
Add SCC security contexts and resource limits for optimizer and UI#92

Draft
shekhar316 wants to merge 1 commit into
kruize:mainfrom
shekhar316:cata

Conversation


@shekhar316 shekhar316 commented Apr 29, 2026

Documenting changes done for catalogathon

  • Added pod and container security contexts for OpenShift SCC compatibility
  • Added security context to init containers (AllowPrivilegeEscalation=false, drop ALL capabilities)
  • Added security context to main containers (AllowPrivilegeEscalation=false, drop ALL capabilities, RunAsNonRoot=true)
  • Added resource requests and limits for optimizer deployment (CPU: 200m-500m, Memory: 256Mi-512Mi)
  • Added resource requests and limits for UI deployment (CPU: 100m-200m, Memory: 128Mi-256Mi)
  • Applied changes to both OpenShift and Kubernetes deployments

Summary by Sourcery

Harden Kruize deployments and define resource constraints for optimizer and UI workloads across OpenShift and Kubernetes manifests.

Enhancements:

  • Add pod-level and container-level security contexts to Kruize deployments for OpenShift and Kubernetes, including non-root execution and default seccomp profile.
  • Apply restrictive security settings to init and main containers by disabling privilege escalation and dropping all Linux capabilities.
  • Define CPU and memory requests/limits for the Kruize optimizer deployment to ensure predictable resource usage.
  • Define CPU and memory requests/limits for the Kruize UI nginx deployment to ensure predictable resource usage across environments.


sourcery-ai Bot commented Apr 29, 2026

Reviewer's Guide

Adds pod/container security contexts for SCC/PSA compatibility and defines CPU/memory requests & limits for optimizer and UI deployments in both OpenShift and vanilla Kubernetes generators.

Updated class diagram for KruizeResourceGenerator deployment specs

classDiagram
    class KruizeResourceGenerator {
        +string Autotune_image
        +string Autotune_ui_image
        +appsv1_Deployment kruizeDeployment()
        +appsv1_Deployment kruizeDeploymentKubernetes()
        +appsv1_Deployment kruizeOptimizerDeployment()
        +appsv1_Deployment kruizeUINginxDeployment()
    }

    class appsv1_Deployment {
        +ObjectMeta metadata
        +DeploymentSpec spec
    }

    class DeploymentSpec {
        +PodTemplateSpec template
    }

    class PodTemplateSpec {
        +PodSpec spec
    }

    class PodSpec {
        +string ServiceAccountName
        +PodSecurityContext SecurityContext
        +Container[] InitContainers
        +Container[] Containers
    }

    class PodSecurityContext {
        +bool RunAsNonRoot
        +SeccompProfile SeccompProfile
    }

    class SeccompProfile {
        +string Type
    }

    class Container {
        +string Name
        +string Image
        +string ImagePullPolicy
        +SecurityContext SecurityContext
        +VolumeMount[] VolumeMounts
        +ContainerPort[] Ports
        +ResourceRequirements Resources
        +EnvVar[] Env
    }

    class SecurityContext {
        +bool AllowPrivilegeEscalation
        +Capabilities Capabilities
        +bool RunAsNonRoot
    }

    class Capabilities {
        +Capability[] Drop
    }

    class ResourceRequirements {
        +ResourceList Requests
        +ResourceList Limits
    }

    KruizeResourceGenerator --> appsv1_Deployment : creates
    appsv1_Deployment --> DeploymentSpec
    DeploymentSpec --> PodTemplateSpec
    PodTemplateSpec --> PodSpec
    PodSpec --> PodSecurityContext
    PodSpec --> Container : InitContainers
    PodSpec --> Container : Containers
    PodSecurityContext --> SeccompProfile
    Container --> SecurityContext
    SecurityContext --> Capabilities
    Container --> ResourceRequirements

File-Level Changes

Harden Kruize pod security configuration for OpenShift-generated deployment.
  • Set PodSecurityContext with RunAsNonRoot=true and seccompProfile=RuntimeDefault on the Kruize Deployment pod spec
  • Add SecurityContext to the init container to disallow privilege escalation, drop all capabilities, and enforce non-root user
  • Add SecurityContext to the main Kruize container to disallow privilege escalation, drop all capabilities, and enforce non-root user
  Files: internal/utils/kruize_generator.go

Define resource requests and limits for the optimizer container.
  • Configure CPU requests/limits (200m/500m) for the optimizer container
  • Configure memory requests/limits (256Mi/512Mi) for the optimizer container
  Files: internal/utils/kruize_generator.go

Define resource requests and limits for the UI Nginx container.
  • Configure CPU requests/limits (100m/200m) for the UI container
  • Configure memory requests/limits (128Mi/256Mi) for the UI container
  Files: internal/utils/kruize_generator.go

Harden Kruize pod security configuration for Kubernetes-generated deployment.
  • Set PodSecurityContext with RunAsNonRoot=true and seccompProfile=RuntimeDefault on the Kubernetes Kruize Deployment pod spec
  • Add SecurityContext to the init container to disallow privilege escalation, drop all capabilities, and enforce non-root user
  • Add SecurityContext to the main Kruize container to disallow privilege escalation, drop all capabilities, and enforce non-root user
  Files: internal/utils/kruize_generator.go
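As an added example (not code from this PR or the Kruize project), a Go check that walks a pod spec and reports every pod or container setting that falls short of what the file-level changes above describe: RuntimeDefault seccomp, non-root, no privilege escalation, drop ALL, and cpu/memory limits, with init containers checked alongside main containers. It uses minimal stand-in types for the k8s.io/api/core/v1 fields rather than the real package, and the sample spec is constructed to show what a generator that forgot the init container would produce.

```go
package main
import "fmt"

// Minimal stand-ins for the k8s.io/api/core/v1 fields this check reads (assumed here; the generator uses the real package).
type Capabilities struct{ Drop []string }
type SecurityContext struct{ AllowPrivilegeEscalation, RunAsNonRoot *bool; Capabilities *Capabilities }
type PodSecurityContext struct{ RunAsNonRoot *bool; SeccompType string } // SeccompType mirrors seccompProfile.type
type Container struct{ Name string; SecurityContext *SecurityContext; Limits map[string]string }
type PodSpec struct{ SecurityContext *PodSecurityContext; InitContainers, Containers []Container }
func b(v bool) *bool { return &v }
// CheckRestricted returns one finding per pod or container setting that falls short of what this PR
// adds (RuntimeDefault seccomp, non-root, no privilege escalation, drop ALL, cpu/memory limits).
// Init containers are checked too: SCC/PSA admission evaluates them like the main containers.
func CheckRestricted(p PodSpec) (out []string) {
	ps := p.SecurityContext
	if ps == nil || ps.SeccompType != "RuntimeDefault" {
		out = append(out, "pod: seccompProfile.type must be RuntimeDefault")
	}
	podNonRoot := ps != nil && ps.RunAsNonRoot != nil && *ps.RunAsNonRoot
	for _, c := range append(append([]Container{}, p.InitContainers...), p.Containers...) {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{} // an absent context fails every container check below
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation must be false")
		}
		if sc.Capabilities == nil || len(sc.Capabilities.Drop) != 1 || sc.Capabilities.Drop[0] != "ALL" {
			out = append(out, c.Name+": capabilities.drop must be [ALL]")
		}
		if !podNonRoot && (sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot) {
			out = append(out, c.Name+": runAsNonRoot must be true at pod or container level")
		}
		if c.Limits["cpu"] == "" || c.Limits["memory"] == "" {
			out = append(out, c.Name+": cpu and memory limits required")
		}
	}
	return out
}
func main() {
	// Constructed spec: pod and main container hardened as in the PR, but the init container was left bare.
	hardened := &SecurityContext{AllowPrivilegeEscalation: b(false), RunAsNonRoot: b(true), Capabilities: &Capabilities{Drop: []string{"ALL"}}}
	spec := PodSpec{
		SecurityContext: &PodSecurityContext{RunAsNonRoot: b(true), SeccompType: "RuntimeDefault"},
		InitContainers:  []Container{{Name: "init"}},
		Containers:      []Container{{Name: "optimizer", SecurityContext: hardened, Limits: map[string]string{"cpu": "500m", "memory": "512Mi"}}},
	}
	fmt.Println(CheckRestricted(spec)) // three findings, all for "init"
}
```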
