From d036c479d3e97ed5adc221503630ec1b219bd353 Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Sun, 23 Nov 2025 15:02:24 +0900
Subject: [PATCH] chore(postgres): set pod security standards

---
 postgres/cnpg-values.yaml | 31 +++++++++++++++----
 postgres/justfile | 5 ++-
 .../postgres-cluster-values.gomplate.yaml | 4 +++
 3 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/postgres/cnpg-values.yaml b/postgres/cnpg-values.yaml
index 2175a03..7311946 100644
--- a/postgres/cnpg-values.yaml
+++ b/postgres/cnpg-values.yaml
@@ -1,7 +1,26 @@
+# Pod Security Context for restricted Pod Security Standards
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  fsGroup: 10001
+
+# Container Security Context for restricted Pod Security Standards
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsUser: 10001
+  runAsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
+
 resources:
-  requests:
-    cpu: 50m
-    memory: 128Mi
-  limits:
-    cpu: 100m
-    memory: 256Mi
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    cpu: 100m
+    memory: 256Mi
diff --git a/postgres/justfile b/postgres/justfile
index b06b730..e22dd7d 100644
--- a/postgres/justfile
+++ b/postgres/justfile
@@ -1,7 +1,7 @@
 set fallback := true
 
 export CNPG_NAMESPACE := env("CNPG_NAMESPACE", "postgres")
-export CNPG_CHART_VERSION := env("CNPG_CHART_VERSION", "0.26.0")
+export CNPG_CHART_VERSION := env("CNPG_CHART_VERSION", "0.26.1")
 export CNPG_CLUSTER_CHART_VERSION := env("CNPG_CLUSTER_CHART_VERSION", "0.3.1")
 export POSTGRES_STORAGE_SIZE := env("POSTGRES_STORAGE_SIZE", "20Gi")
 export POSTGRES_MAX_CONNECTIONS := env("POSTGRES_MAX_CONNECTIONS", "200")
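Review bot: The `resources:` block is deleted and re-added with content that reads identically on both sides, so the only visible difference is whitespace; a commit-message note such as `re-indent resources block, no value change` would stop reviewers from hunting for a semantic change there. On the new security contexts, the upstream cloudnative-pg chart already ships a restricted-profile `podSecurityContext`/`containerSecurityContext` by default as far as I recall, so most of these fields are likely a restatement and the one that would actually change the rendered operator pod is `fsGroup: 10001`, which the restricted profile does not require — state why it is needed in the header comment, e.g. `# fsGroup: <reason the operator needs group-owned volumes>`, and confirm the delta with `helm template` against the chart defaults. Note that this values file is only passed to the operator install (`-f cnpg-values.yaml`), so it does not harden the Postgres instance pods, which come from the Cluster resource.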
@@ -39,6 +39,9 @@ install-cnpg:
     -n ${CNPG_NAMESPACE} --create-namespace --wait \
     -f cnpg-values.yaml
 
+  @kubectl label namespace ${CNPG_NAMESPACE} \
+    pod-security.kubernetes.io/enforce=restricted --overwrite
+
 # Uninstall CloudNativePG
 uninstall-cnpg:
   @helm uninstall cnpg -n ${CNPG_NAMESPACE} --wait
diff --git a/postgres/postgres-cluster-values.gomplate.yaml b/postgres/postgres-cluster-values.gomplate.yaml
index 52cf6a3..f13b350 100644
--- a/postgres/postgres-cluster-values.gomplate.yaml
+++ b/postgres/postgres-cluster-values.gomplate.yaml
@@ -1,6 +1,10 @@
 cluster:
   instances: 1
 
+  # Security configuration for restricted Pod Security Standards
+  seccompProfile:
+    type: RuntimeDefault
+
   # Resource configuration (Guaranteed QoS)
   resources:
     requests:
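Review bot: The `pod-security.kubernetes.io/enforce=restricted` label is applied only after `helm install ... --wait` has already created the operator pods, and Pod Security Admission evaluates pods at admission time, so a non-compliant operator pod (or anything else already in the namespace) keeps running unchecked until it is recreated; labeling the namespace before the install makes a violating chart fail fast instead of silently passing. Creating the namespace idempotently, labeling it, and then installing without `--create-namespace` achieves that, and adding the `warn`/`audit` modes alongside `enforce` surfaces violations from other workloads in the namespace without blocking them. The `install-cnpg` recipe starts before this hunk, so the helm command itself is not visible here.
```just
install-cnpg:
  @kubectl create namespace ${CNPG_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
  @kubectl label namespace ${CNPG_NAMESPACE} \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/warn=restricted \
    pod-security.kubernetes.io/audit=restricted --overwrite
  # … unchanged: helm install cnpg ... -n ${CNPG_NAMESPACE} --wait -f cnpg-values.yaml (drop --create-namespace) …
```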
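Review bot: `cluster.seccompProfile` only takes effect if the cnpg cluster chart pinned in the justfile (`0.3.1`) maps that key onto the Cluster's `spec.seccompProfile`; Helm silently ignores values keys a chart does not reference, so verify with `helm template` that the rendered Cluster actually carries `seccompProfile: {type: RuntimeDefault}`. If this cluster is deployed into the namespace that `install-cnpg` now labels `enforce=restricted`, the instance pods must satisfy the whole restricted profile, not just seccomp — as far as I know the operator sets the remaining pod/container security context on instance pods itself, but that assumption belongs in the comment, e.g. `# seccomp is the only PSS field exposed here; CNPG applies runAsNonRoot/drop ALL to instance pods itself (verify)`. The `cluster:` mapping continues past the end of the hunk.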