From 4ad94a898d7142122abbf486dc0bc147dd2e0b60 Mon Sep 17 00:00:00 2001
From: zyue110026 <98426905+zyue110026@users.noreply.github.com>
Date: Fri, 22 Aug 2025 17:59:09 -0500
Subject: [PATCH] Potential Denial of Service via unrestricted CPU/memory and root user execution (#187)
* Update node-exporter-daemonset.yaml
* Update prometheus-adapter-deployment.yaml
Signed-off-by: zyue110026 <98426905+zyue110026@users.noreply.github.com>
* Update prometheus-adapter-deployment.yaml
* Update prometheus-adapter-deployment.yaml
Signed-off-by: zyue110026 <98426905+zyue110026@users.noreply.github.com>
* Update node-exporter-daemonset.yaml
---------
Signed-off-by: zyue110026 <98426905+zyue110026@users.noreply.github.com>
---
 manifests/prometheus-adapter-deployment.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/manifests/prometheus-adapter-deployment.yaml b/manifests/prometheus-adapter-deployment.yaml
index b95f07d..b9632c8 100644
--- a/manifests/prometheus-adapter-deployment.yaml
+++ b/manifests/prometheus-adapter-deployment.yaml
@@ -29,6 +29,17 @@ spec:
 name: prometheus-adapter
 ports:
 - containerPort: 6443
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp
 name: tmpfs
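Review bot: The added `securityContext` stops at the user ID and the read-only root, so the container still keeps the runtime's default capability set and may gain privileges through setuid binaries in the image. Since the only port shown is 6443 (unprivileged), the block can also carry `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`. With `readOnlyRootFilesystem: true`, the only writable path visible in this hunk is the `/tmp` tmpfs mount; any other directory the adapter writes to at startup (a serving-certificate directory, for instance) needs its own volume, which should be confirmed against the args and volumes outside the hunk. The hard-coded `runAsUser: 1000` and the 512Mi/500m limits also deserve a one-line comment stating where the values come from, because a CPU limit that throttles the adapter would degrade the metrics API it serves.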