Configure user and group in security context (#1766)

* Fix broken links in documentation (#1768) Signed-off-by: wanderer163 <[email protected]> Signed-off-by: Fredrik Sannholm <[email protected]> * Added security fixes documentation (#1811) * Added security fixes documentation Signed-off-by: Prafulla Mahindrakar <[email protected]> Signed-off-by: Fredrik Sannholm <[email protected]> * configure user and group in security context Signed-off-by: Fredrik Sannholm <[email protected]> * Change group and change policy Signed-off-by: Fredrik Sannholm <[email protected]> * make kustomize Signed-off-by: Fredrik Sannholm <[email protected]> * make helm Signed-off-by: Fredrik Sannholm <[email protected]> * try to fix check-db-ready Signed-off-by: Fredrik Sannholm <[email protected]> * Try to fix kustomize Signed-off-by: Fredrik Sannholm <[email protected]> * Try to fix kustomize again Signed-off-by: Fredrik Sannholm <[email protected]> * Try to fix kustomize again Signed-off-by: Fredrik Sannholm <[email protected]> * Add scratch volume Signed-off-by: Fredrik Sannholm <[email protected]> Co-authored-by: wanderer163 <[email protected]> Co-authored-by: pmahindrakar-oss <[email protected]>
flyteorg · Nov 11, 2021 · 8c79378 · 8c79378
1 parent a56b6d2
commit 8c79378
Show file tree

Hide file tree

Showing 27 changed files with 291 additions and 8 deletions.
diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml
@@ -17,10 +17,16 @@ spec:
         {{- end }}
       labels: {{ include "flyteadmin.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       initContainers:
         {{- if .Values.db.checks }}
         - name: check-db-ready
           image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta
+          securityContext:
+             runAsUser: 0
           command:
           - sh
           - -c
@@ -77,11 +83,13 @@ spec:
           command: ["/bin/sh", "-c"]
           args:
             [
-                "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/secrets/auth",
+                "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
             ]
           volumeMounts:
             - name: config-volume
               mountPath: /etc/flyte/config
+            - name: scratch
+              mountPath: /etc/scratch
           env:
             - name: POD_NAMESPACE
               valueFrom:
@@ -139,6 +147,8 @@ spec:
       volumes: {{- include "databaseSecret.volume" . | nindent 8 }}
         - emptyDir: {}
           name: shared-data
+        - emptyDir: {}
+          name: scratch
         - configMap:
             name: flyte-admin-config
           name: config-volume

diff --git a/charts/flyte-core/templates/console/deployment.yaml b/charts/flyte-core/templates/console/deployment.yaml
@@ -17,6 +17,9 @@ spec:
         {{- end }}
       labels: {{ include "flyteconsole.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
       containers:
       - image: "{{ .Values.flyteconsole.image.repository }}:{{ .Values.flyteconsole.image.tag }}"
         imagePullPolicy: "{{ .Values.flyteconsole.image.pullPolicy }}"

diff --git a/charts/flyte-core/templates/datacatalog/deployment.yaml b/charts/flyte-core/templates/datacatalog/deployment.yaml
@@ -17,10 +17,16 @@ spec:
         {{- end }}
       labels: {{ include "datacatalog.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 1001
+        runAsUser: 1001
+        fsGroupChangePolicy: "OnRootMismatch"
       initContainers:
       {{- if .Values.db.checks }}
       - name: check-db-ready
         image: postgres:10.16-alpine
+        securityContext:
+          runAsUser: 0
         command:
           - sh
           - -c

diff --git a/charts/flyte-core/templates/flytescheduler/deployment.yaml b/charts/flyte-core/templates/flytescheduler/deployment.yaml
@@ -19,6 +19,10 @@ spec:
         {{- end }}
       labels: {{ include "flytescheduler.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       initContainers:
       - command:
         - flytescheduler

diff --git a/charts/flyte-core/templates/propeller/deployment.yaml b/charts/flyte-core/templates/propeller/deployment.yaml
@@ -17,6 +17,10 @@ spec:
         {{- end }}
       labels: {{ include "flytepropeller.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       containers:
       - command:
         - flytepropeller

diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml
@@ -31,6 +31,10 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       serviceAccountName: {{ template "flyte-pod-webhook.name" . }}
 {{- if .Values.webhook.enabled }}
       initContainers:

diff --git a/charts/flyte/templates/console/deployment.yaml b/charts/flyte/templates/console/deployment.yaml
@@ -17,6 +17,9 @@ spec:
         {{- end }}
       labels: {{ include "flyteconsole.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        runAsUser: 1000
+        fsGroupChangePolicy: "Always"
       containers:
       - image: "{{ .Values.flyteconsole.image.repository }}:{{ .Values.flyteconsole.image.tag }}"
         imagePullPolicy: "{{ .Values.flyteconsole.image.pullPolicy }}"

diff --git a/charts/flyte/templates/datacatalog/deployment.yaml b/charts/flyte/templates/datacatalog/deployment.yaml
@@ -17,10 +17,16 @@ spec:
         {{- end }}
       labels: {{ include "datacatalog.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       initContainers:
         {{- if .Values.db.checks }}
         - name: check-db-ready
           image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta
+          securityContext:
+             runAsUser: 0
           command:
             - sh
             - -c

diff --git a/charts/flyte/templates/flytescheduler/deployment.yaml b/charts/flyte/templates/flytescheduler/deployment.yaml
@@ -19,6 +19,10 @@ spec:
         {{- end }}
       labels: {{ include "flytescheduler.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       initContainers:
       - command:
         - flytescheduler

