From 8b7210258f869bf85f55de22a0dd2856d7b40747 Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Thu, 12 Dec 2024 17:14:31 +0100
Subject: [PATCH] Update securitycontext
Signed-off-by: biswassri Update ml-pipeline-scheduledworkflow-deployment.yaml Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Update ml-pipeline-persistenceagent-deployment.yaml Upstreaming off pss patches Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Updating server,ui,visualization,veiwercrd deployment yaml Signed-off-by: biswassri <58236793+biswassri@users.noreply.github.com> Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Updating remaining PSS patches Signed-off-by: biswassri
---
 .../base/metadata/base/metadata-envoy-deployment.yaml | 10 ++++++++++
 .../base/metadata/base/metadata-grpc-deployment.yaml | 10 ++++++++++
 .../metadata-writer/metadata-writer-deployment.yaml | 10 ++++++++++
 .../pipeline/ml-pipeline-apiserver-deployment.yaml | 10 ++++++++++
 .../ml-pipeline-persistenceagent-deployment.yaml | 10 ++++++++++
 .../ml-pipeline-scheduledworkflow-deployment.yaml | 10 ++++++++++
 .../base/pipeline/ml-pipeline-ui-deployment.yaml | 10 ++++++++++
 .../pipeline/ml-pipeline-viewer-crd-deployment.yaml | 10 ++++++++++
 .../pipeline/ml-pipeline-visualization-deployment.yaml | 10 ++++++++++
 .../base/workflow-controller-deployment-patch.yaml | 4 ++++
 .../third-party/metacontroller/base/stateful-set.yaml | 2 ++
 .../third-party/minio/base/minio-deployment.yaml | 10 ++++++++++
 .../third-party/mysql/base/mysql-deployment.yaml | 10 ++++++++++
 13 files changed, 116 insertions(+)
diff --git a/manifests/kustomize/base/metadata/base/metadata-envoy-deployment.yaml b/manifests/kustomize/base/metadata/base/metadata-envoy-deployment.yaml
index e087d80aa90..32ef611aebb 100644
--- a/manifests/kustomize/base/metadata/base/metadata-envoy-deployment.yaml
+++ b/manifests/kustomize/base/metadata/base/metadata-envoy-deployment.yaml
@@ -24,3 +24,13 @@ spec:
 containerPort: 9090
 - name: envoy-admin
 containerPort: 9901
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
diff --git a/manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml b/manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml
index 1ea10488d6e..6a824cc104e 100644
--- a/manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml
+++ b/manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml
@@ -23,6 +23,16 @@ spec:
 # * manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml
 # * test/tag_for_hosted.sh
 image: gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 env:
 - name: DBCONFIG_USER
 valueFrom:
diff --git a/manifests/kustomize/base/pipeline/metadata-writer/metadata-writer-deployment.yaml b/manifests/kustomize/base/pipeline/metadata-writer/metadata-writer-deployment.yaml
index c51903d3568..6e9f41e5f9b 100644
--- a/manifests/kustomize/base/pipeline/metadata-writer/metadata-writer-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/metadata-writer/metadata-writer-deployment.yaml
@@ -22,4 +22,14 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: kubeflow-pipelines-metadata-writer
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
index cd80133596f..244d9e07b10 100644
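Review bot: `runAsGroup: 0` is set next to `runAsUser: 1000` with no explanation, so every one of these containers keeps the root group as its primary GID, and anything it writes to a mounted volume is group-owned by root; a comment on that line such as `# primary GID 0 is deliberate so the image stays usable on platforms that run with arbitrary UIDs and root group; the UID itself is non-root` would record the intent, assuming that is the reason. The same ten-line stanza is repeated verbatim in the metadata-grpc, metadata-writer, apiserver, persistenceagent, scheduledworkflow, ui, viewer-crd, visualization, minio and mysql hunks, while the argo hunk carries a different subset; a single Kustomize patch or component targeting all of these Deployments would keep them from drifting and make deviations explicit. `runAsUser: 1000` also assumes each image's filesystem and entrypoint work under that UID, which is not visible here and should be confirmed per image, since `runAsNonRoot: true` only rejects UID 0 and will not catch a wrong non-root UID.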
--- a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
@@ -156,6 +156,16 @@ spec:
 failureThreshold: 12
 periodSeconds: 5
 timeoutSeconds: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 resources:
 requests:
 cpu: 250m
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml
index d23cee601af..31a3d66a82d 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml
@@ -37,6 +37,16 @@ spec:
 volumeMounts:
 - mountPath: /var/run/secrets/kubeflow/tokens
 name: persistenceagent-sa-token
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: ml-pipeline-persistenceagent
 volumes:
 - name: persistenceagent-sa-token
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml
index aa19c70f706..5c5a05df80f 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml
@@ -31,4 +31,14 @@ spec:
 configMapKeyRef:
 name: pipeline-install-config
 key: cronScheduleTimezone
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: ml-pipeline-scheduledworkflow
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
index adfcfc9f928..be27565c94b 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
@@ -29,6 +29,16 @@ spec:
 - name: config-volume
 mountPath: /etc/config
 readOnly: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 env:
 - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
 value: /etc/config/viewer-pod-template.json
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml
index 9e101b9f6c4..fba7ec62e79 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml
@@ -26,4 +26,14 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: ml-pipeline-viewer-crd-service-account
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml
index b6d1e1184e6..095c74dc4de 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml
@@ -46,6 +46,16 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 5
 timeoutSeconds: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 resources:
 requests:
 cpu: 30m
diff --git a/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml b/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml
index c221a642023..514dfcf85ab 100644
--- a/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml
+++ b/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml
@@ -13,6 +13,10 @@ spec:
 - workflow-controller-configmap
 - --executor-image
 - gcr.io/ml-pipeline/argoexec:v3.4.17-license-compliance
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
 resources:
 requests:
 cpu: 100m
diff --git a/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml b/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml
index b0ca0076e7b..4b9350860f6 100644
--- a/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml
+++ b/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml
@@ -30,6 +30,8 @@ spec:
 - --zap-log-level=4
 - '--discovery-interval=3600s' # less insane than 10 seconds
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
 - ALL
diff --git a/manifests/kustomize/third-party/minio/base/minio-deployment.yaml b/manifests/kustomize/third-party/minio/base/minio-deployment.yaml
index a1bd963078d..6025517a5ec 100644
--- a/manifests/kustomize/third-party/minio/base/minio-deployment.yaml
+++ b/manifests/kustomize/third-party/minio/base/minio-deployment.yaml
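Review bot: The securityContext added to the workflow-controller patch sets only `seccompProfile` and `runAsNonRoot`, so unlike every other hunk in this commit it neither disables privilege escalation nor drops capabilities, and on its own it would not satisfy the PSS restricted profile. This file is a patch over the upstream Argo manifest, so if the base already carries `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` a comment such as `# allowPrivilegeEscalation and capabilities are set by the upstream base manifest` would make the asymmetry intentional; if it does not, the two fields should be added here to match the other deployments. The rest of the container spec lies outside the hunk, so which case applies cannot be confirmed from this view.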
@@ -34,6 +34,16 @@ spec:
 name: minio
 ports:
 - containerPort: 9000
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /data
 name: data
diff --git a/manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml b/manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml
index 570fe03d2d5..b18c58f22c3 100644
--- a/manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml
+++ b/manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml
@@ -53,6 +53,16 @@ spec:
 ports:
 - containerPort: 3306
 name: mysql
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /var/lib/mysql
 name: mysql-persistent-storage
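Review bot: Pinning minio to `runAsUser: 1000` changes which UID writes the `/data` volume mounted two lines below, and on an existing install whose persistent volume was populated under the previous UID the container will not be able to write after the upgrade unless ownership is corrected; the mysql hunk has the same exposure on its `/var/lib/mysql` mount. A container-level securityContext cannot repair that by itself, so either a pod-level `fsGroup` (effective only on volume types that honour it) or a documented migration step for existing volumes is needed, and a comment on the stanza such as `# the data volume must be writable by UID 1000; existing volumes may need ownership fixed on upgrade` would make the constraint visible to operators. The UID these containers ran as before is not visible in the hunk, so the upgrade impact is inferred rather than confirmed.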