fix: Potential Denial of Service via unrestricted CPU/memory and root user execution (#5203)

zyue110026 · PriteshKiri · web-flow · commit c0532780b5bb · 2025-10-15T17:29:16.000+05:30
* fix: hostPID set to false

Signed-off-by: zyue110026 &lt;98426905+zyue110026@users.noreply.github.com&gt;

* fix: hostPID set to false

Signed-off-by: zyue110026 &lt;98426905+zyue110026@users.noreply.github.com&gt;

* fix: Potential Denial of Service via unrestricted CPU/memory and root user execution

Signed-off-by: zyue110026 &lt;98426905+zyue110026@users.noreply.github.com&gt;

* fix: Potential Denial of Service via unrestricted CPU/memory and root user execution

Signed-off-by: zyue110026 &lt;98426905+zyue110026@users.noreply.github.com&gt;

* fix: Potential Denial of Service via unrestricted CPU/memory and root user execution

Signed-off-by: zyue110026 &lt;98426905+zyue110026@users.noreply.github.com&gt;

---------

Signed-off-by: zyue110026 &lt;98426905+zyue110026@users.noreply.github.com&gt;
Co-authored-by: Pritesh Kiri &lt;77957844+PriteshKiri@users.noreply.github.com&gt;
diff --git a/monitoring/utils/grafana/deployment.yaml b/monitoring/utils/grafana/deployment.yaml
@@ -18,6 +18,17 @@ spec:
         - image: grafana/grafana:latest
           imagePullPolicy: Always
           name: grafana
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          securityContext:
+            runAsUser: 1000
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           ports:
             - containerPort: 3000
               name: grafana
diff --git a/monitoring/utils/metrics-exporters-with-service-monitors/litmus-metrics/chaos-exporter/chaos-exporter.yaml b/monitoring/utils/metrics-exporters-with-service-monitors/litmus-metrics/chaos-exporter/chaos-exporter.yaml
@@ -28,6 +28,17 @@ spec:
           env:
             - name: TSDB_SCRAPE_INTERVAL
               value: '10'
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          securityContext:
+            runAsUser: 1000
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           # uncomment the following lines to use the litmuschaos exporter for monitoring the chaos events and chaosresults for a selected namespace
           # - name: WATCH_NAMESPACE
           #   value: 'litmus'
diff --git a/monitoring/utils/metrics-exporters-with-service-monitors/mysqld-exporter/deployment.yaml b/monitoring/utils/metrics-exporters-with-service-monitors/mysqld-exporter/deployment.yaml
@@ -31,6 +31,17 @@ spec:
             - '--collect.engine_innodb_status'
             - '--collect.slave_hosts'
           name: mysql-exporter
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          securityContext:
+            runAsUser: 1000
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           ports:
             - containerPort: 9104
               name: mysql-metrics
