chore(langfuse): set pod security standards

langfuse/README.md

@@ -325,6 +325,7 @@ Key configuration files:
 
 ## Security Considerations
 
+- **Pod Security Standards**: Namespace configured with **restricted** enforcement
 - **Secrets Management**: All credentials stored in Vault and synced via External Secrets Operator
 - **OIDC Authentication**: No local password storage, authentication delegated to Keycloak
 - **API Key Security**: Keys are hashed and stored securely in PostgreSQL
@@ -332,6 +333,20 @@ Key configuration files:
 - **Network Isolation**: Internal services communicate via cluster network
 - **Database Credentials**: Unique user per application with minimal privileges
 
+### Pod Security Standards
+
+The Langfuse namespace is configured with **restricted** Pod Security Standards:
+
+- `pod-security.kubernetes.io/enforce=restricted`
+- `pod-security.kubernetes.io/warn=restricted`
+
+All pods (Langfuse web, worker, and Valkey) run with restricted-compliant security contexts:
+
+- `runAsNonRoot: true` - Prevents containers from running as root
+- `allowPrivilegeEscalation: false` - Blocks privilege escalation
+- `seccompProfile.type: RuntimeDefault` - Enables seccomp filtering
+- `capabilities.drop: [ALL]` - Drops all Linux capabilities
+
 ## References
 
 - [Langfuse Documentation](https://langfuse.com/docs)

langfuse/justfile

@@ -1,7 +1,7 @@
 set fallback := true
 
 export LANGFUSE_NAMESPACE := env("LANGFUSE_NAMESPACE", "langfuse")
-export LANGFUSE_CHART_VERSION := env("LANGFUSE_CHART_VERSION", "1.5.10")
+export LANGFUSE_CHART_VERSION := env("LANGFUSE_CHART_VERSION", "1.5.12")
 export LANGFUSE_HOST := env("LANGFUSE_HOST", "")
 export LANGFUSE_OIDC_CLIENT_ID := env("LANGFUSE_OIDC_CLIENT_ID", "langfuse")
 export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
@@ -26,8 +26,17 @@ remove-helm-repo:
 
 # Create Langfuse namespace
 create-namespace:
-    kubectl get namespace ${LANGFUSE_NAMESPACE} &>/dev/null || \
+    #!/bin/bash
+    set -euo pipefail
+    if ! kubectl get namespace ${LANGFUSE_NAMESPACE} &>/dev/null; then
         kubectl create namespace ${LANGFUSE_NAMESPACE}
+    fi
+    kubectl label namespace ${LANGFUSE_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted \
+        pod-security.kubernetes.io/enforce-version=latest \
+        pod-security.kubernetes.io/warn=restricted \
+        pod-security.kubernetes.io/warn-version=latest \
+        --overwrite
 
 # Delete Langfuse namespace
 delete-namespace:

langfuse/langfuse-values.gomplate.yaml

@@ -1,4 +1,21 @@
 langfuse:
+  # Pod Security Context (restricted PSS compliant)
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+    seccompProfile:
+      type: RuntimeDefault
+
+  # Container Security Context (restricted PSS compliant)
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    readOnlyRootFilesystem: false
+
   salt:
     value: {{ .Env.LANGFUSE_SALT }}
   features: