diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml index 5b41085674..60d4b6a969 100755 --- a/charts/flyte-core/templates/admin/deployment.yaml +++ b/charts/flyte-core/templates/admin/deployment.yaml @@ -19,9 +19,12 @@ spec: labels: {{ include "flyteadmin.podLabels" . | nindent 8 }} spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t {{- if .Values.flyteadmin.priorityClassName }} priorityClassName: {{ .Values.flyteadmin.priorityClassName }} {{- end }} @@ -35,6 +38,10 @@ spec: image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }} - mountPath: /etc/flyte/config name: base-config-volume @@ -57,6 +64,10 @@ spec: image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }} - mountPath: /etc/flyte/config name: base-config-volume @@ -77,6 +88,10 @@ spec: image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }} - mountPath: /etc/flyte/clusterresource/templates name: resource-templates 
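Review bot: The `seLinuxOptions: type: spc_t` lines added to the pod-level securityContext work against the hardening the rest of this hunk introduces: `spc_t` is the container-selinux "super privileged container" domain, which leaves the pod effectively unconfined by SELinux, and it is not one of the types the Pod Security "baseline" policy accepts (`container_t`, `container_init_t`, `container_kvm_t`), so namespaces enforcing baseline or restricted will reject these pods on SELinux-enabled nodes. Unless a specific denial is being worked around, drop the two lines and let the runtime assign its default container domain, or at least source them from a chart value so operators can omit them; the hunk shows no values reference, so the type appears to be hard-coded. The same two lines are added to the pod securityContext of the console, datacatalog, flytescheduler and propeller webhook templates in this commit.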
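Review bot: The container securityContext inserted after `name: run-migrations` stops one key short of the Pod Security "restricted" profile, which also requires a seccomp profile at pod or container level; with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` now present, adding `seccompProfile:` / `type: RuntimeDefault` once in the pod-level securityContext covers every init container and container in the pod without repeating it per container. The same container block is repeated for seed-projects, sync-cluster-resources, the secrets-init container and the flyteadmin container, and in the console, datacatalog, flytescheduler and webhook templates, so a single pod-level key per template would also shorten the diff.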
@@ -104,6 +119,10 @@ spec: [ "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -149,6 +168,10 @@ spec: initialDelaySeconds: 20 periodSeconds: 5 resources: {{- toYaml .Values.flyteadmin.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /srv/flyte name: shared-data diff --git a/charts/flyte-core/templates/console/deployment.yaml b/charts/flyte-core/templates/console/deployment.yaml index 3d0f26d44b..d9675a0072 100644 --- a/charts/flyte-core/templates/console/deployment.yaml +++ b/charts/flyte-core/templates/console/deployment.yaml @@ -23,8 +23,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t {{- if .Values.flyteconsole.priorityClassName }} priorityClassName: {{ .Values.flyteconsole.priorityClassName }} {{- end }} @@ -51,6 +54,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: {{ toYaml .Values.flyteconsole.resources | nindent 10 }} volumeMounts: - mountPath: /srv/flyte diff --git a/charts/flyte-core/templates/datacatalog/deployment.yaml b/charts/flyte-core/templates/datacatalog/deployment.yaml index 9ba6a8d89a..904762eb79 100644 --- a/charts/flyte-core/templates/datacatalog/deployment.yaml +++ b/charts/flyte-core/templates/datacatalog/deployment.yaml 
@@ -19,9 +19,12 @@ spec: labels: {{ include "datacatalog.podLabels" . | nindent 8 }} spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t {{- if .Values.datacatalog.priorityClassName }} priorityClassName: {{ .Values.datacatalog.priorityClassName }} {{- end }} @@ -44,6 +47,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -66,6 +73,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: {{ index .Values.configmap.datacatalogServer.datacatalog "profiler-port" }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: {{- toYaml .Values.datacatalog.resources | nindent 10 }} volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /etc/datacatalog/config diff --git a/charts/flyte-core/templates/flytescheduler/deployment.yaml b/charts/flyte-core/templates/flytescheduler/deployment.yaml index 37b2394b1d..3892cfbb83 100755 --- a/charts/flyte-core/templates/flytescheduler/deployment.yaml +++ b/charts/flyte-core/templates/flytescheduler/deployment.yaml @@ -20,9 +20,12 @@ spec: labels: {{ include "flytescheduler.podLabels" . | nindent 8 }} spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t {{- if .Values.flytescheduler.priorityClassName }} priorityClassName: {{ .Values.flytescheduler.priorityClassName }} {{- end }} 
@@ -42,6 +45,10 @@ spec: image: "{{ .Values.flytescheduler.image.repository }}:{{ .Values.flytescheduler.image.tag }}" imagePullPolicy: "{{ .Values.flytescheduler.image.pullPolicy }}" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /etc/flyte/config name: config-volume @@ -65,6 +72,10 @@ spec: name: flytescheduler ports: - containerPort: {{ .Values.configmap.schedulerConfig.scheduler.profilerPort }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: {{- toYaml .Values.flytescheduler.resources | nindent 10 }} volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /etc/flyte/config diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml index 0b1c725af8..9a1f279350 100644 --- a/charts/flyte-core/templates/propeller/webhook.yaml +++ b/charts/flyte-core/templates/propeller/webhook.yaml @@ -37,8 +37,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: {{ template "flyte-pod-webhook.name" . }} {{- if .Values.webhook.enabled }} initContainers: @@ -66,6 +69,10 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -96,6 +103,10 @@ spec: {{- end }} ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index a0aebff495..b6adaab5d6 100644 
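Review bot: In the webhook pod securityContext hunk (`@@ -37,8 +37,11 @@`), `runAsNonRoot: true` is inserted between `fsGroup: 65534` and `runAsUser: 1001`, whereas the admin, console, datacatalog and flytescheduler templates place it as the first key of the block; moving it above `fsGroup` keeps the five templates grep-identical, which matters because this block is now copied verbatim into the generated manifests. The flyteadmin, console and datacatalog init containers that also received a container securityContext in this commit are otherwise consistent with the webhook's `generate-secrets` init container.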
--- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml @@ -857,9 +857,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -870,6 +873,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -887,6 +894,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -901,6 +912,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -918,6 +933,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -959,6 +978,10 @@ spec: cpu: 50m ephemeral-storage: 200Mi memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -1085,8 +1108,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -1096,6 +1122,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1145,9 +1175,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -1163,6 +1196,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -1176,6 +1213,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 1 @@ -1314,8 +1355,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -1337,6 +1381,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -1361,6 +1409,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config 
diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml index be8b442371..8b17155aa1 100644 --- a/deployment/eks/flyte_helm_controlplane_generated.yaml +++ b/deployment/eks/flyte_helm_controlplane_generated.yaml @@ -563,9 +563,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -576,6 +579,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -593,6 +600,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -607,6 +618,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -624,6 +639,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -665,6 +684,10 @@ spec: cpu: 50m ephemeral-storage: 200Mi memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -791,8 +814,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -802,6 +828,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -851,9 +881,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -869,6 +902,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -882,6 +919,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 1 @@ -942,9 +983,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -954,6 +998,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -972,6 +1020,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m 
diff --git a/deployment/eks/flyte_helm_dataplane_generated.yaml b/deployment/eks/flyte_helm_dataplane_generated.yaml index 5fa5c09498..52b14a1b6e 100644 --- a/deployment/eks/flyte_helm_dataplane_generated.yaml +++ b/deployment/eks/flyte_helm_dataplane_generated.yaml @@ -513,8 +513,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -536,6 +539,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -560,6 +567,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 1b84af16a5..fa8a6387b3 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -888,9 +888,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -901,6 +904,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -918,6 +925,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -932,6 +943,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -949,6 +964,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -990,6 +1009,10 @@ spec: cpu: 50m ephemeral-storage: 200Mi memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1116,8 +1139,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -1127,6 +1153,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1176,9 +1206,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -1194,6 +1227,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog 
@@ -1207,6 +1244,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 1 @@ -1267,9 +1308,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -1279,6 +1323,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1297,6 +1345,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1433,8 +1485,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -1456,6 +1511,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -1480,6 +1539,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml index d9ea49361c..96f6427fb6 100644 --- a/deployment/gcp/flyte_helm_controlplane_generated.yaml +++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml 
@@ -578,9 +578,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -591,6 +594,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -608,6 +615,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -622,6 +633,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -639,6 +654,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -680,6 +699,10 @@ spec: cpu: 500m ephemeral-storage: 2Gi memory: 1G + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -806,8 +829,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" 
@@ -817,6 +843,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -866,9 +896,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -884,6 +917,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -897,6 +934,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m @@ -957,9 +998,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -969,6 +1013,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -987,6 +1035,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m diff --git a/deployment/gcp/flyte_helm_dataplane_generated.yaml b/deployment/gcp/flyte_helm_dataplane_generated.yaml index b7cd4932ae..0e7b6af3fe 100644 --- a/deployment/gcp/flyte_helm_dataplane_generated.yaml +++ b/deployment/gcp/flyte_helm_dataplane_generated.yaml 
@@ -520,8 +520,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -543,6 +546,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -567,6 +574,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index f6ae64796f..0031523dd7 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -911,9 +911,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -924,6 +927,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -941,6 +948,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -955,6 +966,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -972,6 +987,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -1013,6 +1032,10 @@ spec: cpu: 500m ephemeral-storage: 2Gi memory: 1G + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1139,8 +1162,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -1150,6 +1176,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1199,9 +1229,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -1217,6 +1250,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -1230,6 +1267,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m 
@@ -1290,9 +1331,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -1302,6 +1346,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1320,6 +1368,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1455,8 +1507,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -1478,6 +1533,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -1502,6 +1561,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index f5e26ef0bb..3a9c79f725 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml @@ -6694,9 +6694,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin 
@@ -6707,6 +6710,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config @@ -6723,6 +6730,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config @@ -6736,6 +6747,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/clusterresource/templates @@ -6752,6 +6767,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -6793,6 +6812,10 @@ spec: cpu: 10m ephemeral-storage: 50Mi memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /srv/flyte @@ -6906,8 +6929,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -6922,6 +6948,10 @@ spec: value: "true" - name: GA_TRACKING_ID value: "G-0QW4DJWJ20" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m 
@@ -6964,9 +6994,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -6981,6 +7014,10 @@ spec: - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -6994,6 +7031,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m @@ -7044,9 +7085,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -7056,6 +7100,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config @@ -7073,6 +7121,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -7198,8 +7250,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -7221,6 +7276,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config 
@@ -7245,6 +7304,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config