Update Kubernetes manifests with 'securityContext' and optimize configurations #295

Open
4 of 6 tasks
SonOfLope opened this issue Jul 5, 2024 · 1 comment
SonOfLope commented Jul 5, 2024

We need to update all our Kubernetes manifests (mainly deployments for client apps) to include securityContext and optimize our configurations. This includes, but is not limited to, adding resource limits and other best practices. The goal is to ensure our deployments meet current security and performance standards.

TODO:

  1. Add securityContext to Each Manifest

    • Include security configurations such as runAsUser, runAsGroup, and fsGroup.
    • Include parameters like readOnlyRootFilesystem, allowPrivilegeEscalation, etc.
    • Example configurations:
      spec:
        securityContext:            # pod level: applies to every container in the pod
          runAsUser: 1000
          runAsGroup: 3000
          fsGroup: 2000             # only valid at pod level
        containers:
          - name: nachet-backend
            securityContext:        # container level: these two fields are not valid at pod level
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
  2. Define Resource Limits for Each Container

    • Add resources requests and limits for CPU and memory based on application needs.
    • Example configurations:
      resources:
        requests:
          memory: "256Mi"
          cpu: "500m"
        limits:
          memory: "512Mi"
          cpu: "1000m"
  3. Add Pod Disruption Budgets (PDB)

    • Define PDBs to ensure high availability during voluntary disruptions.
    • Example configurations:
    apiVersion: policy/v1
    kind: PodDisruptionBudget
    metadata:
      name: nachet-backend-pdb
    spec:
      minAvailable: 1
      selector:
        matchLabels:
          app: nachet-backend
  4. Set Affinity and Anti-affinity Rules

    • Define rules to spread or group pods across nodes.
    • Example configurations:
    affinity:
      # Spread: never place two nachet-backend pods on the same node.
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - nachet-backend
            topologyKey: "kubernetes.io/hostname"
      # Group: prefer the zone where nachet-backend pods already run.
      # A required podAffinity with the same selector and hostname topologyKey
      # as the rule above would contradict it and leave every replica after
      # the first stuck in Pending, so grouping uses a different topology and
      # is only preferred.
      podAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - nachet-backend
              topologyKey: "topology.kubernetes.io/zone"
  5. Implement Role-Based Access Control (RBAC)

    • Define roles and role bindings to enforce the principle of least privilege.
    • Example configurations:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: nachet
      name: pod-reader
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    • Create the RoleBinding to bind the Role to the Azure AD group (we have to evaluate if this is possible)
    • Example configuration:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods-binding
      namespace: nachet
    subjects:
    - kind: Group
      name: azure-ad-group   # placeholder; with AKS Azure AD integration this is the group's object ID
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: pod-reader
      apiGroup: rbac.authorization.k8s.io
  6. Test updated manifests

  7. Document Changes

    • Update internal documentation with new practices and configurations.

Tasks are to be done per deployment:

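As an added example (not code from this issue or the nachet repository), a small stand-alone checker for steps 1 to 3 above. It takes Kubernetes objects already loaded as Python dicts (the YAML-to-dict step is left out so it runs on the standard library alone), flags securityContext fields placed at the wrong level, missing allowPrivilegeEscalation/readOnlyRootFilesystem settings, missing CPU/memory limits, and Deployments no PodDisruptionBudget selects. The manifests, image tags and container names in it are constructed samples.

```python
"""Static checks for the hardening items in this issue (steps 1-3).

Added example, not code from the issue or the nachet project. Manifests are
passed as dicts; every sample below is constructed.
"""
from typing import Any

# Fields valid only in pod.spec.securityContext vs. only in a container's
# securityContext. The API server rejects a field placed at the wrong level,
# which is how a draft that mixes them fails to apply.
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}
CONTAINER_ONLY = {"allowPrivilegeEscalation", "readOnlyRootFilesystem",
                  "privileged", "capabilities"}


def _pdb_covers(pdb: dict[str, Any], dep: dict[str, Any]) -> bool:
    """True if the PDB is in the Deployment's namespace and its matchLabels
    are a subset of the pod template labels (i.e. it selects those pods)."""
    if pdb["metadata"].get("namespace") != dep["metadata"].get("namespace"):
        return False
    wanted = pdb["spec"].get("selector", {}).get("matchLabels", {})
    labels = dep["spec"]["template"]["metadata"].get("labels", {})
    return bool(wanted) and all(labels.get(k) == v for k, v in wanted.items())


def check_deployment(dep: dict[str, Any], pdbs: list[dict[str, Any]]) -> list[str]:
    """Return human-readable findings; an empty list means the Deployment passes."""
    findings: list[str] = []
    name = dep["metadata"]["name"]
    pod_spec = dep["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})

    misplaced = sorted(CONTAINER_ONLY & set(pod_sc))
    if misplaced:
        findings.append(f"{name}: container-only fields in pod securityContext: {misplaced}")
    if pod_sc.get("runAsNonRoot") is not True and pod_sc.get("runAsUser", 0) == 0:
        findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")

    for c in pod_spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        misplaced = sorted(POD_ONLY & set(sc))
        if misplaced:
            findings.append(f"{cname}: pod-only fields in container securityContext: {misplaced}")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{cname}: no {res} limit")

    if not any(_pdb_covers(p, dep) for p in pdbs):
        findings.append(f"{name}: no PodDisruptionBudget selects its pods")
    return findings


# Constructed sample: container-level fields placed at pod level, no
# resources, no PDB.
DRAFT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nachet-backend", "namespace": "nachet"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "nachet-backend"}},
        "spec": {
            "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000,
                                "readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False},
            "containers": [{"name": "backend", "image": "nachet-backend:placeholder"}],
        },
    }},
}

# Constructed sample: fields at the right level, limits set, PDB present.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nachet-backend", "namespace": "nachet"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "nachet-backend"}},
        "spec": {
            "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                "runAsGroup": 3000, "fsGroup": 2000},
            "containers": [{
                "name": "backend", "image": "nachet-backend:placeholder",
                "securityContext": {"allowPrivilegeEscalation": False,
                                    "readOnlyRootFilesystem": True,
                                    "capabilities": {"drop": ["ALL"]}},
                "resources": {"requests": {"memory": "256Mi", "cpu": "500m"},
                              "limits": {"memory": "512Mi", "cpu": "1000m"}},
            }],
        },
    }},
}

PDB = {
    "apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
    "metadata": {"name": "nachet-backend-pdb", "namespace": "nachet"},
    "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "nachet-backend"}}},
}

if __name__ == "__main__":
    for label, dep, pdbs in (("draft", DRAFT, []), ("hardened", HARDENED, [PDB])):
        print(f"{label}: {check_deployment(dep, pdbs) or 'OK'}")
```

The draft sample produces six findings and the hardened one none; wiring the checker to `kubectl get deploy,pdb -n nachet -o json` output is the obvious next step for the test task in step 6.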
@SonOfLope SonOfLope self-assigned this Jul 5, 2024
@SonOfLope SonOfLope added the epic label Jul 5, 2024
@SonOfLope SonOfLope moved this to In Progress in DevSecOps Jul 5, 2024
ThomasCardin commented Jul 5, 2024

Maybe we can also add:

  • PDB
  • Affinity and Anti-affinity rules
  • RBAC
