forgejo: runner rootless dind (v2.6)

jaredallard · jaredallard · commit 7b00d28481f4 · 2025-03-09T13:54:41.000-07:00
diff --git a/manifests/apps/by-cluster/rgst/forgejo.jsonnet b/manifests/apps/by-cluster/rgst/forgejo.jsonnet
@@ -149,10 +149,6 @@ local all = {
           labels: {
             app: $.runner.spec.selector.matchLabels.app,
           },
-          annotations: {
-            'container.apparmor.security.beta.kubernetes.io/docker': 'unconfined',
-            'container.seccomp.security.alpha.kubernetes.io/docker': 'unconfined',
-          },
         },
         spec: {
           nodeSelector: {
@@ -249,6 +245,8 @@ local all = {
                 'unix://' + dind_sock,
               ],
               securityContext: {
+                seccompProfile: { type: 'Unconfined' },
+                appArmorProfile: { type: 'Unconfined' },
                 privileged: true,
                 runAsUser: 1000,
                 runAsGroup: 1000,
