chore(superset): set pod security standards

2025-11-23 21:14:45 +09:00
parent 8b2fe12a8c
commit 9155fcc697
3 changed files with 259 additions and 1 deletions
--- a/superset/superset-values.gomplate.yaml
+++ b/superset/superset-values.gomplate.yaml
@@ -1,5 +1,5 @@
 # Apache Superset Helm values
-# Generated by gomplate
+# https://github.com/apache/superset/tree/master/helm/superset

 # Service configuration
 service:
@@ -26,9 +26,88 @@ init:
  createAdmin: false
  loadExamples: false

+  # Security context for Pod Security Standards (baseline)
+  podSecurityContext:
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch
+    seccompProfile:
+      type: RuntimeDefault
+
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+
+  initContainers:
+    - name: copy-venv
+      image: apachesuperset.docker.scarf.sh/apache/superset:5.0.0
+      command:
+        - sh
+        - -c
+        - |
+          if [ ! -d /venv-target/lib ]; then
+            echo "Copying .venv to emptyDir..."
+            cp -a /app/.venv/. /venv-target/
+            chown -R 1000:1000 /venv-target
+          else
+            echo ".venv already initialized"
+          fi
+      volumeMounts:
+        - name: superset-venv
+          mountPath: /venv-target
+      securityContext:
+        runAsUser: 0
+
 # Superset node configuration
 supersetNode:
  replicaCount: 1
+
+  # Security context for Pod Security Standards (baseline)
+  podSecurityContext:
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch
+    seccompProfile:
+      type: RuntimeDefault
+
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+
+  initContainers:
+    - name: copy-venv
+      image: apachesuperset.docker.scarf.sh/apache/superset:5.0.0
+      command:
+        - sh
+        - -c
+        - |
+          if [ ! -d /venv-target/lib ]; then
+            echo "Copying .venv to emptyDir..."
+            cp -a /app/.venv/. /venv-target/
+            chown -R 1000:1000 /venv-target
+          else
+            echo ".venv already initialized"
+          fi
+      volumeMounts:
+        - name: superset-venv
+          mountPath: /venv-target
+      securityContext:
+        runAsUser: 0
+
  connections:
    # Redis configuration
    redis_host: superset-redis-headless
@@ -47,6 +126,45 @@ supersetNode:
 supersetWorker:
  replicaCount: 1

+  # Security context for Pod Security Standards (baseline)
+  podSecurityContext:
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch
+    seccompProfile:
+      type: RuntimeDefault
+
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+
+  initContainers:
+    - name: copy-venv
+      image: apachesuperset.docker.scarf.sh/apache/superset:5.0.0
+      command:
+        - sh
+        - -c
+        - |
+          if [ ! -d /venv-target/lib ]; then
+            echo "Copying .venv to emptyDir..."
+            cp -a /app/.venv/. /venv-target/
+            chown -R 1000:1000 /venv-target
+          else
+            echo ".venv already initialized"
+          fi
+      volumeMounts:
+        - name: superset-venv
+          mountPath: /venv-target
+      securityContext:
+        runAsUser: 0
+
 # Database configuration (use existing PostgreSQL)
 postgresql:
  enabled: false
@@ -65,6 +183,26 @@ redis:
  master:
    persistence:
      enabled: false
+    # Security context for Pod Security Standards (restricted)
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1001
+      runAsGroup: 1001
+      fsGroup: 1001
+      fsGroupChangePolicy: OnRootMismatch
+      seccompProfile:
+        type: RuntimeDefault
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsNonRoot: true
+      runAsUser: 1001
+      runAsGroup: 1001
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+          - ALL

 # Extra environment variables
 extraEnv:
@@ -170,3 +308,16 @@ bootstrapScript: |
  #!/bin/bash
  uv pip install psycopg2-binary sqlalchemy-trino authlib
  if [ ! -f ~/bootstrap ]; then echo "Bootstrap complete" > ~/bootstrap; fi
+
+# Extra volumes and volume mounts for cache directories and venv
+extraVolumes:
+  - name: superset-cache
+    emptyDir: {}
+  - name: superset-venv
+    emptyDir: {}
+
+extraVolumeMounts:
+  - name: superset-cache
+    mountPath: /app/superset_home/.cache
+  - name: superset-venv
+    mountPath: /app/.venv