267 changes: 0 additions & 267 deletions k8s/README.md

This file was deleted.

40 changes: 0 additions & 40 deletions k8s/backend-deployment.yaml

This file was deleted.

33 changes: 33 additions & 0 deletions k8s/backend-deployment.yml
@@ -0,0 +1,33 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend-deployment
namespace: chat-app
spec:
replicas: 1
selector:
matchLabels:
app: backend
template:
metadata:
name: backend-pod
labels:
app: backend
spec:
containers:
- name: chat-backend
image: abhay41/chatapp-backend:latest
ports:
- containerPort: 5001
Comment on lines +17 to +21
🛠️ Refactor suggestion

Add a securityContext to drop root privileges and disallow privilege escalation.
Static analysis (CKV_K8S_20 / 23) flags the container as running as root. Harden it:

       containers:
         - name: chat-backend
           image: abhay41/chatapp-backend:latest
+          securityContext:
+            runAsUser: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
           ports:
             - containerPort: 5001
🤖 Prompt for AI Agents
In k8s/backend-deployment.yml around lines 17 to 21, the container definition
lacks a securityContext to prevent running as root and disallow privilege
escalation. Add a securityContext section under the container spec with
runAsNonRoot set to true, runAsUser set to a non-root user ID (e.g., 1000), and
allowPrivilegeEscalation set to false to harden the container's security
posture.

env:
- name: NODE_ENV
value: "production"
- name: MONGODB_URI
value: "mongodb://root:admin@mongodb-service:27017/chatApp?authSource=admin&retryWrites=true&w=majority"
Comment on lines +25 to +26
⚠️ Potential issue

Hard-coded DB credentials leak secrets – move the entire URI to a Secret.
Shipping root:admin in plain text violates basic 12-factor & K8s security guidelines and is caught by CKV_SECRET_4. Mount the connection string via valueFrom.secretKeyRef (or split user/pass into two keys) and delete the literal.

-            - name: MONGODB_URI
-              value: "mongodb://root:admin@mongodb-service:27017/chatApp?authSource=admin&retryWrites=true&w=majority"
+            - name: MONGODB_URI
+              valueFrom:
+                secretKeyRef:
+                  name: chatapp-secrets
+                  key: mongodb-uri
🤖 Prompt for AI Agents
In k8s/backend-deployment.yml at lines 25 to 26, the MongoDB URI with hard-coded
credentials is exposed as plain text. To fix this, remove the literal URI from
the value field and instead reference it securely using valueFrom.secretKeyRef,
pointing to a Kubernetes Secret that stores the connection string. Create or
update the Secret to hold the URI or separate user and password keys, then mount
these securely in the deployment manifest.

- name: PORT
value: "5001"
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: chatapp-secrets
key: jwt
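Review bot: `image: abhay41/chatapp-backend:latest` is a mutable tag, so every rollout (and every node that pulls fresh) may get different code and a rollback to a "known good" revision is not reproducible; pin to an immutable tag or a digest (`image: abhay41/chatapp-backend@sha256:<digest>`, placeholder) in the same change that builds the image. Related: this PR deletes k8s/backend-secrets.yaml while the new `JWT_SECRET` entry reads `secretKeyRef` from `chatapp-secrets`; unless that Secret is created outside this diff, the pod will fail at container creation, so state where it now comes from. The container also carries no `resources` requests/limits and no liveness/readiness probes, which the deployment should have before it is considered production-ready.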
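As an added example (not part of this PR or of the review comments above), a small regex-based check in the spirit of the two findings on this hunk: it flags env entries whose literal `value:` embeds `user:password@` in a URI, returns them with the password redacted, and reports whether the hardening `securityContext` keys are present. The manifest excerpt is constructed in the shape of this diff; the checker walks lines and is not a full YAML parser.

```python
import re

# Constructed excerpt in the shape of k8s/backend-deployment.yml (not the file itself).
SAMPLE_MANIFEST = """\
containers:
  - name: chat-backend
    image: abhay41/chatapp-backend:latest
    env:
      - name: NODE_ENV
        value: "production"
      - name: MONGODB_URI
        value: "mongodb://root:admin@mongodb-service:27017/chatApp?authSource=admin"
      - name: JWT_SECRET
        valueFrom:
          secretKeyRef:
            name: chatapp-secrets
            key: jwt
"""

# scheme://user:password@rest  (user and password free of ':' '@' '/' and whitespace)
URI_CRED_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*://)(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<rest>.*)$")
ENV_NAME_RE = re.compile(r"^\s*-\s*name:\s*(?P<name>\S+)\s*$")
ENV_VALUE_RE = re.compile(r'^\s*value:\s*"?(?P<value>[^"]*)"?\s*$')


def redact_uri(uri):
    """Mask the password of a scheme://user:pw@host URI; other strings come back unchanged."""
    m = URI_CRED_RE.match(uri)
    return uri if not m else f"{m['scheme']}{m['user']}:***@{m['rest']}"


def find_inline_uri_credentials(manifest_text):
    """Return [(env_name, redacted_value)] for env entries whose literal value carries user:pw@."""
    findings, prev_name = [], None
    for line in manifest_text.splitlines():
        nm, vm = ENV_NAME_RE.match(line), ENV_VALUE_RE.match(line)
        # A literal value only counts when it directly follows its `- name:` line.
        if vm and prev_name and URI_CRED_RE.match(vm["value"]):
            findings.append((prev_name, redact_uri(vm["value"])))
        prev_name = nm["name"] if nm else None
    return findings


def has_hardened_security_context(manifest_text):
    """True only when both runAsNonRoot: true and allowPrivilegeEscalation: false are present."""
    return bool(re.search(r"runAsNonRoot:\s*true", manifest_text)
                and re.search(r"allowPrivilegeEscalation:\s*false", manifest_text))


if __name__ == "__main__":
    for name, redacted in find_inline_uri_credentials(SAMPLE_MANIFEST):
        print(f"inline credential in env {name}: {redacted}")
    print("hardened securityContext:", has_hardened_security_context(SAMPLE_MANIFEST))
```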
8 changes: 0 additions & 8 deletions k8s/backend-secrets.yaml

This file was deleted.

8 changes: 3 additions & 5 deletions k8s/backend-service.yaml → k8s/backend-service.yml
@@ -1,14 +1,12 @@
apiVersion: v1
kind: Service
metadata:
metadata:
name: backend
namespace: chat-app
spec:
selector:
app: backend
ports:
- protocol: TCP
port: 5001
targetPort: 5001
nodePort: 30501
type: NodePort
port: 5001 # Port exposed inside the cluster
targetPort: 5001 # Matches container port
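Review bot: removing `nodePort: 30501` and `type: NodePort` makes the Service fall back to the default ClusterIP type, so the backend is no longer bound on port 30501 of every node; that is the safer exposure, but nothing in this diff shows what now reaches `backend:5001` from outside the cluster (the frontend manifest is not part of the change), so confirm the frontend addresses the in-cluster Service name rather than the old node port and say so in the PR description. Minor: the hunk shows `metadata:` both removed and re-added, which reads as a whitespace-only edit on that line; normalising the indentation separately would keep the .yaml to .yml rename a pure rename.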