chore: Add securitycontext for PSS PoC (rootless Kubeflow) #11462

Open. Wants to merge 1 commit into base: master.
Expand Up @@ -24,3 +24,13 @@ spec:
containerPort: 9090
- name: envoy-admin
containerPort: 9901
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
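Review bot: dropping ALL capabilities here also drops NET_BIND_SERVICE, which is fine for the two listeners shown (9090 and 9901 are both above 1024), but please confirm the envoy bootstrap config in this deployment does not bind anything below 1024, or the proxy will fail to start as UID 1000. Separately, the securityContext does nothing to restrict the envoy-admin listener on 9901; if that endpoint is meant to be local-only, that is an envoy config change, not part of this one.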
Expand Up @@ -23,6 +23,16 @@ spec:
# * manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml
# * test/tag_for_hosted.sh
image: gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
env:
- name: DBCONFIG_USER
valueFrom:
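Review bot: the image pinned here (gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0) is third-party and not rebuilt by this PR, so nothing guarantees it tolerates running as UID 1000 with GID 0. The visible context shows no volumeMounts and no fsGroup, which means the process has no writable path except whatever the image itself leaves world- or group-0-writable. The PR description should say this container was actually started with this context and reached Ready, not just that it admits under restricted.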
Expand Up @@ -22,4 +22,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
serviceAccountName: kubeflow-pipelines-metadata-writer
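Review bot: runAsGroup: 0 puts the process in the root group while runAsUser is 1000. The restricted Pod Security Standard does not reject GID 0 (it only checks runAsNonRoot and the user), so this passes admission, but it grants write access to every group-0-writable path in the image. That is the OpenShift convention for arbitrary-UID images; if the Kubeflow images are built that way, a one-line comment saying so would stop the next reader from "fixing" it to 1000, and if they are not, runAsGroup: 1000 is the tighter choice with no admission difference.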
Expand Up @@ -156,6 +156,16 @@ spec:
failureThreshold: 12
periodSeconds: 5
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
resources:
requests:
cpu: 250m
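Review bot: the same ten-line securityContext block is copy-pasted into eleven deployments in this PR. A single kustomize patch with a target selector on kind: Deployment (a JSON6902 patch adding /spec/template/spec/containers/0/securityContext, or a strategic merge patch per container name) would keep them identical and make the next tightening, for example readOnlyRootFilesystem: true, which restricted does not require but a rootless PoC usually wants, a one-file change instead of eleven.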
Expand Up @@ -37,6 +37,16 @@ spec:
volumeMounts:
- mountPath: /var/run/secrets/kubeflow/tokens
name: persistenceagent-sa-token
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
serviceAccountName: ml-pipeline-persistenceagent
volumes:
- name: persistenceagent-sa-token
Expand Up @@ -31,4 +31,14 @@ spec:
configMapKeyRef:
name: pipeline-install-config
key: cronScheduleTimezone
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
serviceAccountName: ml-pipeline-scheduledworkflow
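Review bot: the PR is labelled a PoC but nothing in it shows the result was admission-checked. Suggest adding to the description the output of `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted`, which prints a warning for every existing pod that would violate the profile without actually relabelling the namespace, so reviewers can see at a glance which deployments still fail after this change.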
10 changes: 10 additions & 0 deletions manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
Expand Up @@ -29,6 +29,16 @@ spec:
- name: config-volume
mountPath: /etc/config
readOnly: true
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
env:
- name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
value: /etc/config/viewer-pod-template.json
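Review bot: this securityContext covers only the UI container. The Tensorboard viewer pods the UI launches from VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH (/etc/config/viewer-pod-template.json, mounted from config-volume above) are separate pods admitted on their own, so for the rootless PoC to hold end to end the template in that ConfigMap needs the same fields. Otherwise the UI itself starts fine but viewer creation is rejected in a restricted namespace, which is harder to diagnose than a failing Deployment.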
Expand Up @@ -26,4 +26,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
serviceAccountName: ml-pipeline-viewer-crd-service-account
Expand Up @@ -46,6 +46,16 @@ spec:
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
resources:
requests:
cpu: 30m
Expand Up @@ -13,6 +13,10 @@ spec:
- workflow-controller-configmap
- --executor-image
- gcr.io/ml-pipeline/argoexec:v3.4.17-license-compliance
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
resources:
requests:
cpu: 100m
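Review bot: this hunk is incomplete for the restricted profile: it sets seccompProfile and runAsNonRoot but not allowPrivilegeEscalation: false or capabilities.drop [ALL], both of which restricted requires, so the workflow-controller would still be rejected. Also, runAsNonRoot: true without runAsUser makes the kubelet resolve the UID from the image's USER directive; if that USER is a name rather than a numeric UID the container is refused at start ("cannot verify user is non-root"), so either set runAsUser as the other deployments do or confirm the image uses a numeric USER. Finally, the workflow pods this controller creates (the argoexec executor image is passed above) take their securityContext from the executor section of workflow-controller-configmap, not from this Deployment; that is where the rootless change has to land for pipeline runs themselves.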
Expand Up @@ -30,6 +30,8 @@ spec:
- --zap-log-level=4
- '--discovery-interval=3600s' # less insane than 10 seconds
securityContext:
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
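Review bot: only seccompProfile is added here. The visible context shows capabilities.drop [ALL] but neither runAsNonRoot: true nor allowPrivilegeEscalation: false, which restricted also requires; if both are in the collapsed lines below this is fine, otherwise this controller will still fail admission and the hunk should add them like the others.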
10 changes: 10 additions & 0 deletions manifests/kustomize/third-party/minio/base/minio-deployment.yaml
Expand Up @@ -34,6 +34,16 @@ spec:
name: minio
ports:
- containerPort: 9000
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /data
name: data
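Review bot: switching to runAsUser 1000 changes who must own /data. On a freshly provisioned PersistentVolume the mount is typically root-owned, and this change adds no pod-level fsGroup (the securityContext here is container-level, which does not affect volume ownership), so UID 1000/GID 0 cannot create bucket directories and minio fails to start. Suggest a pod-level `securityContext: fsGroup:` matching the chosen group so the kubelet chowns the volume, and a note that volumes already written as root need a one-off ownership migration before upgrading.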
10 changes: 10 additions & 0 deletions manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml
Expand Up @@ -53,6 +53,16 @@ spec:
ports:
- containerPort: 3306
name: mysql
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /var/lib/mysql
name: mysql-persistent-storage
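Review bot: same volume-ownership problem as minio, with a sharper edge: the data directory on mysql-persistent-storage must already be writable by UID 1000 or GID 0 before first start, because with all capabilities dropped and a non-root UID the entrypoint can no longer chown /var/lib/mysql itself. Without a pod-level fsGroup a fresh install fails to initialise, and an upgrade of an existing root-owned data directory fails to open it. This needs fsGroup plus a documented migration step, and if the image ships its own mysql user with a different UID the hard-coded 1000 should be reconciled with it rather than assumed.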