Add RoleBinding for calibre anyuid SCC

- Bind calibre-sa to anyuid SecurityContextConstraints - Enables secure non-root execution for LinuxServer containers - Maintains production security while ensuring container compatibility - Fixes supplementary group issues with s6-overlay
Merge pull request 'fix: remove restrictive securityContext for s6 compatibility' (#1 ) from fix-calibre-permissions into main
2026-01-19 00:40:27 +11:00 · 2026-01-18 05:01:16 +00:00 · 2026-01-18 04:58:51 +00:00 · 2026-01-12 18:35:17 +11:00 · 2026-01-12 18:19:48 +11:00 · 2026-01-12 18:09:36 +11:00
13 changed files with 70 additions and 58 deletions
--- a/bootstrap/calibre-application.yaml
+++ b/bootstrap/calibre-application.yaml
@@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: calibre
  namespace: openshift-gitops
  annotations:
 spec:
  orphanedResources:
    warn: false # Disable warning
  project: default
  destination:
    server: https://kubernetes.default.svc
  source:
    repoURL: https://gitea.apilab.us/cscott/calibre.git
    targetRevision: main
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
--- a/manifests/deploy.sh
+++ b/manifests/deploy.sh
--- a/manifests/deployment.yml
+++ b/manifests/deployment.yml
@@ -5,6 +5,7 @@ metadata:
  namespace: calibre
  labels:
    app: calibre
    app.kubernetes.io/instance: calibre
    version: latest
    type: third-party
    facing: internal
@@ -21,20 +22,15 @@ spec:
        app: calibre
    spec:
      serviceAccountName: calibre-sa
-      securityContext:
+      securityContext: {}
        runAsUser: 0
        runAsGroup: 0
        fsGroup: 0
      containers:
        - name: calibre
          image: docker.io/linuxserver/calibre-web:latest
          env:
-            - name: PUID
+            - name: S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES
-              value: "1001"
+              value: "1"
            - name: PGID
              value: "1001"
            - name: TZ
-              value: "Europe/Bucharest"
+              value: "Australia/Sydney"
            - name: DOCKER_MODS
              value: "linuxserver/calibre-web:calibre"
          ports:
@@ -46,6 +42,8 @@ spec:
              mountPath: /config
            - name: calibre-books
              mountPath: /books
            - name: run-dir
              mountPath: /run
          resources:
            requests:
              memory: "128Mi"
@@ -56,7 +54,9 @@ spec:
      volumes:
        - name: calibre-config
          persistentVolumeClaim:
-            claimName: calibre-config
+            claimName: calibre-config-csi
        - name: calibre-books
          persistentVolumeClaim:
-            claimName: calibre-books
+            claimName: calibre-books-csi
        - name: run-dir
          emptyDir: {}
--- a/manifests/ns.yml
+++ b/manifests/ns.yml
@@ -0,0 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: calibre
  labels:
    app: calibre
    type: third-party
    facing: internal
    argocd.argoproj.io/managed-by: openshift-gitops
--- a/manifests/pvc_books.yml
+++ b/manifests/pvc_books.yml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: calibre-books
+  name: calibre-books-csi
  namespace: calibre
 spec:
  accessModes:
@@ -9,5 +9,4 @@ spec:
  resources:
    requests:
      storage: 8Gi
-  storageClassName: nfs
+  storageClassName: nfs-csi
  volumeName: calibre-books
--- a/manifests/pvc_config.yml
+++ b/manifests/pvc_config.yml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: calibre-config
+  name: calibre-config-csi
  namespace: calibre
 spec:
  accessModes:
@@ -9,5 +9,4 @@ spec:
  resources:
    requests:
      storage: 500Mi
-  storageClassName: nfs
+  storageClassName: nfs-csi
  volumeName: calibre-config
--- a/manifests/rolebinding.yaml
+++ b/manifests/rolebinding.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: calibre-anyuid-working
