SecurtyContext: applying PodTemplate for InitContainers and removing SYS_PTRACE

[vlibov]

Tracking issue

Related to #5462

Why are the changes needed?

The Issue #5462 describes the problem in detail.

What changes were proposed in this pull request?

1. Remove the SYS_PTRACE capability
2. Apply the PodTemplate settings to the InitContainers. In particular, this allows the SecurityContext settings to be applied also to the InitContainer.

How was this patch tested?

Setup process

Screenshots

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Related PRs

Docs link

[welcome]

Thank you for opening this pull request! 🙌

These tips will help get your PR across the finish line:

• Most of the repos have a PR template; if not, fill it out to the best of your knowledge.
• Sign off your commits (Reference: DCO Guide).

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.75%. Comparing base (81afb76) to head (92bd3a0).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5556      +/-   ##
==========================================
- Coverage   60.98%   60.75%   -0.23%     
==========================================
  Files         796      645     -151     
  Lines       51647    41432   -10215     
==========================================
- Hits        31498    25174    -6324     
+ Misses      17249    13958    -3291     
+ Partials     2900     2300     -600     

Flag	Coverage Δ
unittests-datacatalog	69.31% <ø> (ø)
unittests-flyteadmin	58.69% <ø> (-0.05%)	⬇️
unittests-flytecopilot	17.79% <ø> (ø)
unittests-flytectl	67.44% <ø> (ø)
unittests-flyteidl	79.06% <ø> (ø)
unittests-flyteplugins	?
unittests-flytepropeller	57.42% <ø> (ø)
unittests-flytestdlib	65.68% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pingsutw]

Isn't it always false here? Should we add add_sys_ptrace to the plugin config?

[hamersaw]

If there is a larger conversation here, which I suspect there is. We can split this into multiple PRs - I don't think merging support for applying a PodTemplate to initContainers is controversial.

[davidmirror-ops]

We can split this into multiple PRs

Agree. @vlibov thoughts?

[vlibov]

Hi all,
yes it's always false here - the idea was that this SYS_PTRACE can be removed altogether
(but I wanted to keep the relevant code for now so didn't remove the line completely).
However, indeed a more flexible approach would be to make this configurable.

I'm fine with both options - splitting the PR or deciding whether we remvoe SYS_PTRACE vs make it configurable via add_sys_ptrace now. How difficult is it to create a new plugin config? if not too difficult, we could just do it.

[vlibov]

Hi @davidmirror-ops,
how do we want to proceed? Shall we split the PR or make the SYS_PTRACE configurable (or remove it completely?)
Thanks!

[davidmirror-ops]

Shall we split the PR or make the SYS_PTRACE configurable
Hey @vlibov! Can we do both? Split this into two PRs: one for the PodTemplate for initContainer and the other making SYS_PTRACE configurable.

[vlibov]

Sounds good, @davidmirror-ops!
I reverted the SYS_PTRACE commit in this PR so it now only affects the initContainer part.

I will also create a new PR for the SYS_PTRACE config - can anybody point me on how to properly implement this? i.e. where is this option supposed to be defined and how to propagate it down to the relevant function which sets SYS_PTRACE? Thanks!

[vlibov]

Hey @davidmirror-ops, actually I created a new PR also for this change (initContainers)
#5664
I hope this is ok!
The #5556 can thus be closed...

[dylanspag-lmco]

Hi @vlibov, just wondering did you end up creating a separate PR for removing SYS_PTRACE?