sharenet/deploy/prod-pod.yml
continuist 411d9f3f35
Improve security for production podman
2025-09-06 13:15:05 -04:00


---
# Production pod for the sharenet stack: postgres, backend, frontend and an
# nginx edge that owns host ports 80/443. Written for `podman kube play`
# (the io.containers.* annotation below is Podman-specific).
apiVersion: v1
kind: Pod
metadata:
  name: prod-pod
  labels:
    app: sharenet-production
  annotations:
    # Podman reads this annotation; it backs the per-container
    # allowPrivilegeEscalation: false settings further down.
    io.containers.no-new-privileges: "true"
spec:
  hostname: prod-pod
  # Pod-wide identity: every container runs as uid/gid 1000 and volumes are
  # group-owned by gid 1000. No container overrides runAsUser below.
  # NOTE(review): this also applies to the postgres container; the hostPath
  # pgdata directory ownership and the image's expected service user must
  # agree with uid 1000 — confirm on the host.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containers:
    # ---------------------------------------------------------------- postgres
    - name: postgres
      image: localhost/postgres:deployed
      # Hardening: immutable root filesystem, no setuid/setgid escalation, no
      # Linux capabilities. Only the data volume below is writable.
      # NOTE(review): postgres also writes its socket/lock file under
      # /var/run/postgresql and may use /tmp; whether the runtime supplies a
      # tmpfs there or an emptyDir mount is required — verify on first start.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      # Database credentials come from a secret; nothing sensitive lives here.
      envFrom:
        - secretRef:
            name: postgres-secrets
      ports:
        - containerPort: 5432
          protocol: TCP
      volumeMounts:
        - name: pgdata
          mountPath: /var/lib/postgresql/data
          readOnly: false
      # Health checks: liveness restarts a wedged server, readiness gates
      # traffic until the server accepts connections.
      livenessProbe:
        exec:
          command:
            - pg_isready
            - "-U"
            - sharenet
        initialDelaySeconds: 30
        periodSeconds: 30
        timeoutSeconds: 10
        failureThreshold: 3
      readinessProbe:
        exec:
          command:
            - pg_isready
            - "-U"
            - sharenet
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
      # Resource envelope (requests = scheduling floor, limits = hard cap).
      resources:
        requests:
          memory: "256Mi"
          cpu: "250m"
        limits:
          memory: "1Gi"
          cpu: "500m"

    # ----------------------------------------------------------------- backend
    - name: backend
      image: localhost/backend:deployed
      # Hardening: immutable root filesystem, no escalation, no capabilities.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      # API configuration and secrets are injected from a secret object.
      envFrom:
        - secretRef:
            name: backend-secrets
      ports:
        - containerPort: 3001
          protocol: TCP
      # Health checks against the service's own /health endpoint.
      livenessProbe:
        httpGet:
          path: /health
          port: 3001
          scheme: HTTP
        initialDelaySeconds: 30
        periodSeconds: 30
        timeoutSeconds: 10
        failureThreshold: 3
      readinessProbe:
        httpGet:
          path: /health
          port: 3001
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 10
        timeoutSeconds: 5
      # Resource envelope.
      resources:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "512Mi"
          cpu: "250m"

    # ---------------------------------------------------------------- frontend
    - name: frontend
      image: localhost/frontend:deployed
      # Hardening: immutable root filesystem, no escalation, no capabilities.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      envFrom:
        - secretRef:
            name: frontend-secrets
      ports:
        - containerPort: 3000
          protocol: TCP
      # No probes are declared for this container; a failed frontend process
      # is therefore not restarted by a health check.
      # Resource envelope.
      resources:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "256Mi"
          cpu: "250m"

    # ------------------------------------------------------------------- nginx
    - name: nginx
      image: localhost/nginx:deployed
      # Hardening: immutable root filesystem, no escalation, no capabilities.
      # NOTE(review): this container listens on 80/443 while running as uid
      # 1000 with every capability dropped (no CAP_NET_BIND_SERVICE); that only
      # works if the image/runtime allows unprivileged binds below 1024 —
      # confirm, otherwise nginx will fail to start.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      # hostPort publishes these ports on the host's interfaces; nginx is the
      # only container reachable from outside the pod.
      ports:
        - containerPort: 80
          protocol: TCP
          hostPort: 80
        - containerPort: 443
          protocol: TCP
          hostPort: 443
      volumeMounts:
        # Single config file projected read-only via subPath.
        - name: nginx-conf
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
          readOnly: true
        # The only writable path: nginx's cache directory.
        - name: nginx-cache
          mountPath: /var/cache/nginx
          readOnly: false
        # TLS material from the host, never writable from the container.
        - name: letsencrypt
          mountPath: /etc/letsencrypt
          readOnly: true
      # Liveness only; /healthz must be served by the mounted nginx.conf.
      livenessProbe:
        httpGet:
          path: /healthz
          port: 80
          scheme: HTTP
        initialDelaySeconds: 10
        periodSeconds: 30
        timeoutSeconds: 5
        failureThreshold: 3
      # Resource envelope.
      resources:
        requests:
          memory: "64Mi"
          cpu: "50m"
        limits:
          memory: "128Mi"
          cpu: "100m"

  # Host-backed volumes. type: Directory means the path must already exist on
  # the host; the pod does not create it.
  volumes:
    - name: pgdata
      hostPath:
        path: /opt/sharenet/volumes/pgdata
        type: Directory
    - name: nginx-conf
      hostPath:
        path: /opt/sharenet/nginx
        type: Directory
    - name: nginx-cache
      hostPath:
        path: /opt/sharenet/volumes/nginx-cache
        type: Directory
    - name: letsencrypt
      hostPath:
        path: /etc/letsencrypt
        type: Directory