  namespace: calibre
  labels:
    app: calibre
    app.kubernetes.io/instance: calibre
    type: third-party
 subjects:
 - kind: ServiceAccount
  name: calibre-sa
  namespace: calibre
 roleRef:
  kind: ClusterRole
  name: anyuid-scc-user
  apiGroup: rbac.authorization.k8s.io
--- a/manifests/route.yaml
+++ b/manifests/route.yaml
@@ -6,6 +6,8 @@ metadata:
  annotations:
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-dns01-cloudflare
  labels:
    app.kubernetes.io/instance: calibre
 spec:
  host: calibre.apilab.us
  path: /
--- a/manifests/service.yaml
+++ b/manifests/service.yaml
@@ -5,6 +5,7 @@ metadata:
  namespace: calibre
  labels:
    app: calibre
    app.kubernetes.io/instance: calibre
 spec:
  selector:
    app: calibre
@@ -13,4 +14,4 @@ spec:
      protocol: TCP
      targetPort: 8083
      port: 80
-
+  type: ClusterIP
--- a/ns.yml
+++ b/ns.yml
@@ -1,8 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
    name: calibre
    labels:
        app: calibre
        type: third-party
        facing: internal
--- a/pv_books.yml
+++ b/pv_books.yml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: calibre-books
  namespace: calibre
 spec:
  capacity:
    storage: 8Gi
  nfs:
    server: 192.168.0.105
    path: /nfs/NFS/ocp/calibre/books
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs
--- a/pv_config.yml
+++ b/pv_config.yml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: calibre-config
  namespace: calibre
 spec:
  capacity:
    storage: 500Mi
  nfs:
    server: 192.168.0.105
    path: /nfs/NFS/ocp/calibre/config
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs
--- a/scc-updates.sh
+++ b/scc-updates.sh
@@ -1,2 +0,0 @@
 oc create sa calibre-sa -n calibre
 oc adm policy add-scc-to-user anyuid -z calibre-sa -n calibre
Author	SHA1	Message	Date
OpenCode Assistant	673d0346f4	Add RoleBinding for calibre anyuid SCC - Bind calibre-sa to anyuid SecurityContextConstraints - Enables secure non-root execution for LinuxServer containers - Maintains production security while ensuring container compatibility - Fixes supplementary group issues with s6-overlay	2026-01-19 00:40:27 +11:00
Conan Scott	a523c6ab33	Merge pull request 'fix: remove restrictive securityContext for s6 compatibility' (#1 ) from fix-calibre-permissions into main Reviewed-on: #1	2026-01-18 05:01:16 +00:00
Conan Scott	59bdb65dd5	remove securityContext to allow s6 init to run as root	2026-01-18 04:58:51 +00:00
Conan Scott	6bd7d30074	- name: YES_I_WANT_S6_NOT_TO_SUCK value: "please"	2026-01-12 18:35:17 +11:00
Conan Scott	aec7d5b3bb	Added emptyDir for /run. s6 is "fun"	2026-01-12 18:19:48 +11:00
Conan Scott	6483481350	applied runAsUser, Group and fsGroup of 1000 for securitys6 role	2026-01-12 18:09:36 +11:00
Conan Scott	b09719cfa8	I'm gonna wash that SCC right out of my hair	2026-01-12 17:33:58 +11:00
Conan Scott	ac4402349d	no need for load balancer. back to clusterip	2026-01-06 11:34:41 +11:00
Conan Scott	19a9126fae	reorganised	2025-12-30 19:58:08 +11:00
Conan Scott	8aa0a67cd1	added argocd.argoproj.io/managed-by: openshift-gitops to namespace	2025-12-25 12:43:18 +11:00
Conan Scott	1c982a8b3c	added app.kubernetes.io/instance: calibre	2025-12-25 12:27:18 +11:00
Conan Scott	2ef09ffd85	added app.kubernetes.io/instance: calibre	2025-12-25 12:24:44 +11:00
Conan Scott	124097e937	added app.kubernetes.io/instance: calibre	2025-12-25 12:23:33 +11:00
Conan Scott	7fd9dda0bb	added app.kubernetes.io/instance: calibre	2025-12-25 12:21:29 +11:00
Conan Scott	b1d9bb1cf5	Moved to nfs-csi for flexibility and snapshots	2025-12-24 18:08:46 +11:00
Conan Scott	f9752ed1a0	Testing new metallb load balancer	2025-12-18 14:23:00 +11:00
		`@@ -1,2 +0,0 @@`
			`oc create sa calibre-sa -n calibre`
			`oc adm policy add-scc-to-user anyuid -z calibre-sa -n calibre`