diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml index ef3d093652..93d87f3f8e 100755 --- a/charts/flyte-core/templates/admin/deployment.yaml +++ b/charts/flyte-core/templates/admin/deployment.yaml @@ -17,10 +17,16 @@ spec: {{- end }} labels: {{ include "flyteadmin.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: {{- if .Values.db.checks }} - name: check-db-ready image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta + securityContext: + runAsUser: 0 command: - sh - -c @@ -77,11 +83,13 @@ spec: command: ["/bin/sh", "-c"] args: [ - "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/secrets/auth", + "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] volumeMounts: - name: config-volume mountPath: /etc/flyte/config + - name: scratch + mountPath: /etc/scratch env: - name: POD_NAMESPACE valueFrom: @@ -139,6 +147,8 @@ spec: volumes: {{- include "databaseSecret.volume" . | nindent 8 }} - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config name: config-volume diff --git a/charts/flyte-core/templates/console/deployment.yaml b/charts/flyte-core/templates/console/deployment.yaml index 298fb2661e..ef69fadf40 100644 --- a/charts/flyte-core/templates/console/deployment.yaml +++ b/charts/flyte-core/templates/console/deployment.yaml 
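Review bot: The `securityContext: runAsUser: 0` added to the `check-db-ready` init container puts a root process back into a pod that this hunk otherwise moves to uid 1001, and a `pg_isready` wait loop does not need root. The kustomize overlays in this same change run the identical command as `runAsUser: 999`, so the Helm template should use the image's postgres uid as well (999 in the official postgres image; confirm for the `ecr.flyte.org/ubuntu/postgres` build), e.g. `runAsUser: 999`. Since `runAsUser` is now set pod-wide, add `runAsNonRoot: true` beside it so the kubelet refuses any container in the pod that still resolves to uid 0.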
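Review bot: The rewritten `args` line generates auth secrets into `/etc/scratch/secrets` and then uploads them with `secrets create`, but leaves the plaintext copy in the `scratch` emptyDir for the life of the pod. Unless something later in the pod reads that copy — only this init container mounts `scratch` in the hunk — remove it once the upload succeeds: `... --fromPath /etc/scratch/secrets && rm -rf /etc/scratch/secrets`. The init container's definition starts before this hunk, so its other mounts are not visible here.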
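Review bot: The new `scratch` volume is a disk-backed `emptyDir: {}`, yet per the init-container args in this same file it holds freshly generated auth secret material before that material is written to the `flyte-admin-secrets` Secret. Back it with tmpfs so the plaintext never reaches the node's disk: `- emptyDir: {medium: Memory}` followed by `name: scratch`. The same applies to the `scratch` volume added to the kustomize base and to the generated manifests in this change.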
@@ -17,6 +17,9 @@ spec: {{- end }} labels: {{ include "flyteconsole.labels" . | nindent 8 }} spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "OnRootMismatch" containers: - image: "{{ .Values.flyteconsole.image.repository }}:{{ .Values.flyteconsole.image.tag }}" imagePullPolicy: "{{ .Values.flyteconsole.image.pullPolicy }}" diff --git a/charts/flyte-core/templates/datacatalog/deployment.yaml b/charts/flyte-core/templates/datacatalog/deployment.yaml index 728de64494..3abefb9317 100644 --- a/charts/flyte-core/templates/datacatalog/deployment.yaml +++ b/charts/flyte-core/templates/datacatalog/deployment.yaml @@ -17,10 +17,16 @@ spec: {{- end }} labels: {{ include "datacatalog.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 1001 + runAsUser: 1001 + fsGroupChangePolicy: "OnRootMismatch" initContainers: {{- if .Values.db.checks }} - name: check-db-ready image: postgres:10.16-alpine + securityContext: + runAsUser: 0 command: - sh - -c diff --git a/charts/flyte-core/templates/flytescheduler/deployment.yaml b/charts/flyte-core/templates/flytescheduler/deployment.yaml index a0199b4393..054d235fbb 100755 --- a/charts/flyte-core/templates/flytescheduler/deployment.yaml +++ b/charts/flyte-core/templates/flytescheduler/deployment.yaml @@ -19,6 +19,10 @@ spec: {{- end }} labels: {{ include "flytescheduler.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - flytescheduler diff --git a/charts/flyte-core/templates/propeller/deployment.yaml b/charts/flyte-core/templates/propeller/deployment.yaml index 7b5ae7e63a..5e54ad908a 100644 --- a/charts/flyte-core/templates/propeller/deployment.yaml +++ b/charts/flyte-core/templates/propeller/deployment.yaml 
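Review bot: The console pod's new `securityContext` sets `fsGroupChangePolicy: "OnRootMismatch"` without an `fsGroup`, so the policy has nothing to act on and is a no-op; either add the `fsGroup` the other deployments in this change use or drop the line. The `charts/flyte` copy of this template sets the same key to `"Always"`, so the two charts disagree on a setting that does nothing in either. `runAsUser: 1000` is also not enforced as non-root: add `runAsNonRoot: true` so an image or override that resolves to uid 0 is rejected by the kubelet instead of silently run.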
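Review bot: This datacatalog pod gets `fsGroup: 1001` with `OnRootMismatch`, while the same component in `charts/flyte` and the kustomize base gets `fsGroup: 65534` with `"Always"`, and the admin, scheduler and propeller pods in this chart all use 65534 too. Pick one: `fsGroup: 65534` keeps volume group ownership uniform across the charts, or keep 1001 if the intent is that the process's own identity owns its volumes — but then also set `runAsGroup: 1001`, since `runAsUser` alone leaves the primary gid to whatever the image declares. The `check-db-ready` init container here is also given `runAsUser: 0`; the kustomize overlays in this change use 999 for the same command, which is the safer choice.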
@@ -17,6 +17,10 @@ spec: {{- end }} labels: {{ include "flytepropeller.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml index b0e018b527..44aa588ee5 100644 --- a/charts/flyte-core/templates/propeller/webhook.yaml +++ b/charts/flyte-core/templates/propeller/webhook.yaml @@ -31,6 +31,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: {{ template "flyte-pod-webhook.name" . }} {{- if .Values.webhook.enabled }} initContainers: diff --git a/charts/flyte/templates/console/deployment.yaml b/charts/flyte/templates/console/deployment.yaml index 298fb2661e..8fdf61fa61 100644 --- a/charts/flyte/templates/console/deployment.yaml +++ b/charts/flyte/templates/console/deployment.yaml @@ -17,6 +17,9 @@ spec: {{- end }} labels: {{ include "flyteconsole.labels" . | nindent 8 }} spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "Always" containers: - image: "{{ .Values.flyteconsole.image.repository }}:{{ .Values.flyteconsole.image.tag }}" imagePullPolicy: "{{ .Values.flyteconsole.image.pullPolicy }}" diff --git a/charts/flyte/templates/datacatalog/deployment.yaml b/charts/flyte/templates/datacatalog/deployment.yaml index 1d1b09007e..3bbc140cf7 100644 --- a/charts/flyte/templates/datacatalog/deployment.yaml +++ b/charts/flyte/templates/datacatalog/deployment.yaml @@ -17,10 +17,16 @@ spec: {{- end }} labels: {{ include "datacatalog.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: {{- if .Values.db.checks }} - name: check-db-ready image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta + securityContext: + runAsUser: 0 command: - sh - -c 
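Review bot: The propeller pod sets `runAsUser: 1001` but neither `runAsGroup` nor `runAsNonRoot`, so the process's primary gid is whatever the image supplies (gid 0 if the image has no passwd entry for 1001) and nothing checks at runtime that the uid is non-root. Add `runAsGroup: 1001` and `runAsNonRoot: true` next to `runAsUser`; the supplementary `fsGroup: 65534` still grants volume access. Consider `seccompProfile: {type: RuntimeDefault}` in the same block, since nothing in these pod specs sets a seccomp profile and the cluster default may be unconfined.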
diff --git a/charts/flyte/templates/flytescheduler/deployment.yaml b/charts/flyte/templates/flytescheduler/deployment.yaml index 260401f33c..0760aac21d 100755 --- a/charts/flyte/templates/flytescheduler/deployment.yaml +++ b/charts/flyte/templates/flytescheduler/deployment.yaml @@ -19,6 +19,10 @@ spec: {{- end }} labels: {{ include "flytescheduler.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - flytescheduler diff --git a/charts/flyte/templates/propeller/deployment.yaml b/charts/flyte/templates/propeller/deployment.yaml index 7b5ae7e63a..5e54ad908a 100644 --- a/charts/flyte/templates/propeller/deployment.yaml +++ b/charts/flyte/templates/propeller/deployment.yaml @@ -17,6 +17,10 @@ spec: {{- end }} labels: {{ include "flytepropeller.labels" . | nindent 8 }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller diff --git a/charts/flyte/templates/propeller/webhook.yaml b/charts/flyte/templates/propeller/webhook.yaml index b0e018b527..44aa588ee5 100644 --- a/charts/flyte/templates/propeller/webhook.yaml +++ b/charts/flyte/templates/propeller/webhook.yaml @@ -31,6 +31,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: {{ template "flyte-pod-webhook.name" . }} {{- if .Values.webhook.enabled }} initContainers: diff --git a/deployment/eks/flyte_core_helm_generated.yaml b/deployment/eks/flyte_core_helm_generated.yaml index 13a84d8dcc..d08c9f5805 100644 --- a/deployment/eks/flyte_core_helm_generated.yaml +++ b/deployment/eks/flyte_core_helm_generated.yaml @@ -772,6 +772,10 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - flyteadmin 
@@ -826,11 +830,13 @@ spec: command: ["/bin/sh", "-c"] args: [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/secrets/auth", + "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] volumeMounts: - name: config-volume mountPath: /etc/flyte/config + - name: scratch + mountPath: /etc/scratch env: - name: POD_NAMESPACE valueFrom: @@ -873,6 +879,8 @@ spec: secretName: db-pass - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config name: config-volume @@ -917,6 +925,9 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "OnRootMismatch" containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0" imagePullPolicy: "IfNotPresent" @@ -974,6 +985,10 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 1001 + runAsUser: 1001 + fsGroupChangePolicy: "OnRootMismatch" initContainers: - command: - datacatalog @@ -1060,6 +1075,10 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller @@ -1127,6 +1146,10 @@ spec: annotations: configChecksum: "e7425fcb5931f5a1ccfc272ff07af80519fc001d873e6f3d360f56e1ff940a9" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets diff --git a/deployment/eks/flyte_generated.yaml b/deployment/eks/flyte_generated.yaml index 279cd475ad..dcad2c8df6 100644 
--- a/deployment/eks/flyte_generated.yaml +++ b/deployment/eks/flyte_generated.yaml @@ -8663,6 +8663,10 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: datacatalog volumes: - emptyDir: {} @@ -8745,6 +8749,10 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyte-pod-webhook volumes: - configMap: @@ -8872,7 +8880,7 @@ spec: - mountPath: /etc/db name: db-pass - args: - - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth + - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/scratch/secrets command: - /bin/sh - -c @@ -8887,10 +8895,18 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + - mountPath: /etc/scratch + name: scratch + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyteadmin volumes: - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config-29g4dtt8tc name: config-volume @@ -8934,6 +8950,9 @@ spec: volumeMounts: - mountPath: /srv/flyte name: shared-data + securityContext: + fsGroupChangePolicy: Always + runAsUser: 1000 volumes: - emptyDir: {} name: shared-data @@ -8986,6 +9005,10 @@ spec: name: config-volume - mountPath: /etc/secrets/ name: auth + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flytepropeller volumes: - configMap: diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index f53a52c025..1524ce2db7 100644 
--- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -1471,6 +1471,9 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "Always" containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0" imagePullPolicy: "IfNotPresent" @@ -1528,6 +1531,10 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - datacatalog @@ -1614,6 +1621,10 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller @@ -1681,6 +1692,10 @@ spec: annotations: configChecksum: "f0f56517059d2ab9e6397a7c55ccb4bfbfaa54bf5662902582c768494539b44" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets diff --git a/deployment/gcp/flyte_core_helm_generated.yaml b/deployment/gcp/flyte_core_helm_generated.yaml index e7709a9ce6..e842167e27 100644 --- a/deployment/gcp/flyte_core_helm_generated.yaml +++ b/deployment/gcp/flyte_core_helm_generated.yaml @@ -764,9 +764,15 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - name: check-db-ready image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta + securityContext: + runAsUser: 0 command: - sh - -c 
@@ -821,11 +827,13 @@ spec: command: ["/bin/sh", "-c"] args: [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/secrets/auth", + "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] volumeMounts: - name: config-volume mountPath: /etc/flyte/config + - name: scratch + mountPath: /etc/scratch env: - name: POD_NAMESPACE valueFrom: @@ -865,6 +873,8 @@ spec: - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config name: config-volume @@ -902,6 +912,9 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "OnRootMismatch" containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0" imagePullPolicy: "IfNotPresent" @@ -952,9 +965,15 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 1001 + runAsUser: 1001 + fsGroupChangePolicy: "OnRootMismatch" initContainers: - name: check-db-ready image: postgres:10.16-alpine + securityContext: + runAsUser: 0 command: - sh - -c @@ -1033,6 +1052,10 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - flytescheduler @@ -1104,6 +1127,10 @@ spec: helm.sh/chart: flyte-core-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller 
@@ -1164,6 +1191,10 @@ spec: annotations: configChecksum: "06fa4b4fb82a374700c8dcc5c2911b763e25eeef535488cb6166e201c0d8a1a" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets diff --git a/deployment/gcp/flyte_generated.yaml b/deployment/gcp/flyte_generated.yaml index 418d4b2ef5..0fea1ebe73 100644 --- a/deployment/gcp/flyte_generated.yaml +++ b/deployment/gcp/flyte_generated.yaml @@ -8705,6 +8705,10 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: datacatalog volumes: - emptyDir: {} @@ -8787,6 +8791,10 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyte-pod-webhook volumes: - configMap: @@ -8914,7 +8922,7 @@ spec: - mountPath: /etc/db name: db-pass - args: - - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth + - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/scratch/secrets command: - /bin/sh - -c @@ -8929,10 +8937,18 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + - mountPath: /etc/scratch + name: scratch + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyteadmin volumes: - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config-7g6ctk6762 name: config-volume 
@@ -8976,6 +8992,9 @@ spec: volumeMounts: - mountPath: /srv/flyte name: shared-data + securityContext: + fsGroupChangePolicy: Always + runAsUser: 1000 volumes: - emptyDir: {} name: shared-data @@ -9028,6 +9047,10 @@ spec: name: config-volume - mountPath: /etc/secrets/ name: auth + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flytepropeller volumes: - configMap: diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index 404e61e850..7c03e7decf 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -1055,6 +1055,9 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "Always" containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0" imagePullPolicy: "IfNotPresent" @@ -1112,9 +1115,15 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - name: check-db-ready image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta + securityContext: + runAsUser: 0 command: - sh - -c @@ -1204,6 +1213,10 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - flytescheduler @@ -1286,6 +1299,10 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller @@ -1353,6 +1370,10 @@ spec: annotations: configChecksum: "e6061ecfb96415f4871fd08abec51204dec69e23cb6d8f5d89583676657de08" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets 
diff --git a/deployment/sandbox/flyte_generated.yaml b/deployment/sandbox/flyte_generated.yaml index 72bbf8e6fd..680a630866 100644 --- a/deployment/sandbox/flyte_generated.yaml +++ b/deployment/sandbox/flyte_generated.yaml @@ -2803,6 +2803,10 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: datacatalog volumes: - emptyDir: {} @@ -2888,6 +2892,10 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyte-pod-webhook volumes: - name: sample-secrets @@ -2990,6 +2998,8 @@ spec: - until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done; image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta name: check-db-ready + securityContext: + runAsUser: 999 - command: - flyteadmin - --config @@ -3037,7 +3047,7 @@ spec: - mountPath: /etc/db name: db-pass - args: - - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth + - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/scratch/secrets command: - /bin/sh - -c @@ -3052,6 +3062,12 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + - mountPath: /etc/scratch + name: scratch + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyteadmin volumes: - configMap: @@ -3059,6 +3075,8 @@ spec: name: resource-templates - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config-dbg8dt2dgb name: config-volume 
@@ -3099,6 +3117,9 @@ spec: volumeMounts: - mountPath: /srv/flyte name: shared-data + securityContext: + fsGroupChangePolicy: Always + runAsUser: 1000 volumes: - emptyDir: {} name: shared-data @@ -3146,6 +3167,10 @@ spec: name: config-volume - mountPath: /etc/secrets/ name: auth + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flytepropeller volumes: - configMap: diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index f4d6e4fded..5ae95e0bc2 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml @@ -3400,6 +3400,9 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "Always" containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v0.29.0" imagePullPolicy: "IfNotPresent" @@ -3450,9 +3453,15 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - name: check-db-ready image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta + securityContext: + runAsUser: 0 command: - sh - -c @@ -3531,6 +3540,10 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" initContainers: - command: - flytescheduler @@ -3715,6 +3728,10 @@ spec: helm.sh/chart: flyte-v0.1.10 app.kubernetes.io/managed-by: Helm spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" containers: - command: - flytepropeller 
@@ -3775,6 +3792,10 @@ spec: annotations: configChecksum: "75bc68f92c6e42261dbda75899da728751f494060a31ad9088def7aa8c96e53" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets diff --git a/deployment/test/flyte_generated.yaml b/deployment/test/flyte_generated.yaml index 679ae0e339..7c46efc116 100644 --- a/deployment/test/flyte_generated.yaml +++ b/deployment/test/flyte_generated.yaml @@ -663,6 +663,10 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: datacatalog volumes: - emptyDir: {} @@ -745,6 +749,10 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyte-pod-webhook volumes: - configMap: @@ -830,6 +838,8 @@ spec: - until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done; image: ecr.flyte.org/ubuntu/postgres:13-21.04_beta name: check-db-ready + securityContext: + runAsUser: 999 - command: - flyteadmin - --config @@ -877,7 +887,7 @@ spec: - mountPath: /etc/db name: db-pass - args: - - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth + - flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/scratch/secrets command: - /bin/sh - -c @@ -892,6 +902,12 @@ spec: volumeMounts: - mountPath: /etc/flyte/config name: config-volume + - mountPath: /etc/scratch + name: scratch + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flyteadmin volumes: - configMap: 
@@ -899,6 +915,8 @@ spec: name: resource-templates - emptyDir: {} name: shared-data + - emptyDir: {} + name: scratch - configMap: name: flyte-admin-config-hc64g2ct6h name: config-volume @@ -952,6 +970,10 @@ spec: name: config-volume - mountPath: /etc/secrets/ name: auth + securityContext: + fsGroup: 65534 + fsGroupChangePolicy: Always + runAsUser: 1001 serviceAccountName: flytepropeller volumes: - configMap: diff --git a/kustomize/base/admindeployment/deployment.yaml b/kustomize/base/admindeployment/deployment.yaml index d7cb1d0436..561e449034 100644 --- a/kustomize/base/admindeployment/deployment.yaml +++ b/kustomize/base/admindeployment/deployment.yaml @@ -22,10 +22,16 @@ spec: prometheus.io/port: "10254" prometheus.io/path: "/metrics" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyteadmin volumes: - name: shared-data emptyDir: {} + - emptyDir: {} + name: scratch - name: config-volume configMap: name: flyte-admin-config @@ -99,11 +105,13 @@ spec: command: ["/bin/sh", "-c"] args: [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth", + "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/scratch/secrets", ] volumeMounts: - name: config-volume mountPath: /etc/flyte/config + - name: scratch + mountPath: /etc/scratch env: - name: POD_NAMESPACE valueFrom: diff --git a/kustomize/base/console/deployment.yaml b/kustomize/base/console/deployment.yaml index 7d0ec0a58b..0e9e440534 100644 --- a/kustomize/base/console/deployment.yaml +++ b/kustomize/base/console/deployment.yaml 
@@ -18,6 +18,9 @@ spec: app.kubernetes.io/name: flyteconsole app.kubernetes.io/version: 0.19.0 spec: + securityContext: + runAsUser: 1000 + fsGroupChangePolicy: "Always" volumes: - name: shared-data emptyDir: {} diff --git a/kustomize/base/datacatalog/deployment.yaml b/kustomize/base/datacatalog/deployment.yaml index ebed3d6708..22b2e37235 100644 --- a/kustomize/base/datacatalog/deployment.yaml +++ b/kustomize/base/datacatalog/deployment.yaml @@ -21,6 +21,10 @@ spec: prometheus.io/port: "10254" prometheus.io/path: "/metrics" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: datacatalog volumes: - name: shared-data diff --git a/kustomize/base/pod_webhook/deployment.yaml b/kustomize/base/pod_webhook/deployment.yaml index d1fc855349..4209031b9b 100644 --- a/kustomize/base/pod_webhook/deployment.yaml +++ b/kustomize/base/pod_webhook/deployment.yaml @@ -20,6 +20,10 @@ spec: prometheus.io/port: "10254" prometheus.io/path: "/metrics" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets diff --git a/kustomize/base/propeller/deployment.yaml b/kustomize/base/propeller/deployment.yaml index c216295b60..cfccf8fb03 100644 --- a/kustomize/base/propeller/deployment.yaml +++ b/kustomize/base/propeller/deployment.yaml @@ -21,6 +21,10 @@ spec: prometheus.io/port: "10254" prometheus.io/path: "/metrics" spec: + securityContext: + fsGroup: 65534 + runAsUser: 1001 + fsGroupChangePolicy: "Always" serviceAccountName: flytepropeller volumes: - name: config-volume diff --git a/kustomize/overlays/sandbox/flyte/admin/deployment.yaml b/kustomize/overlays/sandbox/flyte/admin/deployment.yaml index 4c8b518542..857439a6dc 100644 --- a/kustomize/overlays/sandbox/flyte/admin/deployment.yaml +++ b/kustomize/overlays/sandbox/flyte/admin/deployment.yaml 
@@ -19,6 +19,8 @@ spec: "until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done;", ] + securityContext: + runAsUser: 999 - name: run-migrations image: flyteadmin:v0.4.13 imagePullPolicy: IfNotPresent diff --git a/kustomize/overlays/test/flyte/admin/deployment.yaml b/kustomize/overlays/test/flyte/admin/deployment.yaml index 70db6afa6c..d0a5abfacf 100644 --- a/kustomize/overlays/test/flyte/admin/deployment.yaml +++ b/kustomize/overlays/test/flyte/admin/deployment.yaml @@ -16,6 +16,8 @@ spec: command: ['sh', '-c', 'until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done;'] + securityContext: + runAsUser: 999 - name: run-migrations image: flyteadmin:v0.4.13 imagePullPolicy: IfNotPresent
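Review bot: The `check-db-ready` container gets `runAsUser: 999` in these kustomize overlays but `runAsUser: 0` in the Helm templates for the same `pg_isready` loop, so the two deployment paths ship different privilege levels for an identical init step. Use the non-root uid everywhere (999 is the postgres user in the official image; confirm it for the `ecr.flyte.org/ubuntu/postgres` image the charts pull). Adding `runAsNonRoot: true` to this container's `securityContext` would make the intent explicit and fail fast if the uid were ever reset to 0.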