diff --git a/charts/flyte/templates/propeller/deployment.yaml b/charts/flyte/templates/propeller/deployment.yaml
@@ -17,6 +17,10 @@ spec:
         {{- end }}
       labels: {{ include "flytepropeller.labels" . | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       containers:
       - command:
         - flytepropeller

diff --git a/charts/flyte/templates/propeller/webhook.yaml b/charts/flyte/templates/propeller/webhook.yaml
@@ -31,6 +31,10 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       serviceAccountName: {{ template "flyte-pod-webhook.name" . }}
 {{- if .Values.webhook.enabled }}
       initContainers:

diff --git a/deployment/eks/flyte_core_helm_generated.yaml b/deployment/eks/flyte_core_helm_generated.yaml
@@ -772,6 +772,10 @@ spec:
         helm.sh/chart: flyte-core-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       initContainers:
         - command:
           - flyteadmin
@@ -826,11 +830,13 @@ spec:
           command: ["/bin/sh", "-c"]
           args:
             [
-                "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/secrets/auth",
+                "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
             ]
           volumeMounts:
             - name: config-volume
               mountPath: /etc/flyte/config
+            - name: scratch
+              mountPath: /etc/scratch
           env:
             - name: POD_NAMESPACE
               valueFrom:
@@ -873,6 +879,8 @@ spec:
             secretName: db-pass
         - emptyDir: {}
           name: shared-data
+        - emptyDir: {}
+          name: scratch
         - configMap:
             name: flyte-admin-config
           name: config-volume
@@ -917,6 +925,9 @@ spec:
         helm.sh/chart: flyte-core-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        runAsUser: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
       containers:
       - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0"
         imagePullPolicy: "IfNotPresent"
@@ -974,6 +985,10 @@ spec:
         helm.sh/chart: flyte-core-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        fsGroup: 1001
+        runAsUser: 1001
+        fsGroupChangePolicy: "OnRootMismatch"
       initContainers:
       - command:
         - datacatalog
@@ -1060,6 +1075,10 @@ spec:
         helm.sh/chart: flyte-core-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       containers:
       - command:
         - flytepropeller
@@ -1127,6 +1146,10 @@ spec:
       annotations:
         configChecksum: "e7425fcb5931f5a1ccfc272ff07af80519fc001d873e6f3d360f56e1ff940a9"
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       serviceAccountName: flyte-pod-webhook
       initContainers:
       - name: generate-secrets

diff --git a/deployment/eks/flyte_generated.yaml b/deployment/eks/flyte_generated.yaml
@@ -8663,6 +8663,10 @@ spec:
           name: config-volume
         - mountPath: /etc/db
           name: db-pass
+      securityContext:
+        fsGroup: 65534
+        fsGroupChangePolicy: Always
+        runAsUser: 1001
       serviceAccountName: datacatalog
       volumes:
       - emptyDir: {}
@@ -8745,6 +8749,10 @@ spec:
         volumeMounts:
         - mountPath: /etc/flyte/config
           name: config-volume
+      securityContext:
+        fsGroup: 65534
+        fsGroupChangePolicy: Always
+        runAsUser: 1001
       serviceAccountName: flyte-pod-webhook
       volumes:
       - configMap:
@@ -8872,7 +8880,7 @@ spec:
         - mountPath: /etc/db
           name: db-pass
       - args:
-        - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth
+        - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/scratch/secrets
         command:
         - /bin/sh
         - -c
@@ -8887,10 +8895,18 @@ spec:
         volumeMounts:
         - mountPath: /etc/flyte/config
           name: config-volume
+        - mountPath: /etc/scratch
+          name: scratch
+      securityContext:
+        fsGroup: 65534
+        fsGroupChangePolicy: Always
+        runAsUser: 1001
       serviceAccountName: flyteadmin
       volumes:
       - emptyDir: {}
         name: shared-data
+      - emptyDir: {}
+        name: scratch
       - configMap:
           name: flyte-admin-config-29g4dtt8tc
         name: config-volume
@@ -8934,6 +8950,9 @@ spec:
         volumeMounts:
         - mountPath: /srv/flyte
           name: shared-data
+      securityContext:
+        fsGroupChangePolicy: Always
+        runAsUser: 1000
       volumes:
       - emptyDir: {}
         name: shared-data
@@ -8986,6 +9005,10 @@ spec:
           name: config-volume
         - mountPath: /etc/secrets/
           name: auth
+      securityContext:
+        fsGroup: 65534
+        fsGroupChangePolicy: Always
+        runAsUser: 1001
       serviceAccountName: flytepropeller
       volumes:
       - configMap:

diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml
@@ -1471,6 +1471,9 @@ spec:
         helm.sh/chart: flyte-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        runAsUser: 1000
+        fsGroupChangePolicy: "Always"
       containers:
       - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0"
         imagePullPolicy: "IfNotPresent"
@@ -1528,6 +1531,10 @@ spec:
         helm.sh/chart: flyte-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       initContainers:
         - command:
             - datacatalog
@@ -1614,6 +1621,10 @@ spec:
         helm.sh/chart: flyte-v0.1.10
         app.kubernetes.io/managed-by: Helm
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       containers:
       - command:
         - flytepropeller
@@ -1681,6 +1692,10 @@ spec:
       annotations:
         configChecksum: "f0f56517059d2ab9e6397a7c55ccb4bfbfaa54bf5662902582c768494539b44"
     spec:
+      securityContext:
+        fsGroup: 65534
+        runAsUser: 1001
+        fsGroupChangePolicy: "Always"
       serviceAccountName: flyte-pod-webhook
       initContainers:
       - name: generate-secrets