From d02701d5c1f133e35c3a06d3c64a19f21f86b8fd Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Mon, 1 Dec 2025 17:22:00 +0900
Subject: [PATCH] chore(langfuse): set pod security standards
---
 langfuse/README.md | 15 +++++++++++++++
 langfuse/justfile | 13 +++++++++++--
 langfuse/langfuse-values.gomplate.yaml | 17 +++++++++++++++++
 3 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/langfuse/README.md b/langfuse/README.md
index eecf1b7..8db09e3 100644
--- a/langfuse/README.md
+++ b/langfuse/README.md
@@ -325,6 +325,7 @@ Key configuration files:
 ## Security Considerations
+- **Pod Security Standards**: Namespace configured with **restricted** enforcement
 - **Secrets Management**: All credentials stored in Vault and synced via External Secrets Operator
 - **OIDC Authentication**: No local password storage, authentication delegated to Keycloak
 - **API Key Security**: Keys are hashed and stored securely in PostgreSQL
@@ -332,6 +333,20 @@ Key configuration files:
 - **Network Isolation**: Internal services communicate via cluster network
 - **Database Credentials**: Unique user per application with minimal privileges
+### Pod Security Standards
+
+The Langfuse namespace is configured with **restricted** Pod Security Standards:
+
+- `pod-security.kubernetes.io/enforce=restricted`
+- `pod-security.kubernetes.io/warn=restricted`
+
+All pods (Langfuse web, worker, and Valkey) run with restricted-compliant security contexts:
+
+- `runAsNonRoot: true` - Prevents containers from running as root
+- `allowPrivilegeEscalation: false` - Blocks privilege escalation
+- `seccompProfile.type: RuntimeDefault` - Enables seccomp filtering
+- `capabilities.drop: [ALL]` - Drops all Linux capabilities
+
 ## References
 - [Langfuse Documentation](https://langfuse.com/docs)
diff --git a/langfuse/justfile b/langfuse/justfile
index 2c73964..5014ec7 100644
--- a/langfuse/justfile
+++ b/langfuse/justfile
@@ -1,7 +1,7 @@
 set fallback := true
 export LANGFUSE_NAMESPACE := env("LANGFUSE_NAMESPACE", "langfuse")
-export LANGFUSE_CHART_VERSION := env("LANGFUSE_CHART_VERSION", "1.5.10")
+export LANGFUSE_CHART_VERSION := env("LANGFUSE_CHART_VERSION", "1.5.12")
 export LANGFUSE_HOST := env("LANGFUSE_HOST", "")
 export LANGFUSE_OIDC_CLIENT_ID := env("LANGFUSE_OIDC_CLIENT_ID", "langfuse")
 export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
@@ -26,8 +26,17 @@ remove-helm-repo:
 # Create Langfuse namespace
 create-namespace:
- kubectl get namespace ${LANGFUSE_NAMESPACE} &>/dev/null || \
+ #!/bin/bash
+ set -euo pipefail
+ if ! kubectl get namespace ${LANGFUSE_NAMESPACE} &>/dev/null; then
 kubectl create namespace ${LANGFUSE_NAMESPACE}
+ fi
+ kubectl label namespace ${LANGFUSE_NAMESPACE} \
+ pod-security.kubernetes.io/enforce=restricted \
+ pod-security.kubernetes.io/enforce-version=latest \
+ pod-security.kubernetes.io/warn=restricted \
+ pod-security.kubernetes.io/warn-version=latest \
+ --overwrite
 # Delete Langfuse namespace
 delete-namespace:
diff --git a/langfuse/langfuse-values.gomplate.yaml b/langfuse/langfuse-values.gomplate.yaml
index 67305ec..0a089c5 100644
--- a/langfuse/langfuse-values.gomplate.yaml
+++ b/langfuse/langfuse-values.gomplate.yaml
@@ -1,4 +1,21 @@
 langfuse:
+ # Pod Security Context (restricted PSS compliant)
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ seccompProfile:
+ type: RuntimeDefault
+
+ # Container Security Context (restricted PSS compliant)
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+
 salt:
 value: {{ .Env.LANGFUSE_SALT }}
 features:
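Review bot: The `enforce-version=latest` label added in `create-namespace` ties enforcement to whatever the running API server defines as restricted, so a cluster upgrade can begin rejecting pods that were admitted before. Pinning enforcement to the minor version the chart was validated against, e.g. `pod-security.kubernetes.io/enforce-version=v<VALIDATED_MINOR>` (placeholder), while keeping `warn-version=latest`, keeps admission stable and still surfaces upcoming violations. Because `--overwrite` switches an already populated namespace to enforcement at once and existing pods are only checked when they are recreated, a preceding `kubectl label --dry-run=server --overwrite namespace ${LANGFUSE_NAMESPACE} pod-security.kubernetes.io/enforce=restricted` would list the running pods that would fail. No `pod-security.kubernetes.io/audit=restricted` label is set, so violations are not written to the API audit log.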
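Review bot: `readOnlyRootFilesystem: false` sits under a comment that reads "restricted PSS compliant", but the restricted profile has no rule about the root filesystem, so this line leaves the container filesystem writable without saying why. If the Langfuse image needs writable paths, a comment such as `# root FS left writable: <paths the image writes to>; not covered by restricted PSS` would record that; otherwise `readOnlyRootFilesystem: true` with `emptyDir` mounts for those paths is the tighter setting. `runAsUser: 1001` and `fsGroup: 1001` presumably mirror the image's own user and deserve a one-line comment saying so. These keys cover only `langfuse:`; the README in this commit also names Valkey, whose security context is not part of this hunk, so its pods depend on settings elsewhere to pass admission under `enforce=restricted`.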