Fix sec context and resources for performance jobs (#14529)

* fix sec ctx for performance jobs * fix lint
knative · Oct 19, 2023 · 9896079 · 9896079
1 parent 707d286
commit 9896079
Show file tree

Hide file tree

Showing 15 changed files with 181 additions and 4 deletions.
diff --git a/test/performance/benchmarks/dataplane-probe/dataplane-probe-activator.yaml b/test/performance/benchmarks/dataplane-probe/dataplane-probe-activator.yaml
@@ -75,3 +75,15 @@ spec:
             requests:
               cpu: 1000m
               memory: 3Gi
+            limits:
+              cpu: 1000m
+              memory: 3Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
diff --git a/test/performance/benchmarks/dataplane-probe/dataplane-probe-deployment.yaml b/test/performance/benchmarks/dataplane-probe/dataplane-probe-deployment.yaml
@@ -75,4 +75,15 @@ spec:
             requests:
               cpu: 1000m
               memory: 3Gi
----
+            limits:
+              cpu: 1000m
+              memory: 3Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
diff --git a/test/performance/benchmarks/dataplane-probe/dataplane-probe-queue.yaml b/test/performance/benchmarks/dataplane-probe/dataplane-probe-queue.yaml
@@ -75,4 +75,13 @@ spec:
             requests:
               cpu: 1000m
               memory: 3Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
 ---
diff --git a/test/performance/benchmarks/load-test/load-test-0-direct.yaml b/test/performance/benchmarks/load-test/load-test-0-direct.yaml
@@ -77,4 +77,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 3Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/load-test/load-test-200-direct.yaml b/test/performance/benchmarks/load-test/load-test-200-direct.yaml
@@ -77,4 +77,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 3Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/load-test/load-test-always-direct.yaml b/test/performance/benchmarks/load-test/load-test-always-direct.yaml
@@ -77,4 +77,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 3Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/real-traffic-test/real-traffic-test.yaml b/test/performance/benchmarks/real-traffic-test/real-traffic-test.yaml
@@ -78,4 +78,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 2Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/reconciliation-delay/reconciliation-delay.yaml b/test/performance/benchmarks/reconciliation-delay/reconciliation-delay.yaml
@@ -49,9 +49,6 @@ spec:
         args:
         - "-duration=15m"
         - "-frequency=5s"
-        resources:
-          requests:
-            cpu: 100m
         env:
           - name: KO_DOCKER_REPO
             value: $KO_DOCKER_REPO
@@ -85,4 +82,20 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.uid
+        resources:
+          requests:
+            cpu: 100m
+            memory: 500Mi
+          limits:
+            cpu: 1000m
+            memory: 1Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/rollout-probe/rollout-probe-activator-direct-lin.yaml b/test/performance/benchmarks/rollout-probe/rollout-probe-activator-direct-lin.yaml
@@ -76,4 +76,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 3Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/rollout-probe/rollout-probe-activator-direct.yaml b/test/performance/benchmarks/rollout-probe/rollout-probe-activator-direct.yaml
@@ -76,4 +76,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 3Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/rollout-probe/rollout-probe-queue-proxy-direct.yaml b/test/performance/benchmarks/rollout-probe/rollout-probe-queue-proxy-direct.yaml
@@ -76,4 +76,16 @@ spec:
           requests:
             cpu: 1000m
             memory: 3Gi
+          limits:
+            cpu: 1000m
+            memory: 3Gi
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
       restartPolicy: Never
diff --git a/test/performance/benchmarks/scale-from-zero/scale-from-zero-1.yaml b/test/performance/benchmarks/scale-from-zero/scale-from-zero-1.yaml
@@ -76,5 +76,17 @@ spec:
             requests:
               cpu: 1000m
               memory: 3Gi
+            limits:
+              cpu: 1000m
+              memory: 3Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
       restartPolicy: Never
 ---
diff --git a/test/performance/benchmarks/scale-from-zero/scale-from-zero-100.yaml b/test/performance/benchmarks/scale-from-zero/scale-from-zero-100.yaml
@@ -76,5 +76,17 @@ spec:
             requests:
               cpu: 1500m
               memory: 6Gi
+            limits:
+              cpu: 1500m
+              memory: 6Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
       restartPolicy: Never
 ---
diff --git a/test/performance/benchmarks/scale-from-zero/scale-from-zero-25.yaml b/test/performance/benchmarks/scale-from-zero/scale-from-zero-25.yaml
@@ -76,5 +76,17 @@ spec:
             requests:
               cpu: 1000m
               memory: 4Gi
+            limits:
+              cpu: 1000m
+              memory: 4Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
       restartPolicy: Never
 ---
diff --git a/test/performance/benchmarks/scale-from-zero/scale-from-zero-5.yaml b/test/performance/benchmarks/scale-from-zero/scale-from-zero-5.yaml
@@ -76,5 +76,17 @@ spec:
             requests:
               cpu: 1000m
               memory: 3Gi
+            limits:
+              cpu: 1000m
+              memory: 3Gi
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
       restartPolicy: Never
 ---