fix build

.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "mcp__context7__resolve-library-id",
+      "mcp__context7__query-docs"
+    ]
+  }
+}

helm/nginx/templates/deployment.yaml

@@ -1,22 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: { { include "nginx.fullname" . } }
+  name: {{ include "nginx.fullname" . }}
   labels:
-    app: { { include "nginx.name" . } }
+    app: {{ include "nginx.name" . }}
 spec:
-  replicas: { { .Values.replicaCount } }
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app: { { include "nginx.name" . } }
+      app: {{ include "nginx.name" . }}
   template:
     metadata:
       labels:
-        app: { { include "nginx.name" . } }
+        app: {{ include "nginx.name" . }}
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: nginx
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: { { .Values.image.pullPolicy } }
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:
-            - containerPort: 80
+            - containerPort: 8080

helm/nginx/templates/service.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: { { include "nginx.fullname" . } }
+  name: {{ include "nginx.fullname" . }}
 spec:
-  type: { { .Values.service.type } }
+  type: {{ .Values.service.type }}
   ports:
-    - port: { { .Values.service.port } }
+    - port: {{ .Values.service.port }}
-      targetPort: 80
+      targetPort: 8080
   selector:
-    app: { { include "nginx.name" . } }
+    app: {{ include "nginx.name" . }}

image/Dockerfile

@@ -1,2 +1,5 @@
 FROM nginx:1.25-alpine
 COPY nginx.conf /etc/nginx/nginx.conf
+RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx /etc/nginx
+USER nginx
+EXPOSE 8080

image/nginx.conf

@@ -1,7 +1,17 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+
 events {}
+
 http {
+    client_body_temp_path /tmp/client_body;
+    proxy_temp_path /tmp/proxy;
+    fastcgi_temp_path /tmp/fastcgi;
+    uwsgi_temp_path /tmp/uwsgi;
+    scgi_temp_path /tmp/scgi;
+
     server {
-        listen 80;
+        listen 8080;
         location / {
             return 200 'Hello from custom nginx!';
         }

policies/kyverno-image-signature-policy.yaml

@@ -4,21 +4,22 @@ metadata:
   name: require-image-signature
 spec:
   validationFailureAction: Enforce
+  background: false
   rules:
-    - name: verify-image-signature
+  - name: check-image-signature
     match:
-        resources:
+      any:
-          kinds:
+        - resources:
-            - Pod
+            kinds: [Pod]
-      include:
+            namespaces: ["cosign-test"]
-        resources:
-          namespaces:
-            - cosign-test
     verifyImages:
-        - image: "git.ntk.novotelecom.ru/adm/docker-trust*"
+      - imageReferences:
-          key: "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1kmEd1dzkY0MLMhNlkPz8LbX70tdw5acXoKYvOGzcTUK4jppKBCLst121UMC0L5DcgqNE9uly0S78aE8pbIxpBSgVdM8NPRa90vGTi50rauzOGiVRSxOzmkh3BVErqga84U9xb8QmS28rwjdSCbZSx27quzkDrvHwrfid5DroCSkNFQo7Bb84jlgTbrV5KwXkd7G5bMB3qaAzIpBQH+LbKn8/76rlU9/NfUpzftFdOwVVOWQIC7PYU8z2cKI9C+Su+MkrozuGSLrR/Z/urCK9xibrUzRMX7N2v5ORXGhili4pFJG7asxQjPzl2a23iYGkt8c5egxlXWFk4zrVnmawIDAQAB-----END PUBLIC KEY-----"
+          - "git.realmanual.ru/pub/*"
         attestors:
           - entries:
-                - keyless:
+              - keys:
-                    subject: "*"
+                  publicKeys: |-
-                    issuer: "*"
+                    -----BEGIN PUBLIC KEY-----
+                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZZ/9MbR3WZg9K/pk936vukFjeWVt
+                    2oMpW4OmElpIq1aH3jZIA03Hwm7FVdhyumb1vPu5k0DOV8RX4UIs6rkhzA==
+                    -----END PUBLIC KEY-----