From 40e404cf8a045864732d0f4a1b7181e6d6d0ec50 Mon Sep 17 00:00:00 2001
From: marrrcin
Date: Tue, 14 Jan 2025 16:26:43 +0100
Subject: [PATCH] Add securityContext for individual containers in flyte-binary Deployment
Signed-off-by: marrrcin
---
 charts/flyte-binary/README.md | 3 +++
 charts/flyte-binary/templates/deployment.yaml | 9 +++++++++
 charts/flyte-binary/values.yaml | 6 ++++++
 docker/sandbox-bundled/manifests/complete-agent.yaml | 4 ++--
 docker/sandbox-bundled/manifests/complete.yaml | 4 ++--
 docker/sandbox-bundled/manifests/dev.yaml | 4 ++--
 6 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/charts/flyte-binary/README.md b/charts/flyte-binary/README.md
index 932933993e..42f6a151ba 100644
--- a/charts/flyte-binary/README.md
+++ b/charts/flyte-binary/README.md
@@ -91,6 +91,7 @@ Chart for basic single Flyte executable deployment
 | deployment.extraVolumes | list | `[]` | |
 | deployment.genAdminAuthSecret.args | list | `[]` | |
 | deployment.genAdminAuthSecret.command | list | `[]` | |
+| deployment.genAdminAuthSecret.securityContext | object | `{}` | |
 | deployment.image.pullPolicy | string | `"IfNotPresent"` | |
 | deployment.image.repository | string | `"cr.flyte.org/flyteorg/flyte-binary"` | |
 | deployment.image.tag | string | `"latest"` | |
@@ -105,6 +106,7 @@ Chart for basic single Flyte executable deployment
 | deployment.podSecurityContext.runAsGroup | int | `65534` | |
 | deployment.podSecurityContext.runAsUser | int | `65534` | |
 | deployment.readinessProbe | object | `{}` | |
+| deployment.securityContext | object | `{}` | |
 | deployment.sidecars | list | `[]` | |
 | deployment.startupProbe | object | `{}` | |
 | deployment.waitForDB.args | list | `[]` | |
@@ -112,6 +114,7 @@ Chart for basic single Flyte executable deployment
 | deployment.waitForDB.image.pullPolicy | string | `"IfNotPresent"` | |
 | deployment.waitForDB.image.repository | string | `"postgres"` | |
 | deployment.waitForDB.image.tag | string | `"15-alpine"` | |
+| deployment.waitForDB.securityContext | object | `{}` | |
 | enabled_plugins.tasks | object | `{"task-plugins":{"default-for-task-types":{"container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service","echo"]}}` | Tasks specific configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/task/config#GetConfig) |
 | enabled_plugins.tasks.task-plugins | object | `{"default-for-task-types":{"container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service","echo"]}` | Plugins configuration, [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/task/config#TaskPluginConfig) |
 | enabled_plugins.tasks.task-plugins.enabled-plugins | list | `["container","sidecar","k8s-array","agent-service","echo"]` | [Enabled Plugins](https://pkg.go.dev/github.com/lyft/flyteplugins/go/tasks/config#Config). Enable sagemaker*, athena if you install the backend plugins |
diff --git a/charts/flyte-binary/templates/deployment.yaml b/charts/flyte-binary/templates/deployment.yaml
index d1be13d166..5b408ab1d9 100644
--- a/charts/flyte-binary/templates/deployment.yaml
+++ b/charts/flyte-binary/templates/deployment.yaml
@@ -94,6 +94,9 @@ spec:
 {{- if .Values.deployment.resources }}
 resources: {{- toYaml .Values.deployment.resources | nindent 12 }}
 {{- end }}
+ {{- if .Values.deployment.waitForDB.securityContext }}
+ securityContext: {{- toYaml .Values.deployment.waitForDB.securityContext | nindent 12 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.configuration.auth.enabled }}
 - name: gen-admin-auth-secret
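Review bot: A container-level `securityContext` takes precedence over the pod-level fields it repeats, so a user who puts `runAsUser: 0` into `deployment.waitForDB.securityContext` (this init container runs the `postgres` image, per the README rows in this file) silently discards the `runAsUser`/`runAsGroup: 65534` that `podSecurityContext` applies by default, and nothing in the template flags that. Consider a one-line comment above the new block, `{{/* NOTE: container-level fields here override podSecurityContext (runAsUser, runAsGroup, runAsNonRoot, ...) */}}`, and, in the values defaults outside this hunk, adding `runAsNonRoot: true` to `podSecurityContext`, which the kubelet keeps enforcing unless the container explicitly sets `runAsNonRoot` itself. The init-container definition this hunk patches begins before the hunk.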
@@ -131,6 +134,9 @@ spec:
 {{- if .Values.deployment.resources }}
 resources: {{- toYaml .Values.deployment.resources | nindent 12 }}
 {{- end }}
+ {{- if .Values.deployment.genAdminAuthSecret.securityContext }}
+ securityContext: {{- toYaml .Values.deployment.genAdminAuthSecret.securityContext | nindent 12 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.deployment.initContainers }}
 {{- tpl ( .Values.deployment.initContainers | toYaml ) . | nindent 8 }}
@@ -224,6 +230,9 @@ spec:
 {{- if .Values.deployment.extraVolumeMounts }}
 {{- tpl ( .Values.deployment.extraVolumeMounts | toYaml ) . | nindent 12 }}
 {{- end }}
+ {{- if .Values.deployment.securityContext }}
+ securityContext: {{- toYaml .Values.deployment.securityContext | nindent 12 }}
+ {{- end }}
 {{- if .Values.deployment.sidecars }}
 {{- tpl ( .Values.deployment.sidecars | toYaml ) . | nindent 8 }}
 {{- end }}
diff --git a/charts/flyte-binary/values.yaml b/charts/flyte-binary/values.yaml
index 304afd7d4d..9ad5d2d2d8 100644
--- a/charts/flyte-binary/values.yaml
+++ b/charts/flyte-binary/values.yaml
@@ -275,12 +275,16 @@ deployment:
 command: []
 # args Override default init container args
 args: []
+ # securityContext Specify security context for wait-for-db init container
+ securityContext: {}
 # genAdminAuthSecret Configure init container to generate secrets for internal use
 genAdminAuthSecret:
 # command Override default init container command
 command: []
 # args Override default init container args
 args: []
+ # securityContext Specify security context for gen-admin-auth-secret init container
+ securityContext: {}
 # labels Add labels to Flyte deployment
 labels: {}
 # annotations Add annotations to Flyte deployment
@@ -300,6 +304,8 @@ deployment:
 # extraPodSpec Specify additional configuration for Flyte pod
 # This can be used for adding affinity, tolerations, hostNetwork, etc.
 extraPodSpec: {}
+ # securityContext Specify security context for Flyte container
+ securityContext: {}
 # service Configure service for Flyte
 service:
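Review bot: `securityContext: {}` as the default for the Flyte container leaves `allowPrivilegeEscalation`, Linux capabilities and the seccomp profile at the container runtime's defaults, so even though the pod already runs as UID/GID 65534 the rendered Deployment would not satisfy the Pod Security Standards "restricted" profile out of the box, and the `{{- if }}` guard in the template means an empty map renders nothing at all. A hardened default in the shape below would be rendered by that same guard and is cheap to override per field; the same block fits the two init-container `securityContext: {}` values added in the preceding hunk. `readOnlyRootFilesystem: true` is left out on purpose because the diff does not show whether flyte-binary writes to its image filesystem — confirm before adding it.
```yaml
  # securityContext Specify security context for Flyte container
  # Defaults follow the Pod Security Standards "restricted" profile;
  # override individual fields if the workload needs more.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
```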
diff --git a/docker/sandbox-bundled/manifests/complete-agent.yaml b/docker/sandbox-bundled/manifests/complete-agent.yaml
index e85294e86b..0785282576 100644
--- a/docker/sandbox-bundled/manifests/complete-agent.yaml
+++ b/docker/sandbox-bundled/manifests/complete-agent.yaml
@@ -823,7 +823,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
- haSharedSecret: VFRKYXBKM2xsTERQb1ZDaQ==
+ haSharedSecret: UnZJZHEzUExzbkJsOW1wYw==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
@@ -1420,7 +1420,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
- checksum/secret: 4c7bc4fbd20227034bda9ead9cd941c94879028d6920b98113f9a08ef3c6f9d9
+ checksum/secret: ce172103045f4215e361b4c109776a78fe06660a4ade01c7351ea07212e7cfb9
 labels:
 app: docker-registry
 release: flyte-sandbox
diff --git a/docker/sandbox-bundled/manifests/complete.yaml b/docker/sandbox-bundled/manifests/complete.yaml
index 93daed5dff..420b69536a 100644
--- a/docker/sandbox-bundled/manifests/complete.yaml
+++ b/docker/sandbox-bundled/manifests/complete.yaml
@@ -805,7 +805,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
- haSharedSecret: Zm4xWHVaRlNsb2EyVFFIVg==
+ haSharedSecret: dDFiem04NjFzb29ZWHFtNA==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
@@ -1369,7 +1369,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
- checksum/secret: fdbda8db15a09ca5943cc534a824402836c98722de81d1631c45099a8e04b043
+ checksum/secret: 529d34a9c4d3c82b9eec5028fcc30f26e923fa77a57eb29c4705d28c85355963
 labels:
 app: docker-registry
 release: flyte-sandbox
diff --git a/docker/sandbox-bundled/manifests/dev.yaml b/docker/sandbox-bundled/manifests/dev.yaml
index 08efa97dde..1969c1b3a3 100644
--- a/docker/sandbox-bundled/manifests/dev.yaml
+++ b/docker/sandbox-bundled/manifests/dev.yaml
@@ -499,7 +499,7 @@ metadata:
 ---
 apiVersion: v1
 data:
- haSharedSecret: RjY3OEtOeFVDMjFabkI0SA==
+ haSharedSecret: Y1V1RU03eGVhUDFFc1pSdQ==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
@@ -934,7 +934,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
- checksum/secret: 6ab17d37fe9743709a5aa2a140c06a7a25fe33cfe4d6c0cbcb2ddf0a2dcf1675
+ checksum/secret: 66507f448be8010226a1ad2c741fb2866ef4372b68e61287c7500b47fae05572
 labels:
 app: docker-registry
 release: flyte-sandbox