Devops and Developer Resources

Welcome to my resources page. These are things that I constantly find myself looking up and double checking. I figured if I always need to double check these, other people probably do too. I hope you find something here useful. If you have a suggestion or correction, please feel free to contact me!


Disclaimer Statement

All information here is for reference. You are in charge of hardening your own environment. All resources here are intended to act as a starting point or a reminder of things to think about.



Secured Kubernetes Deployment Manifest

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-name
  labels:
    app: example-app-label
spec:
  selector:
    matchLabels:
      app: example-app-label
  template:
    metadata:
      labels:
        app: example-app-label
    spec:
      # Don't mount a service account token: without it a compromised container
      # holds no credential for the Kubernetes API. Re-enable only for pods that
      # genuinely call the API, and bind that service account to a narrow Role.
      automountServiceAccountToken: false
      containers:
      - name: example-container-name
        # Pin the image to a version tag (better: a digest, image@sha256:...).
        # ":latest" is mutable, and combined with IfNotPresent a node keeps
        # running whatever it pulled first, so you never know what is deployed.
        image: example-image-name:1.2.3
        imagePullPolicy: IfNotPresent
        securityContext:
          # A process in the container cannot gain more privileges than its
          # parent (blocks setuid binaries and file capabilities)
          allowPrivilegeEscalation: false
          # Drop every Linux capability; add individual ones back (for example
          # NET_BIND_SERVICE) only if the application actually needs them
          capabilities:
            drop: ["ALL"]

Node Docker Image Running Under Non-default User

FROM node:22-bookworm-slim AS production
WORKDIR /my-app

ENV NODE_ENV=production
# Create an unprivileged user and group with a fixed uid/gid: Kubernetes can
# then enforce runAsNonRoot, and ownership stays stable across rebuilds.
# (The official node images also ship a ready-made "node" user, uid 1000.)
RUN addgroup --gid 2002 --system nodejs && \
    adduser --system --uid 2002 --gid 2002 nodejs

# Copy the built artefacts from the build context (or from an earlier stage
# with --from=<stage>). Source paths are relative to the context; adjust to
# wherever your build output lives. The files stay root-owned, so the runtime
# user can read but not rewrite the application code; use --chown=nodejs:nodejs
# only for directories the app must write to at runtime. Files keep the mode
# they have in the context, so they need to be world-readable (e.g. 644).
COPY my-app/node_modules ./node_modules
COPY my-app/dist ./dist
COPY my-app/package.json ./package.json

USER nodejs
# Exec form (JSON array): node runs as PID 1 and receives SIGTERM directly
# instead of via a shell that would not forward it. PID 1 ignores signals it
# has no handler for, so the app itself must install a SIGTERM handler.
# Update the entrypoint path to match your build output.
CMD ["node", "/my-app/index.js"]

Resilient Deployment Checklist

  • Application exposes a liveness (health) endpoint. May just be an HTTP request that returns 200 while the process is alive; wire it to livenessProbe. Don't make it depend on downstream services, or an outage there restarts every pod.
  • Application exposes a readiness endpoint. May just be an HTTP request that returns 200 only once the app can serve traffic, and 503 again while it is shutting down; wire it to readinessProbe.
  • Define a lifecycle.preStop hook in the deployment manifest. A short sleep gives endpoint removal time to propagate before the process receives SIGTERM.
  • Define terminationGracePeriodSeconds in the deployment manifest, long enough to cover the preStop hook plus the time the app needs to drain in-flight work.
  • Application handles SIGTERM: stop accepting new work, finish in-flight requests, then exit. SIGKILL cannot be caught or handled; it is sent when the grace period expires, so the drain must finish before then.