baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(metabase): set pod security standards and adjust resources

Browse Source
This commit is contained in:
Masaki Yatsu
2025-11-24 11:13:28 +09:00
parent 6e9580c7bd
commit 10c60618a3
2 changed files with 45 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
CLAUDE.md
View File

@@ -107,6 +107,18 @@ All components should have appropriate resource requests and limits configured.
- Configuration guidelines and examples - Configuration guidelines and examples
- **Important**: Never set resources below Goldilocks recommendations; always round up to clean values - **Important**: Never set resources below Goldilocks recommendations; always round up to clean values
### Pod Security Standards
All components should be configured with Pod Security Standards set to **restricted** level whenever possible. This ensures the highest level of security by enforcing:
- `runAsNonRoot: true` - Prevents containers from running as root
- `allowPrivilegeEscalation: false` - Blocks privilege escalation
- `seccompProfile.type: RuntimeDefault` - Enables seccomp filtering
- `capabilities.drop: [ALL]` - Drops all Linux capabilities
- `readOnlyRootFilesystem: false` - May be required for applications that need to write temporary files
Only fall back to **baseline** level if the application specifically requires additional privileges. Document the reason when using baseline instead of restricted.
### Gomplate Template Pattern ### Gomplate Template Pattern
**Environment Variable Management:** **Environment Variable Management:**

44
metabase/metabase-values.gomplate.yaml
View File

@@ -47,6 +47,17 @@ extraInitContainers:
- | - |
curl -Lso /plugins/starburst.metabase-driver.jar \ curl -Lso /plugins/starburst.metabase-driver.jar \
https://github.com/starburstdata/metabase-driver/releases/download/6.1.0/starburst-6.1.0.metabase-driver.jar https://github.com/starburstdata/metabase-driver/releases/download/6.1.0/starburst-6.1.0.metabase-driver.jar
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
extraVolumeMounts: extraVolumeMounts:
- name: plugins - name: plugins
@@ -66,24 +77,35 @@ extraEnv:
- name: MB_ENABLE_EMBEDDING - name: MB_ENABLE_EMBEDDING
value: "true" value: "true"
# Resource limits
resources: resources:
limits:
memory: 4Gi
cpu: 2000m
requests: requests:
memory: 2Gi cpu: 25m
memory: 3Gi
limits:
cpu: 500m cpu: 500m
memory: 8Gi
# Security context # Security context for Pod Security Standards (restricted)
securityContext: podSecurityContext:
runAsNonRoot: true
runAsUser: 2000 runAsUser: 2000
runAsGroup: 2000 runAsGroup: 2000
runAsNonRoot: true
# Pod security context
podSecurityContext:
fsGroup: 2000 fsGroup: 2000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 2000
runAsGroup: 2000
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
# Service account # Service account
serviceAccount: serviceAccount: