 5bf70a7868dda28d557e977fa63863b20c38743d Mon Sep 17 00:00:00 2001
From: nadmax
Date: Tue, 20 Jan 2026 20:23:43 +0100
Subject: [PATCH] fix: resolve kube-linter errors for container security
---
 .kube-linter.yaml | 3 ++-
 argocd/base/resources/claudecodeui/deployment.yaml | 4 ++++
 argocd/base/resources/n8n/api-key-init.yaml | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.kube-linter.yaml b/.kube-linter.yaml
index 886d17a..daab52d 100644
--- a/.kube-linter.yaml
+++ b/.kube-linter.yaml
@@ -1,2 +1,3 @@
 checks:
- exclude: []
+ exclude:
+ - "latest-tag"
diff --git a/argocd/base/resources/claudecodeui/deployment.yaml b/argocd/base/resources/claudecodeui/deployment.yaml
index 9f9b159..cb3e614 100644
--- a/argocd/base/resources/claudecodeui/deployment.yaml
+++ b/argocd/base/resources/claudecodeui/deployment.yaml
@@ -69,6 +69,10 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 10
 timeoutSeconds: 5
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 volumes:
 - name: data
 persistentVolumeClaim:
diff --git a/argocd/base/resources/n8n/api-key-init.yaml b/argocd/base/resources/n8n/api-key-init.yaml
index e5fc6ec..1472130 100644
--- a/argocd/base/resources/n8n/api-key-init.yaml
+++ b/argocd/base/resources/n8n/api-key-init.yaml
@@ -60,6 +60,9 @@ spec:
 - name: init-api-key
 image: governmentpaas/psql:latest
 securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
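Review bot: Adding `"latest-tag"` to `checks.exclude` in .kube-linter.yaml switches the check off for every manifest in the repository, so the finding is silenced rather than fixed, and `image: governmentpaas/psql:latest` in argocd/base/resources/n8n/api-key-init.yaml stays on a mutable tag. With a floating tag the content of the `init-api-key` container (which, going by its name, presumably handles an API key) can change between pulls without any change in Git. Prefer keeping `exclude: []` and pinning the image, e.g. `image: governmentpaas/psql:<pinned-tag>@sha256:<digest>`. If the tag really has to float, scope the exception to that one object with the annotation `ignore-check.kube-linter.io/latest-tag: "<reason>"` instead of a global exclude.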
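Review bot: The `securityContext` added to the claudecodeui container sets `readOnlyRootFilesystem`, `runAsNonRoot` and `runAsUser` but omits `allowPrivilegeEscalation: false` and a `capabilities.drop: ["ALL"]` entry, both of which the n8n `init-api-key` container already carries; adding them keeps the two workloads at the same baseline. Separately, `readOnlyRootFilesystem: true` combined with `runAsUser: 1000` only works if every path the process writes is a mounted volume writable by that UID. The hunk shows a `data` PVC but no `emptyDir` for scratch paths and no `fsGroup`, so confirm the pod starts and can write to the PVC; the same check applies to `init-api-key` in api-key-init.yaml. The container spec starts above the hunk and the volume list continues below it, so mounts outside the hunk may already cover this.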