From 1694a5a03fd2db46c2784114efd2fa31951aa3b4 Mon Sep 17 00:00:00 2001 From: Nikita Vaniasin Date: Wed, 6 Dec 2023 22:48:14 +0100 Subject: [PATCH 1/4] (Feature) (ML) Handler for Extension StatefulSet and Service --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd9d49a69..c417256a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ - (Improvement) (ML) Job Sidecar Shutdown - (Feature) (ML) Handler for Extension StatefulSet and Service - (Feature) (ML) Pod & Container Config +- (Feature) (ML) Handler for Extension StatefulSet and Service ## [1.2.35](https://github.com/arangodb/kube-arangodb/tree/1.2.35) (2023-11-06) - (Maintenance) Update go-driver to v1.6.0, update IsNotFound() checks From 74ddffd90656b5faf77ab9630d01ed0a6be189f2 Mon Sep 17 00:00:00 2001 From: Nikita Vaniasin Date: Sun, 10 Dec 2023 10:16:16 +0100 Subject: [PATCH 2/4] Use ContainerTemplate for ml ext depl component --- docs/api/ArangoMLExtension.V1Alpha1.md | 33 ++++ .../extension_spec_deployment_component.go | 25 +-- pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go | 11 +- .../crds/ml-extension.schema.generated.yaml | 180 ++++++++++++++++++ pkg/util/k8sutil/pods.go | 31 +++ pkg/util/k8sutil/security_context.go | 15 -- 6 files changed, 253 insertions(+), 42 deletions(-) diff --git a/docs/api/ArangoMLExtension.V1Alpha1.md b/docs/api/ArangoMLExtension.V1Alpha1.md index 3333f3c4b..ffb08326d 100644 --- a/docs/api/ArangoMLExtension.V1Alpha1.md +++ b/docs/api/ArangoMLExtension.V1Alpha1.md 
@@ -47,6 +47,17 @@ Links: *** +### .spec.deployment.prediction.securityContext + +Type: `core.SecurityContext` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_container.go#L29) + +PodSecurityContext holds pod-level security attributes and common container settings. + +Links: +* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +*** + ### .spec.deployment.project.image Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31) @@ -92,6 +103,17 @@ Links: *** +### .spec.deployment.project.securityContext + +Type: `core.SecurityContext` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_container.go#L29) + +PodSecurityContext holds pod-level security attributes and common container settings. + +Links: +* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +*** + ### .spec.deployment.replicas Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment.go#L32) @@ -164,6 +186,17 @@ Links: *** +### .spec.deployment.training.securityContext + +Type: `core.SecurityContext` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_container.go#L29) + +PodSecurityContext holds pod-level security attributes and common container settings. + +Links: +* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +*** + ### .spec.image Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31) diff --git a/pkg/apis/ml/v1alpha1/extension_spec_deployment_component.go b/pkg/apis/ml/v1alpha1/extension_spec_deployment_component.go index 94dca8118..f919cf34f 100644 --- a/pkg/apis/ml/v1alpha1/extension_spec_deployment_component.go 
+++ b/pkg/apis/ml/v1alpha1/extension_spec_deployment_component.go @@ -30,12 +30,8 @@ type ArangoMLExtensionSpecDeploymentComponent struct { // Port defines on which port the container will be listening for connections Port *int32 `json:"port,omitempty"` - // Image defines image used for the component - *sharedApi.Image `json:",inline"` - - // Resources holds resource requests & limits for container - // If not specified, default values will be used - *sharedApi.Resources `json:",inline"` + // ContainerTemplate Keeps the information about Container configuration + *sharedApi.ContainerTemplate `json:",inline"` } func (s *ArangoMLExtensionSpecDeploymentComponent) GetPort() int32 { @@ -45,20 +41,12 @@ func (s *ArangoMLExtensionSpecDeploymentComponent) GetPort() int32 { return *s.Port } -func (s *ArangoMLExtensionSpecDeploymentComponent) GetImage() *sharedApi.Image { - if s == nil || s.Image == nil { - return nil - } - - return s.Image -} - -func (s *ArangoMLExtensionSpecDeploymentComponent) GetResources() *sharedApi.Resources { - if s == nil || s.Resources == nil { +func (s *ArangoMLExtensionSpecDeploymentComponent) GetContainerTemplate() *sharedApi.ContainerTemplate { + if s == nil || s.ContainerTemplate == nil { return nil } - return s.Resources + return s.ContainerTemplate } func (s *ArangoMLExtensionSpecDeploymentComponent) Validate() error { @@ -73,8 +61,7 @@ func (s *ArangoMLExtensionSpecDeploymentComponent) Validate() error { } err = append(err, - shared.PrefixResourceErrors("resources", s.GetResources().Validate()), - shared.PrefixResourceErrors("image", shared.ValidateRequired(s.GetImage(), func(obj sharedApi.Image) error { return obj.Validate() })), + s.GetContainerTemplate().Validate(), ) return shared.WithErrors(err...) diff --git a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go index 1b7b81efd..ca37dfd44 100644 --- a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go 
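Review bot: In the `Validate` hunk the image requirement has quietly moved out of this type: the removed line wrapped the image in `shared.ValidateRequired`, while the new `s.GetContainerTemplate().Validate()` enforces only whatever the shared template checks, and it is called on a nil `*sharedApi.ContainerTemplate` whenever the inline fields are absent, so it relies on that method guarding `s == nil` the way the getters in this file do. If the shared validator treats `image` as optional, a component with no image now passes admission and the reconciler must be guaranteed to fall back to a default image; if it does not, the old required check should be restored here, e.g. `shared.PrefixResourceErrors("image", shared.ValidateRequired(s.GetContainerTemplate().GetImage(), func(obj sharedApi.Image) error { return obj.Validate() }))` assuming the template exposes such a getter. The doc comment on the new field reads `// ContainerTemplate Keeps the information about Container configuration`; `// ContainerTemplate holds the image, resources and security context of the component container (inlined into the spec)` says what is actually merged in.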
+++ b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go @@ -399,14 +399,9 @@ func (in *ArangoMLExtensionSpecDeploymentComponent) DeepCopyInto(out *ArangoMLEx *out = new(int32) **out = **in } - if in.Image != nil { - in, out := &in.Image, &out.Image - *out = new(sharedv1.Image) - (*in).DeepCopyInto(*out) - } - if in.Resources != nil { - in, out := &in.Resources, &out.Resources - *out = new(sharedv1.Resources) + if in.ContainerTemplate != nil { + in, out := &in.ContainerTemplate, &out.ContainerTemplate + *out = new(sharedv1.ContainerTemplate) (*in).DeepCopyInto(*out) } return diff --git a/pkg/crd/crds/ml-extension.schema.generated.yaml b/pkg/crd/crds/ml-extension.schema.generated.yaml index 772cc7d2c..ddc4725fb 100644 --- a/pkg/crd/crds/ml-extension.schema.generated.yaml +++ b/pkg/crd/crds/ml-extension.schema.generated.yaml @@ -36,6 +36,66 @@ v1alpha1: type: string type: object type: object + securityContext: + description: PodSecurityContext holds pod-level security attributes and common container settings. + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object type: object project: description: Project defines how Project workload will be deployed 
@@ -67,6 +127,66 @@ v1alpha1: type: string type: object type: object + securityContext: + description: PodSecurityContext holds pod-level security attributes and common container settings. + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object type: object replicas: description: Replicas defines the number of replicas running specified components. No replicas created if no components are defined. 
@@ -114,6 +234,66 @@ v1alpha1: type: string type: object type: object + securityContext: + description: PodSecurityContext holds pod-level security attributes and common container settings. + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object type: object type: object image: diff --git a/pkg/util/k8sutil/pods.go b/pkg/util/k8sutil/pods.go index 90485e0df..601178864 100644 --- a/pkg/util/k8sutil/pods.go +++ b/pkg/util/k8sutil/pods.go 
@@ -802,3 +802,34 @@ func InjectContainerTemplate(spec *sharedApi.ContainerTemplate, pod *core.PodTem return nil } + +func CreateDefaultContainerTemplate(image *sharedApi.Image) *sharedApi.ContainerTemplate { + return &sharedApi.ContainerTemplate{ + Image: image.DeepCopy(), + Resources: &sharedApi.Resources{ + Resources: &core.ResourceRequirements{ + Requests: core.ResourceList{ + core.ResourceCPU: resource.MustParse("100m"), + core.ResourceMemory: resource.MustParse("128Mi"), + }, + Limits: core.ResourceList{ + core.ResourceCPU: resource.MustParse("200m"), + core.ResourceMemory: resource.MustParse("256Mi"), + }, + }, + }, + SecurityContainer: &sharedApi.SecurityContainer{ + SecurityContext: &core.SecurityContext{ + RunAsUser: util.NewType[int64](shared.DefaultRunAsUser), + RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), + RunAsNonRoot: util.NewType(true), + ReadOnlyRootFilesystem: util.NewType(true), + Capabilities: &core.Capabilities{ + Drop: []core.Capability{ + "ALL", + }, + }, + }, + }, + } +} diff --git a/pkg/util/k8sutil/security_context.go b/pkg/util/k8sutil/security_context.go index 0f68479b0..277c76b95 100644 --- a/pkg/util/k8sutil/security_context.go +++ b/pkg/util/k8sutil/security_context.go @@ -50,18 +50,3 @@ func CreateSecurePodSecurityContext() *core.PodSecurityContext { return psc } - -func CreateDefaultSecurityContext() *core.SecurityContext { - r := &core.SecurityContext{ - RunAsUser: util.NewType[int64](shared.DefaultRunAsUser), - RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), - RunAsNonRoot: util.NewType(true), - ReadOnlyRootFilesystem: util.NewType(true), - Capabilities: &core.Capabilities{ - Drop: []core.Capability{ - "ALL", - }, - }, - } - return r -} From a83c165f3d30bc2e0e67781198f13c00d9310408 Mon Sep 17 00:00:00 2001 From: Nikita Vaniasin Date: Sun, 10 Dec 2023 13:22:15 +0100 Subject: [PATCH 3/4] Fix CHANGELOG --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) 
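Review bot: The default `core.SecurityContext` built in `CreateDefaultContainerTemplate` leaves `AllowPrivilegeEscalation` and `SeccompProfile` unset, so although it already runs non-root, uses a read-only root filesystem and drops all capabilities it does not meet the Kubernetes `restricted` Pod Security Standard, and namespaces enforcing that profile will reject the ML pods. Add `AllowPrivilegeEscalation: util.NewType(false),` and `SeccompProfile: &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault},` next to `ReadOnlyRootFilesystem`. The exported function also has no doc comment; `// CreateDefaultContainerTemplate returns the hardened ContainerTemplate (non-root, read-only rootfs, all capabilities dropped, modest requests/limits) used for image when the component spec does not override these fields.` would do. How a user-supplied `securityContext` from the CR is merged with this default — and whether it can re-enable `privileged` or add capabilities — is not visible in this hunk and is worth confirming, since the operator rather than the requesting user creates the resulting pods.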
diff --git a/CHANGELOG.md b/CHANGELOG.md index c417256a9..bd9d49a69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,7 +33,6 @@ - (Improvement) (ML) Job Sidecar Shutdown - (Feature) (ML) Handler for Extension StatefulSet and Service - (Feature) (ML) Pod & Container Config -- (Feature) (ML) Handler for Extension StatefulSet and Service ## [1.2.35](https://github.com/arangodb/kube-arangodb/tree/1.2.35) (2023-11-06) - (Maintenance) Update go-driver to v1.6.0, update IsNotFound() checks From 395aaccc817070819958eb576c6ce83b93ee56e8 Mon Sep 17 00:00:00 2001 From: Nikita Vaniasin Date: Mon, 11 Dec 2023 09:18:52 +0100 Subject: [PATCH 4/4] Add PodTemplate support for extension deployment --- docs/api/ArangoMLExtension.V1Alpha1.md | 101 ++++- .../ml/v1alpha1/extension_spec_deployment.go | 13 + pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go | 5 + .../crds/ml-extension.schema.generated.yaml | 405 ++++++++++++++++++ pkg/util/k8sutil/security_context.go | 13 - 5 files changed, 523 insertions(+), 14 deletions(-) diff --git a/docs/api/ArangoMLExtension.V1Alpha1.md b/docs/api/ArangoMLExtension.V1Alpha1.md index ffb08326d..a4bcae64a 100644 --- a/docs/api/ArangoMLExtension.V1Alpha1.md +++ b/docs/api/ArangoMLExtension.V1Alpha1.md 
@@ -2,6 +2,70 @@ ## Spec +### .spec.deployment.affinity + +Type: `core.Affinity` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L37) + +Affinity defines scheduling constraints for workload + +Links: +* [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + +*** + +### .spec.deployment.hostIPC + +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L33) + +HostIPC defines to use the host's ipc namespace. + +Default Value: `false` + +*** + +### .spec.deployment.hostNetwork + +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L27) + +HostNetwork requests Host network for this pod. Use the host's network namespace. +If this option is set, the ports that will be used must be specified. + +Default Value: `false` + +*** + +### .spec.deployment.hostPID + +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L30) + +HostPID define to use the host's pid namespace. + +Default Value: `false` + +*** + +### .spec.deployment.nodeSelector + +Type: `object` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L32) + +NodeSelector is a selector that must be true for the workload to fit on a node. + +Links: +* [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + +*** + +### .spec.deployment.podSecurityContext + +Type: `core.PodSecurityContext` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_pod.go#L29) + +PodSecurityContext holds pod-level security attributes and common container settings. 
+ +Links: +* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +*** + ### .spec.deployment.prediction.image Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31) @@ -116,7 +180,7 @@ Links: ### .spec.deployment.replicas -Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment.go#L32) +Type: `integer` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment.go#L33) Replicas defines the number of replicas running specified components. No replicas created if no components are defined. @@ -124,6 +188,17 @@ Default Value: `1` *** +### .spec.deployment.schedulerName + +Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L47) + +SchedulerName specifies, the pod will be dispatched by specified scheduler. +If not specified, the pod will be dispatched by default scheduler. + +Default Value: `""` + +*** + ### .spec.deployment.service.type Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment_service.go#L37) 
@@ -141,6 +216,30 @@ Possible Values: *** +### .spec.deployment.shareProcessNamespace + +Type: `boolean` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L39) + +ShareProcessNamespace defines to share a single process namespace between all of the containers in a pod. +When this is set containers will be able to view and signal processes from other containers +in the same pod, and the first process in each container will not be assigned PID 1. +HostPID and ShareProcessNamespace cannot both be set. + +Default Value: `false` + +*** + +### .spec.deployment.tolerations + +Type: `[]core.Toleration` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L42) + +Tolerations defines tolerations + +Links: +* [Kubernetes docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + +*** + ### .spec.deployment.training.image Type: `string` [\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31) diff --git a/pkg/apis/ml/v1alpha1/extension_spec_deployment.go b/pkg/apis/ml/v1alpha1/extension_spec_deployment.go index 076c23ee8..19f123440 100644 --- a/pkg/apis/ml/v1alpha1/extension_spec_deployment.go +++ b/pkg/apis/ml/v1alpha1/extension_spec_deployment.go @@ -22,6 +22,7 @@ package v1alpha1 import ( "github.com/arangodb/kube-arangodb/pkg/apis/shared" + sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1" "github.com/arangodb/kube-arangodb/pkg/util" "github.com/arangodb/kube-arangodb/pkg/util/errors" ) 
@@ -34,6 +35,9 @@ type ArangoMLExtensionSpecDeployment struct { // Service defines how components will be exposed Service *ArangoMLExtensionSpecDeploymentService `json:"service,omitempty"` + // PodTemplate defines base template for pods + *sharedApi.PodTemplate + // Prediction defines how Prediction workload will be deployed Prediction *ArangoMLExtensionSpecDeploymentComponent `json:"prediction,omitempty"` // Training defines how Training workload will be deployed @@ -49,6 +53,14 @@ func (s *ArangoMLExtensionSpecDeployment) GetReplicas() int32 { return *s.Replicas } +func (s *ArangoMLExtensionSpecDeployment) GetPodTemplate() *sharedApi.PodTemplate { + if s == nil || s.PodTemplate == nil { + return nil + } + + return s.PodTemplate +} + func (s *ArangoMLExtensionSpecDeployment) GetPrediction() *ArangoMLExtensionSpecDeploymentComponent { if s == nil { return nil @@ -108,6 +120,7 @@ func (s *ArangoMLExtensionSpecDeployment) Validate() error { errs := []error{ shared.PrefixResourceErrors("service", shared.ValidateOptional(s.GetService(), func(s ArangoMLExtensionSpecDeploymentService) error { return s.Validate() })), + s.GetPodTemplate().Validate(), } if s.GetReplicas() < 0 || s.GetReplicas() > 10 { diff --git a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go index ca37dfd44..611ee48cb 100644 --- a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go @@ -363,6 +363,11 @@ func (in *ArangoMLExtensionSpecDeployment) DeepCopyInto(out *ArangoMLExtensionSp *out = new(ArangoMLExtensionSpecDeploymentService) (*in).DeepCopyInto(*out) } + if in.PodTemplate != nil { + in, out := &in.PodTemplate, &out.PodTemplate + *out = new(sharedv1.PodTemplate) + (*in).DeepCopyInto(*out) + } if in.Prediction != nil { in, out := &in.Prediction, &out.Prediction *out = new(ArangoMLExtensionSpecDeploymentComponent) 
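Review bot: The embedded `*sharedApi.PodTemplate` carries no json tag, unlike the `*sharedApi.ContainerTemplate \`json:",inline"\`` embedding in the component spec and the tagged `Service`/`Prediction` siblings; encoding/json promotes untagged anonymous struct fields so the wire format is the same, but the asymmetry invites doubt and the CRD/docs generators may key off the tag — write `*sharedApi.PodTemplate \`json:",inline"\`` to match. Security-wise, this field is what surfaces `hostNetwork`, `hostPID`, `hostIPC` and `shareProcessNamespace` in the generated schema, and the pods are presumably created by the operator's own service account, so a tenant who is not allowed to create host-namespace pods directly can obtain them through an `ArangoMLExtension` unless Pod Security Admission or an admission policy in the target namespace bounds it. A field comment such as `// PodTemplate defines base template for pods. Host namespace flags are passed through unchanged; restrict who may set them with admission policy.` makes that trade-off explicit.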
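Review bot: In the `Validate` hunk, `s.GetPodTemplate().Validate()` runs on a nil `*sharedApi.PodTemplate` whenever the inline fields are unset, so it depends on that method being nil-safe in the same `if s == nil` style as the getters here; worth a glance at the shared type. The docs added in this series say `HostPID and ShareProcessNamespace cannot both be set` and that `hostNetwork` requires the ports to be specified, yet neither constraint appears in this validator, so unless `PodTemplate.Validate` enforces them a CR combining them is accepted and only fails when the pod is created, with a far less useful error. If the shared validator does not cover it, add a check here that rejects `hostPID` together with `shareProcessNamespace` and requires a component `port` when `hostNetwork` is set, and prefix the result with `shared.PrefixResourceErrors("podTemplate", ...)` so the error path matches the `service` entry above it. `Validate` starts before this hunk and its replica-range check continues after it.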
diff --git a/pkg/crd/crds/ml-extension.schema.generated.yaml b/pkg/crd/crds/ml-extension.schema.generated.yaml index ddc4725fb..61455a16c 100644 --- a/pkg/crd/crds/ml-extension.schema.generated.yaml +++ b/pkg/crd/crds/ml-extension.schema.generated.yaml 
@@ -6,6 +6,382 @@ v1alpha1: deployment: description: Deployment specifies how the ML extension will be deployed into cluster properties: + affinity: + description: Affinity defines scheduling constraints for workload + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object + weight: + format: int32 + type: integer + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object + type: array + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + 
namespaces: + items: + type: string + type: array + topologyKey: + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + 
type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + type: object + type: array + type: object + type: object + hostIPC: + description: HostIPC defines to use the host's ipc namespace. + type: boolean + hostNetwork: + description: |- + HostNetwork requests Host network for this pod. Use the host's network namespace. + If this option is set, the ports that will be used must be specified. + type: boolean + hostPID: + description: HostPID define to use the host's pid namespace. + type: boolean + nodeSelector: + additionalProperties: + type: string + description: NodeSelector is a selector that must be true for the workload to fit on a node. + type: object + podSecurityContext: + description: PodSecurityContext holds pod-level security attributes and common container settings. 
+ properties: + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object prediction: description: Prediction defines how Prediction workload will be deployed properties: @@ -192,6 +568,11 @@ v1alpha1: description: Replicas defines the number of replicas running specified components. No replicas created if no components are defined. format: int32 type: integer + schedulerName: + description: |- + SchedulerName specifies, the pod will be dispatched by specified scheduler. + If not specified, the pod will be dispatched by default scheduler. + type: string service: description: Service defines how components will be exposed properties: 
@@ -204,6 +585,30 @@ v1alpha1: - ExternalName type: string type: object + shareProcessNamespace: + description: |- + ShareProcessNamespace defines to share a single process namespace between all of the containers in a pod. + When this is set containers will be able to view and signal processes from other containers + in the same pod, and the first process in each container will not be assigned PID 1. + HostPID and ShareProcessNamespace cannot both be set. + type: boolean + tolerations: + description: Tolerations defines tolerations + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array training: description: Training defines how Training workload will be deployed properties: diff --git a/pkg/util/k8sutil/security_context.go b/pkg/util/k8sutil/security_context.go index 277c76b95..84dd58ba2 100644 --- a/pkg/util/k8sutil/security_context.go +++ b/pkg/util/k8sutil/security_context.go @@ -24,9 +24,7 @@ import ( core "k8s.io/api/core/v1" api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1" - "github.com/arangodb/kube-arangodb/pkg/apis/shared" "github.com/arangodb/kube-arangodb/pkg/deployment/features" - "github.com/arangodb/kube-arangodb/pkg/util" ) // CreateSecurityContext returns security context. @@ -39,14 +37,3 @@ func CreateSecurityContext(spec *api.ServerGroupSpecSecurityContext) *core.Secur func CreatePodSecurityContext(spec *api.ServerGroupSpecSecurityContext) *core.PodSecurityContext { return spec.NewPodSecurityContext(features.SecuredContainers().Enabled()) } - -func CreateSecurePodSecurityContext() *core.PodSecurityContext { - psc := &core.PodSecurityContext{ - RunAsUser: util.NewType[int64](shared.DefaultRunAsUser), - RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup), - RunAsNonRoot: util.NewType(true), - FSGroup: util.NewType[int64](shared.DefaultFSGroup), - } - - return psc -}