chore: secure deploy
@@ -20,6 +20,12 @@ spec:
|
|||||||
securityContext:
|
securityContext:
|
||||||
runAsUser: 1000
|
runAsUser: 1000
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 2000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
terminationGracePeriodSeconds: 3
|
||||||
containers:
|
containers:
|
||||||
- image: noaas
|
- image: noaas
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
@@ -31,6 +37,8 @@ spec:
|
|||||||
httpGet:
|
httpGet:
|
||||||
path: /health
|
path: /health
|
||||||
port: 3000
|
port: 3000
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 20
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 1
|
cpu: 1
|
||||||
@@ -45,3 +53,10 @@ spec:
|
|||||||
- all
|
- all
|
||||||
privileged: false
|
privileged: false
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: ScheduleAnyway
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app: noaas
|
||||||
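Review bot: The container-level securityContext visible in the third hunk (`- all`, `privileged: false`, `readOnlyRootFilesystem: true`) shows no `allowPrivilegeEscalation: false`, and the pod-level block added in the first hunk cannot supply it because that field exists only per container. The container securityContext starts above the hunk, so it may already be set there; if it is not, add `allowPrivilegeEscalation: false` next to `privileged: false`. The existing drop entry is also written `- all`, while the restricted Pod Security Standard expects the literal `ALL`, so a namespace enforcing that profile would likely still reject the pod; `- ALL` avoids depending on how the runtime normalises case.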
|
|||||||
@@ -7,6 +7,7 @@ resources:
|
|||||||
- service.yaml
|
- service.yaml
|
||||||
- ingress.yaml
|
- ingress.yaml
|
||||||
- netpol.yaml
|
- netpol.yaml
|
||||||
|
- pdb.yaml
|
||||||
images:
|
images:
|
||||||
- name: noaas
|
- name: noaas
|
||||||
newName: <my-harbor-url>/library/no-as-a-service
|
newName: <my-harbor-url>/library/no-as-a-service
|
||||||
|
|||||||
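--- /dev/null
+++ b/deploy/pdb.yaml
@@ -0,0 +1,9 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+name: noaas-pdb
+spec:
+minAvailable: 1
+selector:
+matchLabels:
+app: noaas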
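Review bot: `minAvailable: 1` blocks every voluntary eviction when the Deployment runs a single replica, so node drains for kernel or kubelet patching would stall on this pod. The replica count is not visible in this commit; if it is 1, either raise it to at least 2 or use `maxUnavailable: 1` here instead. The selector `app: noaas` also has to match the pod template labels, which are outside the shown hunks. A short comment above the field, such as `# requires replicas >= 2 so node drains can proceed`, would record the assumption.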