Adding securityContext configuration to flyte-core charts (flyteorg#4895)

* Adding securityContext configuration to flyte-core charts

Signed-off-by: Neil Stout <[email protected]>

* Removing S3 endpoint location

Signed-off-by: Neil Stout <[email protected]>

* Updates from make helm

Signed-off-by: Neil Stout <[email protected]>

---------

Signed-off-by: Neil Stout <[email protected]>
neilisaur authored and yubofredwang committed Mar 26, 2024
1 parent c7b1050 commit 8588a15
Showing 17 changed files with 158 additions and 129 deletions.
6 changes: 6 additions & 0 deletions charts/flyte-core/README.md
Expand Up @@ -137,6 +137,7 @@ helm install gateway bitnami/contour -n flyte
| datacatalog.priorityClassName | string | `""` | Sets priorityClassName for datacatalog pod(s). |
| datacatalog.replicaCount | int | `1` | Replicas count for Datacatalog deployment |
| datacatalog.resources | object | `{"limits":{"cpu":"500m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Datacatalog deployment |
| datacatalog.securityContext | object | `{"fsGroup":1001,"fsGroupChangePolicy":"OnRootMismatch","runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{"type":"spc_t"}}` | Sets securityContext for datacatalog pod(s). |
| datacatalog.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"NodePort"}` | Service settings for Datacatalog |
| datacatalog.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for Datacatalog |
| datacatalog.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to Datacatalog pods |
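Review bot: the generated description "Sets securityContext for datacatalog pod(s)" does not tell an operator what the default means, and the default is the security-relevant part: `seLinuxOptions.type: spc_t` is the SELinux super-privileged container type (effectively unconfined by SELinux), and `fsGroup: 1001` differs from the 65534 used by every other component in this table. Since these rows come from the `# --` comments in values.yaml, expand that comment to say why spc_t is needed and what an override does, and the README will pick it up on the next `make helm`.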
Expand Down Expand Up @@ -172,6 +173,7 @@ helm install gateway bitnami/contour -n flyte
| flyteadmin.replicaCount | int | `1` | Replicas count for Flyteadmin deployment |
| flyteadmin.resources | object | `{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Flyteadmin deployment |
| flyteadmin.secrets | object | `{}` | |
| flyteadmin.securityContext | object | `{"fsGroup":65534,"fsGroupChangePolicy":"Always","runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{"type":"spc_t"}}` | Sets securityContext for flyteadmin pod(s). |
| flyteadmin.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"}` | Service settings for Flyteadmin |
| flyteadmin.serviceAccount | object | `{"alwaysCreate":false,"annotations":{},"clusterRole":{"apiGroups":["","flyte.lyft.com","rbac.authorization.k8s.io"],"resources":["configmaps","flyteworkflows","namespaces","pods","resourcequotas","roles","rolebindings","secrets","services","serviceaccounts","spark-role","limitranges"],"verbs":["*"]},"create":true,"createClusterRole":true,"imagePullSecrets":[]}` | Configuration for service accounts for FlyteAdmin |
| flyteadmin.serviceAccount.alwaysCreate | bool | `false` | Should a service account always be created for flyteadmin even without an actual flyteadmin deployment running (e.g. for multi-cluster setups) |
Expand Down Expand Up @@ -207,6 +209,7 @@ helm install gateway bitnami/contour -n flyte
| flyteconsole.priorityClassName | string | `""` | Sets priorityClassName for flyte console pod(s). |
| flyteconsole.replicaCount | int | `1` | Replicas count for Flyteconsole deployment |
| flyteconsole.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"10m","memory":"50Mi"}}` | Default resources requests and limits for Flyteconsole deployment |
| flyteconsole.securityContext | object | `{"fsGroupChangePolicy":"OnRootMismatch","runAsNonRoot":true,"runAsUser":1000,"seLinuxOptions":{"type":"spc_t"}}` | Sets securityContext for flyteconsole pod(s). |
| flyteconsole.service | object | `{"annotations":{},"type":"ClusterIP"}` | Service settings for Flyteconsole |
| flyteconsole.tolerations | list | `[]` | tolerations for Flyteconsole deployment |
| flytepropeller.additionalContainers | list | `[]` | Appends additional containers to the deployment spec. May include template values. |
Expand All @@ -230,6 +233,7 @@ helm install gateway bitnami/contour -n flyte
| flytepropeller.priorityClassName | string | `""` | Sets priorityClassName for propeller pod(s). |
| flytepropeller.replicaCount | int | `1` | Replicas count for Flytepropeller deployment |
| flytepropeller.resources | object | `{"limits":{"cpu":"200m","ephemeral-storage":"100Mi","memory":"200Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"100Mi"}}` | Default resources requests and limits for Flytepropeller deployment |
| flytepropeller.securityContext | object | `{"fsGroup":65534,"fsGroupChangePolicy":"Always","runAsUser":1001}` | Sets securityContext for flytepropeller pod(s). |
| flytepropeller.service | object | `{"enabled":false}` | Settings for flytepropeller service |
| flytepropeller.service.enabled | bool | `false` | If enabled create the flytepropeller service |
| flytepropeller.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for FlytePropeller |
Expand Down Expand Up @@ -259,6 +263,7 @@ helm install gateway bitnami/contour -n flyte
| flytescheduler.resources | object | `{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Flytescheduler deployment |
| flytescheduler.runPrecheck | bool | `true` | Whether to inject an init container which waits on flyteadmin |
| flytescheduler.secrets | object | `{}` | |
| flytescheduler.securityContext | object | `{"fsGroup":65534,"fsGroupChangePolicy":"Always","runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{"type":"spc_t"}}` | Sets securityContext for flytescheduler pod(s). |
| flytescheduler.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for Flytescheduler |
| flytescheduler.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to Flytescheduler pods |
| flytescheduler.serviceAccount.create | bool | `true` | Should a service account be created for Flytescheduler |
Expand All @@ -283,6 +288,7 @@ helm install gateway bitnami/contour -n flyte
| storage.s3.secretKey | string | `""` | AWS IAM user secret access key to use for S3 bucket auth, only used if authType is set to accesskey |
| storage.type | string | `"sandbox"` | Sets the storage type. Supported values are sandbox, s3, gcs and custom. |
| webhook.enabled | bool | `true` | enable or disable secrets webhook |
| webhook.securityContext | object | `{"fsGroup":65534,"fsGroupChangePolicy":"Always","runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{"type":"spc_t"}}` | Sets securityContext for webhook pod(s). |
| webhook.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"ClusterIP"}` | Service settings for the webhook |
| webhook.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for the webhook |
| webhook.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to the webhook |
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/admin/deployment.yaml
Expand Up @@ -18,13 +18,9 @@ spec:
{{- end }}
labels: {{ include "flyteadmin.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- with .Values.flyteadmin.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flyteadmin.priorityClassName }}
priorityClassName: {{ .Values.flyteadmin.priorityClassName }}
{{- end }}
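Review bot: the `with` guard means an override of `flyteadmin.securityContext: {}` (or null) now renders no pod-level `securityContext` at all, so the pod runs as whatever USER the image declares, whereas before this hunk `runAsNonRoot: true` and `runAsUser: 1001` were hard-coded. That is a usable escape hatch, but it is a silent relaxation; either document it in the values comment or keep `runAsNonRoot: true` outside the `with` block so an empty override cannot drop it. Also, `tpl (toYaml .) $` passes the value through the template engine, so `{{ ... }}` inside the securityContext is evaluated; the README row should say it "may include template values" the way the `additionalContainers` row does.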
9 changes: 3 additions & 6 deletions charts/flyte-core/templates/console/deployment.yaml
Expand Up @@ -22,12 +22,9 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
{{- with .Values.flyteconsole.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flyteconsole.priorityClassName }}
priorityClassName: {{ .Values.flyteconsole.priorityClassName }}
{{- end }}
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/datacatalog/deployment.yaml
Expand Up @@ -18,13 +18,9 @@ spec:
{{- end }}
labels: {{ include "datacatalog.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 1001
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
{{- with .Values.datacatalog.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.datacatalog.priorityClassName }}
priorityClassName: {{ .Values.datacatalog.priorityClassName }}
{{- end }}
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/flytescheduler/deployment.yaml
Expand Up @@ -19,13 +19,9 @@ spec:
{{- end }}
labels: {{ include "flytescheduler.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- with .Values.flytescheduler.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flytescheduler.priorityClassName }}
priorityClassName: {{ .Values.flytescheduler.priorityClassName }}
{{- end }}
7 changes: 3 additions & 4 deletions charts/flyte-core/templates/propeller/deployment.yaml
Expand Up @@ -31,10 +31,9 @@ spec:
labels: {{ include "flytepropeller.podLabels" . | nindent 8 }}
{{- end }}
spec:
securityContext:
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
{{- with .Values.flytepropeller.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flytepropeller.priorityClassName }}
priorityClassName: {{ .Values.flytepropeller.priorityClassName }}
{{- end }}
7 changes: 3 additions & 4 deletions charts/flyte-core/templates/propeller/manager.yaml
Expand Up @@ -15,10 +15,9 @@ template:
labels: {{ include "flytepropeller.labels" . | nindent 6 }}
app: {{ index .Values.configmap.core.manager "pod-application" }}
spec:
securityContext:
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
{{- with .Values.flytepropeller.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flytepropeller.priorityClassName }}
priorityClassName: {{ .Values.flytepropeller.priorityClassName }}
{{- end }}
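Review bot: manager.yaml reads the same `.Values.flytepropeller.securityContext` as propeller/deployment.yaml, so an operator cannot give the manager pod a different context from the propeller pods. That matches the previous hard-coded blocks, which were identical in both files, but the values comment "Sets securityContext for flytepropeller pod(s)" should state that it applies to the manager pod as well.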
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/propeller/webhook.yaml
Expand Up @@ -35,13 +35,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
securityContext:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- with .Values.webhook.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "flyte-pod-webhook.name" . }}
{{- if .Values.webhook.enabled }}
initContainers:
44 changes: 44 additions & 0 deletions charts/flyte-core/values.yaml
Expand Up @@ -111,6 +111,14 @@ flyteadmin:
extraArgs: {}
# -- Sets priorityClassName for flyteadmin pod(s).
priorityClassName: ""
# -- Sets securityContext for flyteadmin pod(s).
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t

# -- Settings for flyteadmin service monitor
serviceMonitor:
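Review bot: `seLinuxOptions.type: spc_t` needs a comment now that it is a documented default rather than an internal hard-code. spc_t is the SELinux super-privileged container type, which leaves the process effectively unconfined by SELinux, and it is not on the Pod Security Standards baseline allow-list for `seLinuxOptions.type` (unset, container_t, container_init_t, container_kvm_t), so a namespace enforcing Pod Security Admission at baseline or restricted will reject these pods unless the value is overridden. Say why the chart needs it, or drop it from the default and let operators opt in.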
Expand Down Expand Up @@ -179,6 +187,14 @@ flytescheduler:
additionalContainers: []
# -- Sets priorityClassName for flyte scheduler pod(s).
priorityClassName: ""
# -- Sets securityContext for flytescheduler pod(s).
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t

#
# DATACATALOG SETTINGS
Expand Down Expand Up @@ -242,6 +258,14 @@ datacatalog:
extraArgs: {}
# -- Sets priorityClassName for datacatalog pod(s).
priorityClassName: ""
# -- Sets securityContext for datacatalog pod(s).
securityContext:
runAsNonRoot: true
fsGroup: 1001
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t

#
# FLYTE_AGENT SETTINGS
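Review bot: datacatalog is the only component defaulting to `fsGroup: 1001` (the others use 65534, i.e. nobody) and to `fsGroupChangePolicy: OnRootMismatch` rather than `Always`. If that is deliberate, say so in the `# --` comment; if it was carried over from the old template, align it with the other components, because it changes which group takes ownership of every volume mounted into the datacatalog pod.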
Expand Down Expand Up @@ -320,6 +344,11 @@ flytepropeller:
clusterName: ""
# -- Sets priorityClassName for propeller pod(s).
priorityClassName: ""
# -- Sets securityContext for flytepropeller pod(s).
securityContext:
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"

# -- Settings for flytepropeller service
service:
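Review bot: `flytepropeller.securityContext` is the only default without `runAsNonRoot: true`. With `runAsUser: 1001` the kubelet already starts the containers as uid 1001, but `runAsNonRoot: true` is what makes it refuse to start a container whose effective user resolves to root if `runAsUser` is later removed by an override or set to 0 at container level, so it is a cheap, consistent addition. Leaving out `seLinuxOptions` here is fine and arguably preferable to the spc_t default used by the other components.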
Expand Down Expand Up @@ -382,6 +411,13 @@ flyteconsole:
priorityClassName: ""
# -- ImagePullSecrets to assign to the Flyteconsole deployment
imagePullSecrets: []
# -- Sets securityContext for flyteconsole pod(s).
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t

# It will enable the redoc route in ingress
deployRedoc: false
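Review bot: `fsGroupChangePolicy: OnRootMismatch` has no effect here because `flyteconsole.securityContext` sets no `fsGroup`; the policy only governs how the kubelet applies an fsGroup to volumes. Either drop the line or add the `fsGroup` the console actually needs, so the default does not suggest ownership handling that is not happening.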
Expand Down Expand Up @@ -419,6 +455,14 @@ webhook:
annotations:
projectcontour.io/upstream-protocol.h2c: grpc
type: ClusterIP
# -- Sets securityContext for webhook pod(s).
securityContext:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t

# ------------------------------------------------
#
24 changes: 12 additions & 12 deletions deployment/eks/flyte_aws_scheduler_helm_generated.yaml
Expand Up @@ -856,11 +856,11 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
securityContext:
fsGroup: 65534
fsGroupChangePolicy: Always
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
initContainers:
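Review bot: the only change in this generated hunk is key ordering and quoting (`toYaml` emits keys alphabetically and writes `Always` unquoted); the field set and values match the flyteadmin default in values.yaml, so there is no behavioural change. The same holds for the remaining hunks in this file and in flyte_helm_controlplane_generated.yaml, so review those by comparing field sets rather than line order.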
Expand Down Expand Up @@ -1107,10 +1107,10 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
securityContext:
fsGroupChangePolicy: OnRootMismatch
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
containers:
Expand Down Expand Up @@ -1174,11 +1174,11 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
securityContext:
fsGroup: 1001
fsGroupChangePolicy: OnRootMismatch
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
initContainers:
Expand Down Expand Up @@ -1276,10 +1276,10 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
securityContext:
fsGroup: 65534
fsGroupChangePolicy: Always
runAsUser: 1001
fsGroupChangePolicy: "Always"
priorityClassName: system-cluster-critical
containers:
- command:
Expand Down Expand Up @@ -1353,11 +1353,11 @@ spec:
annotations:
configChecksum: "305d6f36301e10e952435f597dbe6700381a43c496a3be2cca60c175439fc9a"
spec:
securityContext:
securityContext:
fsGroup: 65534
fsGroupChangePolicy: Always
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
serviceAccountName: flyte-pod-webhook
22 changes: 11 additions & 11 deletions deployment/eks/flyte_helm_controlplane_generated.yaml
Expand Up @@ -562,11 +562,11 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
securityContext:
fsGroup: 65534
fsGroupChangePolicy: Always
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
initContainers:
Expand Down Expand Up @@ -813,10 +813,10 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
securityContext:
fsGroupChangePolicy: OnRootMismatch
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
containers:
Expand Down Expand Up @@ -880,11 +880,11 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
securityContext:
fsGroup: 1001
fsGroupChangePolicy: OnRootMismatch
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
initContainers:
Expand Down Expand Up @@ -982,11 +982,11 @@ spec:
helm.sh/chart: flyte-core-v0.1.10
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
securityContext:
fsGroup: 65534
fsGroupChangePolicy: Always
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
initContainers:

0 comments on commit 8588a15
