diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index 3939c34b2f11d7a24c830c7adb69ec77c2b11ce2..0be19e65e71b96f3aed4630979f5d2d75175a4d8 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -11,7 +11,7 @@ sources:
- https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/tree/main/charts/mastodon
type: application
-version: 6.0.5
+version: 6.0.6
# renovate: image=ghcr.io/mastodon/mastodon
appVersion: "v4.1.3"
diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md
index 777de95dd34453fcc7e8d3359b39f0441fb48382..5ce51471a648ff6967c369f55d8cfe3ee7dc2982 100644
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@@ -1,6 +1,6 @@
# mastodon
-  
+  
Mastodon is a free, open-source social network server based on ActivityPub.
@@ -106,7 +106,7 @@ Mastodon is a free, open-source social network server based on ActivityPub.
| mastodon.web.port | int | `3000` | |
| mastodon.web.replicas | int | `1` | Number of Web Pods running |
| mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources |
-| mastodon.web.securityContext | Web Container | `{}` | Security Context for Web Pods, overwrites .Values.securityContext |
+| mastodon.web.securityContext | Web Container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext |
| mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com |
| podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. |
| podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsUser":991}` | https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 if you manually change the UID/GID environment variables, ensure these values match: |
diff --git a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
index 43b8df2db9816d1266f731ffa0d2bbadd76f175b..5f28d6107aab30bfc2f6c416b08207de256fbca2 100644
--- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
@@ -106,6 +106,9 @@ should match basic snapshot:
httpGet:
path: /health
port: http
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
startupProbe:
failureThreshold: 30
httpGet:
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index 25ed14865b2676a6e3396d87371ff31e31c72d63..5542a5d802550daba4ca3ae78032ddfd34198c87 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -181,7 +181,9 @@ mastodon:
# -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
- securityContext: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
# -- (Web Container) Resources for Web Pods, overwrites .Values.resources
resources: {}
# limits: