

Adding securityContext configuration to flyte-core charts
Signed-off-by: Neil Stout <[email protected]>
neilisaur committed Feb 13, 2024
1 parent fe1204c commit a46267f
Showing 10 changed files with 75 additions and 42 deletions.
7 changes: 7 additions & 0 deletions charts/flyte-core/README.md
Expand Up @@ -137,6 +137,7 @@ helm install gateway bitnami/contour -n flyte
| datacatalog.priorityClassName | string | `""` | Sets priorityClassName for datacatalog pod(s). |
| datacatalog.replicaCount | int | `1` | Replicas count for Datacatalog deployment |
| datacatalog.resources | object | `{"limits":{"cpu":"500m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Datacatalog deployment |
| datacatalog.securityContext | object | `{"runAsNonRoot":true,"fsGroup":1001,"runAsUser":1001,"fsGroupChangePolicy":"OnRootMismatch","seLinuxOptions":{"type":"spc_t"}}` | Security context definition for Datacatalog pods |
| datacatalog.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"NodePort"}` | Service settings for Datacatalog |
| datacatalog.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for Datacatalog |
| datacatalog.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to Datacatalog pods |
Expand Down Expand Up @@ -172,6 +173,7 @@ helm install gateway bitnami/contour -n flyte
| flyteadmin.replicaCount | int | `1` | Replicas count for Flyteadmin deployment |
| flyteadmin.resources | object | `{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Flyteadmin deployment |
| flyteadmin.secrets | object | `{}` | |
| flyteadmin.securityContext | object | `{"runAsNonRoot":true,"fsGroup":65534,"runAsUser":1001,"fsGroupChangePolicy":"Always","seLinuxOptions":{"type":"spc_t"}}` | Security context definition for Flyteadmin pods |
| flyteadmin.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"}` | Service settings for Flyteadmin |
| flyteadmin.serviceAccount | object | `{"alwaysCreate":false,"annotations":{},"clusterRole":{"apiGroups":["","flyte.lyft.com","rbac.authorization.k8s.io"],"resources":["configmaps","flyteworkflows","namespaces","pods","resourcequotas","roles","rolebindings","secrets","services","serviceaccounts","spark-role","limitranges"],"verbs":["*"]},"create":true,"createClusterRole":true,"imagePullSecrets":[]}` | Configuration for service accounts for FlyteAdmin |
| flyteadmin.serviceAccount.alwaysCreate | bool | `false` | Should a service account always be created for flyteadmin even without an actual flyteadmin deployment running (e.g. for multi-cluster setups) |
Expand Down Expand Up @@ -207,6 +209,7 @@ helm install gateway bitnami/contour -n flyte
| flyteconsole.priorityClassName | string | `""` | Sets priorityClassName for flyte console pod(s). |
| flyteconsole.replicaCount | int | `1` | Replicas count for Flyteconsole deployment |
| flyteconsole.resources | object | `{"limits":{"cpu":"500m","memory":"250Mi"},"requests":{"cpu":"10m","memory":"50Mi"}}` | Default resources requests and limits for Flyteconsole deployment |
| flyteconsole.securityContext | object | `{"runAsNonRoot":true,"runAsUser":1000,"fsGroupChangePolicy":"OnRootMismatch","seLinuxOptions":{"type":"spc_t"}}` | Security context definition for Flyteconsole pods |
| flyteconsole.service | object | `{"annotations":{},"type":"ClusterIP"}` | Service settings for Flyteconsole |
| flyteconsole.tolerations | list | `[]` | tolerations for Flyteconsole deployment |
| flytepropeller.additionalContainers | list | `[]` | Appends additional containers to the deployment spec. May include template values. |
Expand All @@ -230,6 +233,7 @@ helm install gateway bitnami/contour -n flyte
| flytepropeller.priorityClassName | string | `""` | Sets priorityClassName for propeller pod(s). |
| flytepropeller.replicaCount | int | `1` | Replicas count for Flytepropeller deployment |
| flytepropeller.resources | object | `{"limits":{"cpu":"200m","ephemeral-storage":"100Mi","memory":"200Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"100Mi"}}` | Default resources requests and limits for Flytepropeller deployment |
| flytepropeller.securityContext | object | `{"fsGroup":65534,"runAsUser":1001,"fsGroupChangePolicy":"Always"}` | Security context definition for Flytepropeller pods |
| flytepropeller.service | object | `{"enabled":false}` | Settings for flytepropeller service |
| flytepropeller.service.enabled | bool | `false` | If enabled create the flytepropeller service |
| flytepropeller.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for FlytePropeller |
Expand Down Expand Up @@ -259,6 +263,7 @@ helm install gateway bitnami/contour -n flyte
| flytescheduler.resources | object | `{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}}` | Default resources requests and limits for Flytescheduler deployment |
| flytescheduler.runPrecheck | bool | `true` | Whether to inject an init container which waits on flyteadmin |
| flytescheduler.secrets | object | `{}` | |
| flytescheduler.securityContext | object | `{"runAsNonRoot":true,"fsGroup":65534,"runAsUser":1001,"fsGroupChangePolicy":"Always","seLinuxOptions":{"type":"spc_t"}}` | Security context definition for Flytescheduler pods |
| flytescheduler.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for Flytescheduler |
| flytescheduler.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to Flytescheduler pods |
| flytescheduler.serviceAccount.create | bool | `true` | Should a service account be created for Flytescheduler |
Expand All @@ -280,9 +285,11 @@ helm install gateway bitnami/contour -n flyte
| storage.s3 | object | `{"accessKey":"","authType":"iam","region":"us-east-1","secretKey":""}` | settings for storage type s3 |
| storage.s3.accessKey | string | `""` | AWS IAM user access key ID to use for S3 bucket auth, only used if authType is set to accesskey |
| storage.s3.authType | string | `"iam"` | type of authentication to use for S3 buckets, can either be iam or accesskey |
| storage.s3.endpoint | string | `nil` | endpoint to use for S3 buckets, if not AWS public |
| storage.s3.secretKey | string | `""` | AWS IAM user secret access key to use for S3 bucket auth, only used if authType is set to accesskey |
| storage.type | string | `"sandbox"` | Sets the storage type. Supported values are sandbox, s3, gcs and custom. |
| webhook.enabled | bool | `true` | enable or disable secrets webhook |
| webhook.securityContext | object | `{"runAsNonRoot":true,"fsGroup":65534,"runAsUser":1001,"fsGroupChangePolicy":"Always","seLinuxOptions":{"type":"spc_t"}}` | Security context definition for Flytescheduler pods |
| webhook.service | object | `{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"ClusterIP"}` | Service settings for the webhook |
| webhook.serviceAccount | object | `{"annotations":{},"create":true,"imagePullSecrets":[]}` | Configuration for service accounts for the webhook |
| webhook.serviceAccount.annotations | object | `{}` | Annotations for ServiceAccount attached to the webhook |
3 changes: 3 additions & 0 deletions charts/flyte-core/templates/_helpers.tpl
Expand Up @@ -220,6 +220,9 @@ storage:
connection:
auth-type: {{ .Values.storage.s3.authType }}
region: {{ .Values.storage.s3.region }}
{{- if .Values.storage.s3.endpoint }}
endpoint: {{ .Values.storage.s3.endpoint }}
{{- end }}
{{- if eq .Values.storage.s3.authType "accesskey" }}
access-key: {{ .Values.storage.s3.accessKey }}
secret-key: {{ .Values.storage.s3.secretKey }}
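Review bot: The added `endpoint: {{ .Values.storage.s3.endpoint }}` line renders the user-supplied value unquoted into the storage config, so a value containing YAML-significant characters (a ` #`, a `: `, or a leading `*` or `&`) would either break the rendered config or silently change its type; `endpoint: {{ .Values.storage.s3.endpoint | quote }}` keeps it a string. The neighbouring `region` and `auth-type` lines are unquoted too, so this may be deliberate for consistency, but an endpoint URL is the likeliest of these values to carry unusual characters. The values.yaml hunks in this commit do not add a `storage.s3.endpoint` key (the README row lists it as `nil`), so the surrounding `{{- if }}` guard is what keeps the key out of the default rendering; a one-line `# -- endpoint ...` entry in values.yaml would make the option discoverable. The enclosing `storage:`/`connection:` block starts outside the hunk.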
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/admin/deployment.yaml
Expand Up @@ -18,13 +18,9 @@ spec:
{{- end }}
labels: {{ include "flyteadmin.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- with .Values.flyteadmin.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flyteadmin.priorityClassName }}
priorityClassName: {{ .Values.flyteadmin.priorityClassName }}
{{- end }}
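Review bot: Wrapping the pod securityContext in `{{- with .Values.flyteadmin.securityContext }}` means a chart user who sets `flyteadmin.securityContext: {}` (or null) while trying to override a single field removes the whole block, and the pod then runs with no pod-level security context at all — the previously hard-coded `runAsNonRoot: true` and `runAsUser: 1001` disappear silently rather than being partially overridden. That is normal Helm `with` behaviour, but because this block is the only thing keeping these pods off uid 0, the `# -- Sets securityContext` comment in values.yaml should say so, e.g. `# -- Pod securityContext; setting this to an empty map drops the securityContext entirely, so the pod may run as root.` Passing the map through `tpl` also means `{{ }}` in a user's values is evaluated, which is worth a word in the same comment. The identical hunks in console/deployment.yaml, datacatalog/deployment.yaml, flytescheduler/deployment.yaml, propeller/deployment.yaml, propeller/manager.yaml and propeller/webhook.yaml have the same property. The pod `spec:` block continues past the end of the hunk.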
9 changes: 3 additions & 6 deletions charts/flyte-core/templates/console/deployment.yaml
Expand Up @@ -22,12 +22,9 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
{{- with .Values.flyteconsole.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flyteconsole.priorityClassName }}
priorityClassName: {{ .Values.flyteconsole.priorityClassName }}
{{- end }}
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/datacatalog/deployment.yaml
Expand Up @@ -18,13 +18,9 @@ spec:
{{- end }}
labels: {{ include "datacatalog.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 1001
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
{{- with .Values.datacatalog.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.datacatalog.priorityClassName }}
priorityClassName: {{ .Values.datacatalog.priorityClassName }}
{{- end }}
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/flytescheduler/deployment.yaml
Expand Up @@ -19,13 +19,9 @@ spec:
{{- end }}
labels: {{ include "flytescheduler.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- with .Values.flytescheduler.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flytescheduler.priorityClassName }}
priorityClassName: {{ .Values.flytescheduler.priorityClassName }}
{{- end }}
7 changes: 3 additions & 4 deletions charts/flyte-core/templates/propeller/deployment.yaml
Expand Up @@ -31,10 +31,9 @@ spec:
labels: {{ include "flytepropeller.podLabels" . | nindent 8 }}
{{- end }}
spec:
securityContext:
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
{{- with .Values.flytepropeller.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flytepropeller.priorityClassName }}
priorityClassName: {{ .Values.flytepropeller.priorityClassName }}
{{- end }}
7 changes: 3 additions & 4 deletions charts/flyte-core/templates/propeller/manager.yaml
Expand Up @@ -15,10 +15,9 @@ template:
labels: {{ include "flytepropeller.labels" . | nindent 6 }}
app: {{ index .Values.configmap.core.manager "pod-application" }}
spec:
securityContext:
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
{{- with .Values.flytepropeller.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.flytepropeller.priorityClassName }}
priorityClassName: {{ .Values.flytepropeller.priorityClassName }}
{{- end }}
10 changes: 3 additions & 7 deletions charts/flyte-core/templates/propeller/webhook.yaml
Expand Up @@ -35,13 +35,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
securityContext:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- with .Values.webhook.securityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "flyte-pod-webhook.name" . }}
{{- if .Values.webhook.enabled }}
initContainers:
44 changes: 44 additions & 0 deletions charts/flyte-core/values.yaml
Expand Up @@ -111,6 +111,14 @@ flyteadmin:
extraArgs: {}
# -- Sets priorityClassName for flyteadmin pod(s).
priorityClassName: ""
# -- Sets securityContext for flyteadmin pod(s).
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t

# -- Settings for flyteadmin service monitor
serviceMonitor:
Expand Down Expand Up @@ -179,6 +187,14 @@ flytescheduler:
additionalContainers: []
# -- Sets priorityClassName for flyte scheduler pod(s).
priorityClassName: ""
# -- Sets securityContext for flytescheduler pod(s).
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t

#
# DATACATALOG SETTINGS
Expand Down Expand Up @@ -242,6 +258,14 @@ datacatalog:
extraArgs: {}
# -- Sets priorityClassName for datacatalog pod(s).
priorityClassName: ""
# -- Sets securityContext for datacatalog pod(s).
securityContext:
runAsNonRoot: true
fsGroup: 1001
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t

#
# FLYTE_AGENT SETTINGS
Expand Down Expand Up @@ -320,6 +344,11 @@ flytepropeller:
clusterName: ""
# -- Sets priorityClassName for propeller pod(s).
priorityClassName: ""
# -- Sets securityContext for flytepropeller pod(s).
securityContext:
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"

# -- Settings for flytepropeller service
service:
Expand Down Expand Up @@ -382,6 +411,13 @@ flyteconsole:
priorityClassName: ""
# -- ImagePullSecrets to assign to the Flyteconsole deployment
imagePullSecrets: []
# -- Sets securityContext for flyteconsole pod(s).
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t

# It will enable the redoc route in ingress
deployRedoc: false
Expand Down Expand Up @@ -419,6 +455,14 @@ webhook:
annotations:
projectcontour.io/upstream-protocol.h2c: grpc
type: ClusterIP
# -- Sets securityContext for webhook pod(s).
securityContext:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t

# ------------------------------------------------
#
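Review bot: The new `flytepropeller.securityContext` default (the `-320,6 +344,11` hunk) is the only one of the six that omits `runAsNonRoot: true`, so the propeller and manager pods — both templates read this same value — are the only components where the kubelet will not refuse a uid-0 image; this mirrors the hard-coded block the commit removes, so it may be intentional, but now that it is user-visible configuration the comment should say why, e.g. `# -- Sets securityContext for flytepropeller pod(s) and the propeller manager; runAsNonRoot is deliberately not enforced here.` `seLinuxOptions.type: spc_t` is likewise carried over unchanged into five of the defaults; since these values are now documented in the README, the `# --` comments could state that this is the permissive super-privileged container SELinux type so users on SELinux-enforcing hosts know what the default opts them into. The README row added for `webhook.securityContext` describes it as for "Flytescheduler pods", which looks like a copy-paste from the row above and does not match the `# -- Sets securityContext for webhook pod(s).` comment in the last hunk here.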

