chore(metabase): set pod security standards and adjust resources

2025-11-24 11:13:28 +09:00
parent 6e9580c7bd
commit 10c60618a3
2 changed files with 45 additions and 11 deletions
--- a/metabase/metabase-values.gomplate.yaml
+++ b/metabase/metabase-values.gomplate.yaml
@@ -47,6 +47,17 @@ extraInitContainers:
      - |
        curl -Lso /plugins/starburst.metabase-driver.jar \
          https://github.com/starburstdata/metabase-driver/releases/download/6.1.0/starburst-6.1.0.metabase-driver.jar
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsNonRoot: true
+      runAsUser: 100
+      runAsGroup: 101
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL

 extraVolumeMounts:
  - name: plugins
@@ -66,24 +77,35 @@ extraEnv:
  - name: MB_ENABLE_EMBEDDING
    value: "true"

-# Resource limits
 resources:
-  limits:
-    memory: 4Gi
-    cpu: 2000m
  requests:
-    memory: 2Gi
+    cpu: 25m
+    memory: 3Gi
+  limits:
    cpu: 500m
+    memory: 8Gi

-# Security context
-securityContext:
+# Security context for Pod Security Standards (restricted)
+podSecurityContext:
+  runAsNonRoot: true
  runAsUser: 2000
  runAsGroup: 2000
-  runAsNonRoot: true
-
-# Pod security context
-podSecurityContext:
  fsGroup: 2000
+  fsGroupChangePolicy: OnRootMismatch
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 2000
+  runAsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

 # Service account
 serviceAccount: