From b521c23e709513ed020088ba540f539948fe3c89 Mon Sep 17 00:00:00 2001
From: Diego Najar
Date: Wed, 23 Jun 2021 10:02:57 +0200
Subject: [PATCH] Improve security context for the k8s manifest

---
 files/logic.py       |  4 ++--
 kubernetes/full.yaml | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/files/logic.py b/files/logic.py
index c9e216b..e09f73b 100644
--- a/files/logic.py
+++ b/files/logic.py
@@ -57,7 +57,7 @@ def execute(self):
         startReplicas = 1
         startReplicasAnnotation = 'another-scheduler.io/start-replicas'
         if startReplicasAnnotation in deployAnnotations:
-            self.logs.debug({'message': 'Start replicas defined by the user.', 'namespace': namespaceName, 'deployment': deployName, 'replicas': deployAnnotations[startReplicasAnnotation]})
+            self.logs.debug({'message': 'Replicas defined by the user for start.', 'namespace': namespaceName, 'deployment': deployName, 'replicas': deployAnnotations[startReplicasAnnotation]})
             startReplicas = int(deployAnnotations[startReplicasAnnotation])
 
         if deploy.spec.replicas != startReplicas:
@@ -80,7 +80,7 @@ def execute(self):
         stopReplicas = 0
         stopReplicasAnnotation = 'another-scheduler.io/stop-replicas'
         if stopReplicasAnnotation in deployAnnotations:
-            self.logs.debug({'message': 'Stop replicas defined by the user.', 'namespace': namespaceName, 'deployment': deployName, 'replicas': deployAnnotations[stopReplicasAnnotation]})
+            self.logs.debug({'message': 'Replicas defined by the user for stop.', 'namespace': namespaceName, 'deployment': deployName, 'replicas': deployAnnotations[stopReplicasAnnotation]})
             stopReplicas = int(deployAnnotations[stopReplicasAnnotation])
 
         if deploy.spec.replicas != stopReplicas:
diff --git a/kubernetes/full.yaml b/kubernetes/full.yaml
index daf49c6..254092a 100644
--- a/kubernetes/full.yaml
+++ b/kubernetes/full.yaml
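Review bot: `startReplicas = int(deployAnnotations[startReplicasAnnotation])` on the new side converts an annotation value that anyone able to edit the Deployment controls, with no handling of a non-numeric value; a malformed annotation raises ValueError out of execute(), and if execute() iterates deployments (as the per-deployment namespaceName/deployName suggests) that aborts scheduling for every other deployment too. The same applies to `stopReplicas = int(deployAnnotations[stopReplicasAnnotation])` in the hunk at line 80. Parsing under try/except and keeping the default keeps one bad annotation from taking the scheduler down; negative values are worth rejecting at the same spot, since the API server will refuse the scale and raise later anyway. execute() starts and ends outside both hunks, and only a debug method is visible on self.logs, so use a warning level if the logger has one.
```python
if startReplicasAnnotation in deployAnnotations:
    self.logs.debug({'message': 'Replicas defined by the user for start.', 'namespace': namespaceName, 'deployment': deployName, 'replicas': deployAnnotations[startReplicasAnnotation]})
    try:
        startReplicas = int(deployAnnotations[startReplicasAnnotation])
    except ValueError:
        # keep the default (1) instead of aborting execute() for every deployment
        self.logs.debug({'message': 'Ignoring non-integer start-replicas annotation.', 'namespace': namespaceName, 'deployment': deployName, 'replicas': deployAnnotations[startReplicasAnnotation]})
# … unchanged: comparison against deploy.spec.replicas and scale …
```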
@@ -69,6 +69,17 @@ spec:
         - configMapRef:
             name: another-scheduler
         securityContext:
-          readOnlyRootFilesystem: true
           runAsNonRoot: true
-          runAsUser: 10000
\ No newline at end of file
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 10001
+          capabilities:
+            drop:
+            - ALL
+        resources:
+          limits:
+            cpu: 300m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
\ No newline at end of file
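Review bot: The hardened securityContext still sets no seccomp profile, so the container keeps its full syscall surface even though privilege escalation and all capabilities are now denied; the restricted Pod Security Standard expects `seccompProfile:` with `type: RuntimeDefault` next to the fields added here (the field is accepted in the container securityContext on Kubernetes 1.19+). The move of `runAsUser` from 10000 to 10001 is not explained in the commit message; if the image's USER or file ownership was built for 10000, the new UID combined with readOnlyRootFilesystem may break any path the process still needs to write — presumably the image was rebuilt to match, worth confirming and noting. The file still ends without a trailing newline on the new side (`\ No newline at end of file`); adding one keeps the next diff to this manifest clean.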