chore(airflow): set pod security standards

2025-11-23 14:59:47 +09:00
parent b2bc03013c
commit 0957ef9791
2 changed files with 139 additions and 22 deletions
--- a/airflow/airflow-values.gomplate.yaml
+++ b/airflow/airflow-values.gomplate.yaml
@@ -71,6 +71,16 @@ workers:
      volumeMounts:
        - name: extra-packages
          mountPath: /opt/airflow/site-packages
+      securityContext:
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 0
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
  extraVolumes:
    - name: extra-packages
      emptyDir: {}
@@ -100,6 +110,16 @@ scheduler:
      volumeMounts:
        - name: extra-packages
          mountPath: /opt/airflow/site-packages
+      securityContext:
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 0
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
  extraVolumes:
    - name: extra-packages
      emptyDir: {}
@@ -122,6 +142,16 @@ dagProcessor:
      volumeMounts:
        - name: extra-packages
          mountPath: /opt/airflow/site-packages
+      securityContext:
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 0
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
  extraVolumes:
    - name: extra-packages
      emptyDir: {}
@@ -135,6 +165,60 @@ dagProcessor:
 flower:
  enabled: false

+# StatsD configuration with Prometheus exporter
+statsd:
+  enabled: true
+  securityContexts:
+    pod:
+      runAsNonRoot: true
+      runAsUser: 65534
+      runAsGroup: 65534
+      fsGroup: 65534
+      seccompProfile:
+        type: RuntimeDefault
+    container:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 65534
+      runAsGroup: 65534
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL
+
+{{- if .Env.MONITORING_ENABLED }}
+# Prometheus metrics configuration
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    interval: 30s
+    selector:
+      release: kube-prometheus-stack
+{{- end }}
+
+# Redis security context for restricted Pod Security Standard
+redis:
+  securityContexts:
+    pod:
+      runAsNonRoot: true
+      runAsUser: 999
+      runAsGroup: 999
+      fsGroup: 999
+      seccompProfile:
+        type: RuntimeDefault
+    container:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 999
+      runAsGroup: 999
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL
+
 postgresql:
  enabled: false

@@ -163,11 +247,23 @@ ingress:
        tls:
          enabled: true

-# Security contexts for shared file system access (compatible with JupyterHub)
+# Security contexts for restricted Pod Security Standard
+# Also compatible with shared file system access (JupyterHub)
 securityContexts:
  pod:
+    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 0
    fsGroup: 101
+    seccompProfile:
+      type: RuntimeDefault
  container:
    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 0
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL