From 10c60618a32968198c500a1fbd8af12915090e01 Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Mon, 24 Nov 2025 11:13:28 +0900
Subject: [PATCH] chore(metabase): set pod security standards and adjust resources
---
 CLAUDE.md | 12 +++++++
 metabase/metabase-values.gomplate.yaml | 44 +++++++++++++++++++-------
 2 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/CLAUDE.md b/CLAUDE.md
index 8691061..83cc4df 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -107,6 +107,18 @@ All components should have appropriate resource requests and limits configured.
 - Configuration guidelines and examples
 - **Important**: Never set resources below Goldilocks recommendations; always round up to clean values
+### Pod Security Standards
+
+All components should be configured with Pod Security Standards set to **restricted** level whenever possible. This ensures the highest level of security by enforcing:
+
+- `runAsNonRoot: true` - Prevents containers from running as root
+- `allowPrivilegeEscalation: false` - Blocks privilege escalation
+- `seccompProfile.type: RuntimeDefault` - Enables seccomp filtering
+- `capabilities.drop: [ALL]` - Drops all Linux capabilities
+- `readOnlyRootFilesystem: false` - May be required for applications that need to write temporary files
+
+Only fall back to **baseline** level if the application specifically requires additional privileges. Document the reason when using baseline instead of restricted.
+
 ### Gomplate Template Pattern
 **Environment Variable Management:**
diff --git a/metabase/metabase-values.gomplate.yaml b/metabase/metabase-values.gomplate.yaml
index 1a86772..d7d494b 100644
--- a/metabase/metabase-values.gomplate.yaml
+++ b/metabase/metabase-values.gomplate.yaml
@@ -47,6 +47,17 @@ extraInitContainers:
 - |
 curl -Lso /plugins/starburst.metabase-driver.jar \
 https://github.com/starburstdata/metabase-driver/releases/download/6.1.0/starburst-6.1.0.metabase-driver.jar
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 100
+ runAsGroup: 101
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 extraVolumeMounts:
 - name: plugins
@@ -66,24 +77,35 @@ extraEnv:
 - name: MB_ENABLE_EMBEDDING
 value: "true"
-# Resource limits
 resources:
- limits:
- memory: 4Gi
- cpu: 2000m
 requests:
- memory: 2Gi
+ cpu: 25m
+ memory: 3Gi
+ limits:
 cpu: 500m
+ memory: 8Gi
-# Security context
-securityContext:
+# Security context for Pod Security Standards (restricted)
+podSecurityContext:
+ runAsNonRoot: true
 runAsUser: 2000
 runAsGroup: 2000
- runAsNonRoot: true
-
-# Pod security context
-podSecurityContext:
 fsGroup: 2000
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 2000
+ runAsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 # Service account
 serviceAccount:
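Review bot: `readOnlyRootFilesystem: false` in the new init-container securityContext looks unnecessary: the only write this container performs is `curl -Lso /plugins/starburst.metabase-driver.jar`, and `/plugins` appears to be the mounted `plugins` volume, so `readOnlyRootFilesystem: true` should work here and would finish locking down this container (confirm the curl image does not need a writable `$HOME` or `/tmp`). Hardening the securityContext does not address the fact that the JAR this container fetches is never integrity-checked; since the URL already pins release 6.1.0, appending `&& echo "<recorded sha256>  /plugins/starburst.metabase-driver.jar" | sha256sum -c` after the curl would close the supply-chain gap and fail the pod on a tampered or truncated download. `runAsUser: 100` / `runAsGroup: 101` is presumably the curl image's built-in unprivileged user, but the image line is outside this hunk, so a comment such as `# curl_user of the curlimages/curl image` would stop a later image swap from silently producing a UID the image does not own.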
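Review bot: The new container-level `securityContext` repeats `runAsNonRoot`, `runAsUser`, `runAsGroup` and `seccompProfile` from `podSecurityContext`; container-level values take precedence, so the pod-level copy only governs containers that set nothing themselves (the init container above already overrides it), and the two copies can drift apart unnoticed. Either drop the duplicated fields from the container block, or add a comment such as `# keep in sync with podSecurityContext; container values win` above it. `readOnlyRootFilesystem: false` is the one setting that keeps this short of a fully locked-down main container, and the "Pod Security Standards (restricted)" comment does not explain it; restricted does not require a read-only root, so a one-line reason (for example that Metabase writes to `/tmp` and the plugins volume at startup, if that is the case) would stop a future cleanup from flipping it blindly. The CPU limit also drops from 2000m to 500m while the memory limit rises to 8Gi; for a JVM workload a half-core ceiling will throttle GC and startup, so it is worth confirming this matches the Goldilocks recommendation the repository guidelines require rather than a rounding of the request.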