chore(trino): set pod security standards and adjust resources

2025-11-23 21:15:17 +09:00
parent 9155fcc697
commit 7fee9a2096
2 changed files with 43 additions and 17 deletions
--- a/trino/justfile
+++ b/trino/justfile
@@ -8,12 +8,16 @@ export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external
 export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
 export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "")
 export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack")
-export TRINO_COORDINATOR_MEMORY := env("TRINO_COORDINATOR_MEMORY", "4Gi")
-export TRINO_COORDINATOR_CPU := env("TRINO_COORDINATOR_CPU", "2")
-export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "4G")
-export TRINO_WORKER_MEMORY := env("TRINO_WORKER_MEMORY", "4Gi")
-export TRINO_WORKER_CPU := env("TRINO_WORKER_CPU", "2")
-export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "4G")
+export TRINO_COORDINATOR_MEMORY_REQUEST := env("TRINO_COORDINATOR_MEMORY_REQUEST", "2Gi")
+export TRINO_COORDINATOR_MEMORY_LIMIT := env("TRINO_COORDINATOR_MEMORY_LIMIT", "8Gi")
+export TRINO_COORDINATOR_CPU_REQUEST := env("TRINO_COORDINATOR_CPU_REQUEST", "100m")
+export TRINO_COORDINATOR_CPU_LIMIT := env("TRINO_COORDINATOR_CPU_LIMIT", "4")
+export TRINO_COORDINATOR_JVM_HEAP := env("TRINO_COORDINATOR_JVM_HEAP", "6G")
+export TRINO_WORKER_MEMORY_REQUEST := env("TRINO_WORKER_MEMORY_REQUEST", "2Gi")
+export TRINO_WORKER_MEMORY_LIMIT := env("TRINO_WORKER_MEMORY_LIMIT", "8Gi")
+export TRINO_WORKER_CPU_REQUEST := env("TRINO_WORKER_CPU_REQUEST", "100m")
+export TRINO_WORKER_CPU_LIMIT := env("TRINO_WORKER_CPU_LIMIT", "4")
+export TRINO_WORKER_JVM_HEAP := env("TRINO_WORKER_JVM_HEAP", "6G")
 export TRINO_WORKER_COUNT := env("TRINO_WORKER_COUNT", "2")
 export TRINO_POSTGRES_ENABLED := env("TRINO_POSTGRES_ENABLED", "true")
 export TRINO_ICEBERG_ENABLED := env("TRINO_ICEBERG_ENABLED", "")
@@ -239,6 +243,10 @@ install:
    done
    echo "Installing Trino..."
    just create-namespace
+
+    kubectl label namespace ${TRINO_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted --overwrite
+
    just create-oauth-client
    just create-password-secret

--- a/trino/trino-values.gomplate.yaml
+++ b/trino/trino-values.gomplate.yaml
@@ -80,7 +80,7 @@ accessControl:

 resourceGroups: {}

-{{- if .Env.TRINO_POSTGRES_ENABLED }}
+{{- if eq .Env.TRINO_POSTGRES_ENABLED "true" }}
 catalogs:
  postgresql: |
    connector.name=postgresql
@@ -92,7 +92,7 @@ catalogs:
    connector.name=tpch
    tpch.splits-per-node=4

-{{- if .Env.TRINO_ICEBERG_ENABLED }}
+{{- if eq .Env.TRINO_ICEBERG_ENABLED "true" }}
  iceberg: |
    connector.name=iceberg
    iceberg.catalog.type=rest
@@ -164,11 +164,11 @@ coordinator:

  resources:
    requests:
-      memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
-      cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
+      memory: "{{ .Env.TRINO_COORDINATOR_MEMORY_REQUEST }}"
+      cpu: "{{ .Env.TRINO_COORDINATOR_CPU_REQUEST }}"
    limits:
-      memory: "{{ .Env.TRINO_COORDINATOR_MEMORY }}"
-      cpu: "{{ .Env.TRINO_COORDINATOR_CPU }}"
+      memory: "{{ .Env.TRINO_COORDINATOR_MEMORY_LIMIT }}"
+      cpu: "{{ .Env.TRINO_COORDINATOR_CPU_LIMIT }}"

  livenessProbe:
    initialDelaySeconds: 30
@@ -228,11 +228,11 @@ worker:

  resources:
    requests:
-      memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
-      cpu: "{{ .Env.TRINO_WORKER_CPU }}"
+      memory: "{{ .Env.TRINO_WORKER_MEMORY_REQUEST }}"
+      cpu: "{{ .Env.TRINO_WORKER_CPU_REQUEST }}"
    limits:
-      memory: "{{ .Env.TRINO_WORKER_MEMORY }}"
-      cpu: "{{ .Env.TRINO_WORKER_CPU }}"
+      memory: "{{ .Env.TRINO_WORKER_MEMORY_LIMIT }}"
+      cpu: "{{ .Env.TRINO_WORKER_CPU_LIMIT }}"

  livenessProbe:
    initialDelaySeconds: 30
@@ -276,9 +276,27 @@ initContainers: {}

 sidecarContainers: {}

+# Security context for Pod Security Standards (restricted)
 securityContext:
+  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch
+  seccompProfile:
+    type: RuntimeDefault
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

 shareProcessNamespace:
  coordinator: false
@@ -298,7 +316,7 @@ env:
      secretKeyRef:
        name: trino-oauth-secret
        key: client_secret
-{{- if .Env.TRINO_POSTGRES_ENABLED }}
+{{- if eq .Env.TRINO_POSTGRES_ENABLED "true" }}
  - name: POSTGRES_USER
    valueFrom:
      secretKeyRef: