chore: secure deploy

2025-09-02 10:30:08 +02:00
parent 6f452a2c93
commit a63cf97638
3 changed files with 25 additions and 0 deletions
@@ -20,6 +20,12 @@ spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
+        runAsNonRoot: true
+        fsGroup: 2000
+        seccompProfile:
+          type: RuntimeDefault
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 3
      containers:
        - image: noaas
          imagePullPolicy: IfNotPresent
@@ -31,6 +37,8 @@ spec:
            httpGet:
              path: /health
              port: 3000
+            initialDelaySeconds: 15
+            periodSeconds: 20
          resources:
            limits:
              cpu: 1
@@ -45,3 +53,10 @@ spec:
                - all
            privileged: false
            readOnlyRootFilesystem: true
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: noaas