chore: secure deploy

deploy/deploy.yaml

@@ -20,6 +20,12 @@ spec:
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
+        runAsNonRoot: true
+        fsGroup: 2000
+        seccompProfile:
+          type: RuntimeDefault
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 3
       containers:
         - image: noaas
           imagePullPolicy: IfNotPresent
@@ -31,6 +37,8 @@ spec:
             httpGet:
               path: /health
               port: 3000
+            initialDelaySeconds: 15
+            periodSeconds: 20
           resources:
             limits:
               cpu: 1
@@ -45,3 +53,10 @@ spec:
                 - all
             privileged: false
             readOnlyRootFilesystem: true
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: noaas

deploy/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - service.yaml
 - ingress.yaml
 - netpol.yaml
+- pdb.yaml
 images:
 - name: noaas
   newName: <my-harbor-url>/library/no-as-a-service

deploy/pdb.yaml

@@ -0,0 +1,9 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: noaas-pdb
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: noaas