From 0f363dab4f7cef79d6f29e774f26e10c6d53c37d Mon Sep 17 00:00:00 2001 From: Flamarion Jorge Date: Mon, 21 Oct 2024 17:52:43 +0200 Subject: [PATCH] Add support privileged sec context config --- charts/operator-wandb/charts/app/values.yaml | 1 + .../operator-wandb/charts/console/values.yaml | 1 + .../charts/flat-run-fields-updater/values.yaml | 1 + .../charts/otel/charts/agent/values.yaml | 1 + .../stackdriver/templates/deployment.yaml | 7 ++++--- .../charts/stackdriver/values.yaml | 18 +++++++++++++++++- .../charts/weave-trace/values.yaml | 1 + charts/operator-wandb/charts/weave/values.yaml | 1 + charts/operator-wandb/charts/yace/values.yaml | 1 + charts/operator-wandb/templates/_pods.tpl | 3 +++ 10 files changed, 31 insertions(+), 4 deletions(-) diff --git a/charts/operator-wandb/charts/app/values.yaml b/charts/operator-wandb/charts/app/values.yaml index b8c59d80..68672141 100644 --- a/charts/operator-wandb/charts/app/values.yaml +++ b/charts/operator-wandb/charts/app/values.yaml @@ -47,6 +47,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false common: labels: {} diff --git a/charts/operator-wandb/charts/console/values.yaml b/charts/operator-wandb/charts/console/values.yaml index 52215b89..e7250e5a 100644 --- a/charts/operator-wandb/charts/console/values.yaml +++ b/charts/operator-wandb/charts/console/values.yaml @@ -47,6 +47,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false service: type: ClusterIP diff --git a/charts/operator-wandb/charts/flat-run-fields-updater/values.yaml b/charts/operator-wandb/charts/flat-run-fields-updater/values.yaml index d534f7c2..f51764e8 100644 --- a/charts/operator-wandb/charts/flat-run-fields-updater/values.yaml +++ b/charts/operator-wandb/charts/flat-run-fields-updater/values.yaml @@ -43,6 +43,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false common: labels: {} 
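Review bot: The new `privileged: false` default in the app hunk (and in the console and flat-run-fields-updater hunks on this line) carries no comment, and nothing tells an operator that flipping it to `true` voids the hardening on the neighbouring keys — a privileged container receives every capability regardless of `drop: []`, can reach host devices, and runs outside the seccomp/AppArmor confinement, so `allowPrivilegeEscalation: false` and any capability drop stop meaning anything. I would add above the key: `# privileged: true grants all capabilities and host device access and overrides the capability/allowPrivilegeEscalation settings above; leave false unless the workload genuinely needs it.` The Kubernetes API also rejects `privileged: true` combined with `allowPrivilegeEscalation: false`, so the comment should say the two keys must be changed together.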
diff --git a/charts/operator-wandb/charts/otel/charts/agent/values.yaml b/charts/operator-wandb/charts/otel/charts/agent/values.yaml index 6a6745e0..573c9cd9 100644 --- a/charts/operator-wandb/charts/otel/charts/agent/values.yaml +++ b/charts/operator-wandb/charts/otel/charts/agent/values.yaml @@ -49,6 +49,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false clusterRole: annotations: {} diff --git a/charts/operator-wandb/charts/stackdriver/templates/deployment.yaml b/charts/operator-wandb/charts/stackdriver/templates/deployment.yaml index 6e5ee2a4..8ca17dc9 100644 --- a/charts/operator-wandb/charts/stackdriver/templates/deployment.yaml +++ b/charts/operator-wandb/charts/stackdriver/templates/deployment.yaml @@ -32,10 +32,14 @@ spec: {{- if .Values.pod.annotations -}} {{- toYaml .Values.pod.annotations | nindent 8 }} {{- end }} + {{- include "wandb.nodeSelector" . | nindent 6 }} + {{- include "wandb.priorityClassName" . | nindent 6 }} + {{- include "wandb.podSecurityContext" .Values.pod.securityContext | nindent 6 }} spec: containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- include "wandb.containerSecurityContext" .Values.container.securityContext | nindent 10 }} command: ["stackdriver_exporter"] volumeMounts: {{- if or .Values.stackdriver.serviceAccountSecret .Values.stackdriver.serviceAccountKey }} @@ -102,9 +106,6 @@ spec: tolerations: {{- toYaml .tolerations | nindent 8 }} {{- end }} - {{- include "wandb.nodeSelector" . | nindent 6 }} - {{- include "wandb.priorityClassName" . | nindent 6 }} - {{- include "wandb.podSecurityContext" .Values.pod.securityContext | nindent 6 }} volumes: {{- if .Values.stackdriver.serviceAccountSecret }} - name: stackdriver-service-account diff --git a/charts/operator-wandb/charts/stackdriver/values.yaml b/charts/operator-wandb/charts/stackdriver/values.yaml index 4a248f93..d4c46ff1 100644 
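Review bot: In the first stackdriver deployment hunk the relocated `wandb.nodeSelector`, `wandb.priorityClassName` and `wandb.podSecurityContext` includes are rendered at `nindent 6` directly after the pod-template `metadata.annotations` block and before `spec:`; since the annotation entries sit at indent 8, `metadata:` is at indent 4, and a column-6 key emitted there lands under `template.metadata`, not `template.spec`. If the helpers emit a mapping key at the nindent column, as the container helper at `nindent 10` suggests, the pod-level `securityContext` — and with it the new `runAsNonRoot`/`fsGroup` defaults — becomes an unknown field that the API server drops or rejects, so the stackdriver pod loses its pod security context instead of gaining one. The previous position after the `tolerations` block, inside the pod `spec`, was correct; I would move the three includes back there and keep only the new `wandb.containerSecurityContext` include at `nindent 10` under the container. Rendering the chart with `helm template` and checking where `securityContext` ends up would confirm this.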
--- a/charts/operator-wandb/charts/stackdriver/values.yaml +++ b/charts/operator-wandb/charts/stackdriver/values.yaml @@ -79,10 +79,26 @@ service: annotations: {} pod: + labels: {} + annotations: {} securityContext: + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 0 fsGroup: 0 fsGroupChangePolicy: "OnRootMismatch" - labels: {} + seccompProfile: + type: "" + +container: + securityContext: + capabilities: + add: [] + drop: [] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + privileged: false + deployment: {} diff --git a/charts/operator-wandb/charts/weave-trace/values.yaml b/charts/operator-wandb/charts/weave-trace/values.yaml index b5f74edf..99ff1954 100644 --- a/charts/operator-wandb/charts/weave-trace/values.yaml +++ b/charts/operator-wandb/charts/weave-trace/values.yaml @@ -44,6 +44,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false resources: requests: diff --git a/charts/operator-wandb/charts/weave/values.yaml b/charts/operator-wandb/charts/weave/values.yaml index 6a78250e..ed51e533 100644 --- a/charts/operator-wandb/charts/weave/values.yaml +++ b/charts/operator-wandb/charts/weave/values.yaml @@ -53,6 +53,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false resources: # We usually recommend not to specify default resources and to leave this as a diff --git a/charts/operator-wandb/charts/yace/values.yaml b/charts/operator-wandb/charts/yace/values.yaml index 8ada68ea..f229e7b5 100644 --- a/charts/operator-wandb/charts/yace/values.yaml +++ b/charts/operator-wandb/charts/yace/values.yaml @@ -111,6 +111,7 @@ container: drop: [] allowPrivilegeEscalation: false readOnlyRootFilesystem: false + privileged: false deployment: {} diff --git a/charts/operator-wandb/templates/_pods.tpl b/charts/operator-wandb/templates/_pods.tpl index f0f06f16..692560ec 100644 --- a/charts/operator-wandb/templates/_pods.tpl 
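Review bot: The new stackdriver pod `securityContext` sets `seccompProfile.type: ""`, and an empty string is not a valid `SeccompProfileType` (only `RuntimeDefault`, `Localhost` and `Unconfined` are accepted), so if the `wandb.podSecurityContext` helper renders the key as given the API server rejects the pod; the helper is outside this hunk, so whether it skips empty values needs confirming. For a pod that already asserts `runAsNonRoot: true`, `type: RuntimeDefault` is the safe default and is what the Pod Security "restricted" profile requires; I would change the line to `type: RuntimeDefault` or add a comment explaining why it is deliberately blank. `runAsGroup: 0` together with `fsGroup: 0` also keeps the process in the root group even though the UID is non-root, which deserves a one-line comment such as `# GID 0 so the mounted service-account key stays readable; UID remains non-root` if that is the reason, and a non-zero group otherwise.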
+++ b/charts/operator-wandb/templates/_pods.tpl @@ -72,6 +72,9 @@ securityContext: {{- if hasKey $csc "runAsGroup" }} runAsGroup: {{ $csc.runAsGroup }} {{- end }} + {{- if hasKey $csc "privileged" }} + privileged: {{ $csc.privileged }} + {{- end }} {{- end }} {{- end -}}
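Review bot: The new branch emits `privileged` straight from the values, but the Kubernetes API rejects a container that sets `privileged: true` together with `allowPrivilegeEscalation: false` — exactly what the shipped defaults produce once only `privileged` is flipped — so a user who enables it gets an opaque install-time validation error instead of a clear message. Since both keys are driven from the same `$csc` map, I would fail early in the template, before the `privileged:` line: `{{- if and $csc.privileged (not $csc.allowPrivilegeEscalation) }}` / `{{- fail "container.securityContext.privileged=true requires allowPrivilegeEscalation=true" }}` / `{{- end }}`. A privileged container also receives every capability and host device access, so a short comment noting that it overrides the capability handling rendered above would help reviewers. The `wandb.containerSecurityContext` definition begins outside the hunk, and whether `$csc` always carries `allowPrivilegeEscalation` should be checked against it.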