Potential Denial of Service via unrestricted CPU/memory and root user execution (#187)

* Update node-exporter-daemonset.yaml * Update prometheus-adapter-deployment.yaml Signed-off-by: zyue110026 <98426905+zyue110026@users.noreply.github.com> * Update prometheus-adapter-deployment.yaml * Update prometheus-adapter-deployment.yaml Signed-off-by: zyue110026 <98426905+zyue110026@users.noreply.github.com> * Update node-exporter-daemonset.yaml --------- Signed-off-by: zyue110026 <98426905+zyue110026@users.noreply.github.com>
2025-08-27 13:46:16 +02:00 · 2025-08-22 17:59:09 -05:00 · 2025-08-22 17:59:09 -05:00 · 4ad94a898d
commit 4ad94a898d
parent 628b1ad6a9
1 changed files with 11 additions and 0 deletions
--- a/manifests/prometheus-adapter-deployment.yaml
+++ b/manifests/prometheus-adapter-deployment.yaml
@ -29,6 +29,17 @@ spec:
        name: prometheus-adapter
        ports:
        - containerPort: 6443
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "250m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        securityContext:
+          runAsUser: 1000
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp
          name: tmpfs