8 changes: 2 additions & 6 deletions Dockerfile
@@ -1,10 +1,6 @@
# Use the official OpenJDK 17 image as the base image
FROM openjdk:17-jdk-alpine

# Set metadata
LABEL maintainer="trainwithshubham@gmail.com"
LABEL version="1.0"
LABEL description="A Java Quotes application"
# Dockerfile: Line 2 (Change this line)
⚠️ Potential issue | 🔴 Critical

Remove the debug/TODO comment before merging.

Line 2 contains "# Dockerfile: Line 2 (Change this line)", which appears to be a placeholder or debug artifact that should not be in production code.

Apply this diff to remove the debug comment:

-# Dockerfile: Line 2 (Change this line)
-FROM eclipse-temurin:21-jdk-alpine
+FROM eclipse-temurin:21-jdk-alpine
🤖 Prompt for AI Agents
In Dockerfile around line 2, remove the placeholder debug comment "# Dockerfile:
Line 2 (Change this line)" so the file contains only intended Dockerfile
instructions; update the line by deleting that comment and ensure no leftover
TODO/debug comments remain before merging.

FROM eclipse-temurin:21-jdk-alpine

# Set the working directory inside the container
WORKDIR /app
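Review bot: The first line of the hunk still reads `# Use the official OpenJDK 17 image as the base image` while the FROM line now pulls `eclipse-temurin:21-jdk-alpine`; update the comment to match the new base, and consider pinning the image by digest (`FROM eclipse-temurin:21-jdk-alpine@sha256:<digest>`, placeholder digest) so rebuilds are reproducible and not silently changed when the tag moves. Dropping the three LABEL lines also removes the maintainer, version and description metadata; restore them if that was not intended.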
46 changes: 46 additions & 0 deletions deployment.yml
@@ -0,0 +1,46 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: quotes-app
namespace: quoteapp
labels:
app: quotes

spec:
replicas: 2
selector:
matchLabels:
app: quotes
tier: backend
template:
metadata:
labels:
app: quotes
tier: backend
spec:
containers:

- name: quotes-app
image: quotesapp:latest
ports:
- containerPort: 8000


livenessProbe:
httpGet:
path: /healthz
port: 8000
initialDelaySeconds: 20
periodSeconds: 5
timeoutSeconds: 5
failureThreshold: 3


readinessProbe:
httpGet:
path: /ready
port: 8000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 1
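Review bot: `image: quotesapp:latest` has no imagePullPolicy; with a `:latest` tag Kubernetes defaults the policy to Always, so every pod start tries to pull from a registry, whereas pod.yml relies on `imagePullPolicy: Never` for a locally loaded image. Pin the image to an immutable tag or digest (placeholder: `quotesapp:1.0.0@sha256:<digest>`) and set the pull policy explicitly so the Deployment and the Pod manifest do not behave differently. Also confirm the application really serves `/healthz` and `/ready` on port 8000: with `periodSeconds: 5` and `failureThreshold: 3`, a missing `/healthz` handler restarts the container about 15 seconds after the 20-second initial delay, in a loop.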
Comment on lines +20 to +46
⚠️ Potential issue | 🟠 Major

Add security context to restrict privileges.

The deployment lacks a securityContext to enforce non-root execution and prevent privilege escalation. This is a security and compliance gap flagged by static analysis.

Apply this diff to add a restrictive security context:

     spec:
       containers:
       - name: quotes-app 
         image: quotesapp:latest
         ports:
         - containerPort: 8000
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
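Review bot: The suggested securityContext stops short of what the comment's own AI prompt below asks for: it sets runAsNonRoot, runAsUser and allowPrivilegeEscalation but omits `capabilities: { drop: ["ALL"] }`, `readOnlyRootFilesystem: true` and a `seccompProfile: { type: RuntimeDefault }`, which are the remaining fields the restricted Pod Security Standard expects. Adding them here (and in the matching pod.yml suggestion) would satisfy CKV_K8S_20 and CKV_K8S_23 and the restricted profile in one pass; if the Java app needs a writable /tmp, pair readOnlyRootFilesystem with an emptyDir volume mounted there.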

Note: Ensure your Java application can run as user 1000. If needed, adjust the UID accordingly.

🧰 Tools
🪛 Checkov (3.2.334)

[medium] 1-46: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 1-46: Minimize the admission of root containers

(CKV_K8S_23)

🤖 Prompt for AI Agents
In deployment.yml around lines 20 to 46, the container spec lacks a
securityContext to enforce non-root execution and prevent privilege escalation;
add a restrictive securityContext for the quotes-app container that sets
runAsUser to 1000 (or an appropriate UID for the Java app), sets runAsNonRoot:
true, disables privilege escalation (allowPrivilegeEscalation: false), drops all
capabilities (capabilities.drop: ["ALL"]), and sets a readonly root filesystem
where possible; keep settings conservative and confirm the Java process runs
correctly as the chosen UID, adjusting UID if needed.

⚠️ Potential issue | 🟠 Major

Add resource requests and limits to prevent resource starvation.

Unlike the pod.yml manifest which defines memory and CPU requests/limits, this deployment lacks resource controls. Without these, pods can consume excessive cluster resources and starve other workloads.

Apply this diff to add resource constraints:

     spec:
       containers:
       - name: quotes-app 
         image: quotesapp:latest
         ports:
         - containerPort: 8000
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
         securityContext:
           runAsNonRoot: true
           runAsUser: 1000
           allowPrivilegeEscalation: false

(Values suggested to match pod.yml; adjust based on actual application requirements.)

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 Checkov (3.2.334)

[medium] 1-46: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 1-46: Minimize the admission of root containers

(CKV_K8S_23)

🤖 Prompt for AI Agents
In deployment.yml around lines 20 to 46, the container spec for "quotes-app"
lacks resource requests and limits; add a resources block under the container
(properly indented) with requests and limits for cpu and memory matching the
values used in pod.yml (or appropriate app-specific values) to prevent resource
starvation; ensure both requests and limits are set and formatted like in
pod.yml so Kubernetes can schedule and throttle the pod correctly.

4 changes: 4 additions & 0 deletions namespaces.yml
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: quoteapp
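Review bot: Since deployment.yml and pod.yml are both flagged for root execution and privilege escalation (CKV_K8S_20, CKV_K8S_23), consider enforcing that at the namespace level here with Pod Security Admission labels under `metadata.labels`, e.g. `pod-security.kubernetes.io/enforce: restricted` (with `warn` and `audit` set the same), so any manifest without a compliant securityContext is rejected at admission rather than relying on per-file review. Note the namespace is named `quoteapp` while every label in the other files uses `quotes`; aligning the names avoids confusion in selectors and kubectl output.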
23 changes: 23 additions & 0 deletions pod.yml
@@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: quote-pod
namespace: quoteapp
labels:
app: quotes
tier: backend
spec:
containers:
- name: quotes-app
image: quotesapp:latest
imagePullPolicy: Never
⚠️ Potential issue | 🟠 Major

Reconsider imagePullPolicy: Never for production use.

This policy requires the image to be pre-loaded on each node, which is fragile and error-prone in production environments. Pods will fail silently if the image isn't already present.

Consider changing to IfNotPresent (default) or Always depending on your deployment strategy.

Apply this diff to use a production-friendly policy:

-    imagePullPolicy: Never
+    imagePullPolicy: IfNotPresent
🤖 Prompt for AI Agents
In pod.yml around line 13, imagePullPolicy is set to Never which requires
container images to be preloaded on every node and can cause silent pod failures
in production; change the policy to a production-friendly value such as
IfNotPresent (to use local image if available, otherwise pull) or Always (to
always pull the latest image) depending on your deployment workflow, update the
manifest to use the chosen policy, and ensure your CI/CD or node image cache
strategy matches that choice.

ports:
- containerPort: 8000
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
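Review bot: This is a bare Pod with no controller, so it is not rescheduled if its node is lost, and unlike deployment.yml it defines no liveness or readiness probes while carrying the same `app: quotes` / `tier: backend` labels and the same `quotesapp:latest` image. If it exists only for local testing, which `imagePullPolicy: Never` suggests, keep it out of the set applied to shared clusters; otherwise fold its resources block into the Deployment (as the review above on deployment.yml proposes) and drop this file rather than running two copies of the workload side by side.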
Comment on lines +1 to +22
⚠️ Potential issue | 🟠 Major

Add security context to restrict privileges.

The pod lacks a securityContext to enforce non-root execution and prevent privilege escalation. This is a security and compliance gap.

Apply this diff to add a restrictive security context:

 spec:
   containers:
   - name: quotes-app
     image: quotesapp:latest
     imagePullPolicy: Never
     ports:
     - containerPort: 8000
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
+      allowPrivilegeEscalation: false
     resources:

Note: Ensure that the Java application in the Dockerfile runs correctly as user 1000 (non-root). You may need to adjust the user ID if your application requires a specific UID.

🧰 Tools
🪛 Checkov (3.2.334)

[medium] 1-22: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 1-22: Minimize the admission of root containers

(CKV_K8S_23)

🤖 Prompt for AI Agents
In pod.yml around lines 1-22, the Pod lacks a securityContext to enforce
non-root execution and prevent privilege escalation; add a restrictive Pod-level
securityContext (e.g., runAsUser: 1000, runAsGroup: 1000, fsGroup: 1000,
runAsNonRoot: true) and a container-level securityContext (e.g.,
allowPrivilegeEscalation: false, privileged: false, readOnlyRootFilesystem:
true, seccompProfile if desired) to ensure the container runs as a non-root UID
and cannot escalate privileges; verify and adjust the UID (1000) to match the
Java app’s user in the Docker image if necessary.


18 changes: 18 additions & 0 deletions service.yml
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: quotes-service
namespace: quoteapp
labels:
app: quotes
tier: backend
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 8000
protocol: TCP
name: http
selector:
app: quotes
tier: backend
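Review bot: The selector `app: quotes` plus `tier: backend` matches both the Deployment's template labels in deployment.yml and the standalone quote-pod in pod.yml, so this Service will spread traffic across the bare Pod as well, and that Pod has no readiness probe to remove it from the endpoints when it is not serving. Either remove pod.yml or give it a label that this selector does not match; the `port: 80` to `targetPort: 8000` mapping and `type: ClusterIP` are otherwise fine for an internal backend.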