Improve kepler-check pod security per snyk scan

Signed-off-by: Scott Trent <[email protected]>
sustainable-computing-io · Sep 10, 2024 · e079d6c · e079d6c
1 parent fd30186
commit e079d6c
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/deployment/kepler-check.yaml b/deployment/kepler-check.yaml
@@ -7,10 +7,27 @@ spec:
     automountServiceAccountToken: true
     terminationGracePeriodSeconds: 1
     restartPolicy: Never
+    securityContext:
+        runAsUser: 10001
+        runAsGroup: 10001
     containers:
         - name: container
           image: curlimages/curl
           imagePullPolicy: IfNotPresent
+          securityContext:
+              allowPrivilegeEscalation: false
+              runAsNonRoot: true
+              readOnlyRootFilesystem: true
+              capabilities:
+                  drop:
+                      - "ALL"
+          resources:
+              limits:
+                  cpu: 500m
+                  memory: 512Mi
+              requests:
+                  cpu: 250m
+                  memory: 512Mi
           command: ["sh"]
           args: ["-c", 'curl -k --max-time 1 KEPLER_PROMETHEUS_URL -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"']
     dnsPolicy: ClusterFirst