chore(metabase): set pod security standards and adjust resources

2025-11-24 11:13:28 +09:00
parent 6e9580c7bd
commit 10c60618a3
2 changed files with 45 additions and 11 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -107,6 +107,18 @@ All components should have appropriate resource requests and limits configured.
 - Configuration guidelines and examples
 - **Important**: Never set resources below Goldilocks recommendations; always round up to clean values

+### Pod Security Standards
+
+All components should be configured with Pod Security Standards set to **restricted** level whenever possible. This ensures the highest level of security by enforcing:
+
+- `runAsNonRoot: true` - Prevents containers from running as root
+- `allowPrivilegeEscalation: false` - Blocks privilege escalation
+- `seccompProfile.type: RuntimeDefault` - Enables seccomp filtering
+- `capabilities.drop: [ALL]` - Drops all Linux capabilities
+- `readOnlyRootFilesystem: false` - May be required for applications that need to write temporary files
+
+Only fall back to **baseline** level if the application specifically requires additional privileges. Document the reason when using baseline instead of restricted.
+
 ### Gomplate Template Pattern

 **Environment Variable Management:**
--- a/metabase/metabase-values.gomplate.yaml
+++ b/metabase/metabase-values.gomplate.yaml
@@ -47,6 +47,17 @@ extraInitContainers:
      - |
        curl -Lso /plugins/starburst.metabase-driver.jar \
          https://github.com/starburstdata/metabase-driver/releases/download/6.1.0/starburst-6.1.0.metabase-driver.jar
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsNonRoot: true
+      runAsUser: 100
+      runAsGroup: 101
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL

 extraVolumeMounts:
  - name: plugins
@@ -66,24 +77,35 @@ extraEnv:
  - name: MB_ENABLE_EMBEDDING
    value: "true"

-# Resource limits
 resources:
-  limits:
-    memory: 4Gi
-    cpu: 2000m
  requests:
-    memory: 2Gi
+    cpu: 25m
+    memory: 3Gi
+  limits:
    cpu: 500m
+    memory: 8Gi

-# Security context
-securityContext:
+# Security context for Pod Security Standards (restricted)
+podSecurityContext:
+  runAsNonRoot: true
  runAsUser: 2000
  runAsGroup: 2000
-  runAsNonRoot: true
-
-# Pod security context
-podSecurityContext:
  fsGroup: 2000
+  fsGroupChangePolicy: OnRootMismatch
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 2000
+  runAsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

 # Service account
 serviceAccount: