fix: make SYS_PTRACE optional

Signed-off-by: Dylan Spagnuolo <[email protected]>
flyteorg · Sep 17, 2024 · e9868c8 · e9868c8
1 parent 7989209
commit e9868c8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/flyteplugins/go/tasks/pluginmachinery/flytek8s/config/config.go b/flyteplugins/go/tasks/pluginmachinery/flytek8s/config/config.go
@@ -32,14 +32,15 @@ var (
 			"cluster-autoscaler.kubernetes.io/safe-to-evict": "false",
 		},
 		CoPilot: FlyteCoPilotConfig{
-			NamePrefix:           "flyte-copilot-",
-			Image:                "cr.flyte.org/flyteorg/flytecopilot:v0.0.15",
-			DefaultInputDataPath: "/var/flyte/inputs",
-			InputVolumeName:      "flyte-inputs",
-			DefaultOutputPath:    "/var/flyte/outputs",
-			OutputVolumeName:     "flyte-outputs",
-			CPU:                  "500m",
-			Memory:               "128Mi",
+			NamePrefix:             "flyte-copilot-",
+			Image:                  "cr.flyte.org/flyteorg/flytecopilot:v0.0.15",
+			DefaultInputDataPath:   "/var/flyte/inputs",
+			InputVolumeName:        "flyte-inputs",
+			DefaultOutputPath:      "/var/flyte/outputs",
+			OutputVolumeName:       "flyte-outputs",
+			CPU:                    "500m",
+			Memory:                 "128Mi",
+			AddSysPTraceCapability: false,
 			StartTimeout: config2.Duration{
 				Duration: time.Second * 100,
 			},
@@ -238,6 +239,8 @@ type FlyteCoPilotConfig struct {
 	CPU     string `json:"cpu" pflag:",Used to set cpu for co-pilot containers"`
 	Memory  string `json:"memory" pflag:",Used to set memory for co-pilot containers"`
 	Storage string `json:"storage" pflag:",Default storage limit for individual inputs / outputs"`
+	// Co-Pilot Security Context Capabilities
+	AddSysPTraceCapability bool `json:"add-sys-ptrace-capability" pflag:",Used to enable SYS_PTRACE for co-pilot containers"`
 }
 
 // GetK8sPluginConfig retrieves the current k8s plugin config or default.

diff --git a/flyteplugins/go/tasks/pluginmachinery/flytek8s/copilot.go b/flyteplugins/go/tasks/pluginmachinery/flytek8s/copilot.go
@@ -172,7 +172,9 @@ func AddCoPilotToContainer(ctx context.Context, cfg config.FlyteCoPilotConfig, c
 	if c.SecurityContext.Capabilities == nil {
 		c.SecurityContext.Capabilities = &v1.Capabilities{}
 	}
-	c.SecurityContext.Capabilities.Add = append(c.SecurityContext.Capabilities.Add, pTraceCapability)
+	if cfg.AddSysPTraceCapability {
+		c.SecurityContext.Capabilities.Add = append(c.SecurityContext.Capabilities.Add, pTraceCapability)
+	}
 
 	if iFace != nil {
 		if iFace.Inputs != nil && len(iFace.Inputs.Variables) > 0 {