change security context to container level to allow working well with…

… istio
SeldonIO · Jul 9, 2018 · 318a66a · 318a66a
1 parent 95367b0
commit 318a66a
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 34 deletions.
diff --git a/cluster-manager/src/main/java/io/seldon/clustermanager/k8s/SeldonDeploymentOperatorImpl.java b/cluster-manager/src/main/java/io/seldon/clustermanager/k8s/SeldonDeploymentOperatorImpl.java
@@ -45,9 +45,9 @@
 import io.kubernetes.client.proto.V1.HTTPGetAction;
 import io.kubernetes.client.proto.V1.Handler;
 import io.kubernetes.client.proto.V1.Lifecycle;
-import io.kubernetes.client.proto.V1.PodSecurityContext;
 import io.kubernetes.client.proto.V1.PodTemplateSpec;
 import io.kubernetes.client.proto.V1.Probe;
+import io.kubernetes.client.proto.V1.SecurityContext;
 import io.kubernetes.client.proto.V1.Service;
 import io.kubernetes.client.proto.V1.ServicePort;
 import io.kubernetes.client.proto.V1.ServiceSpec;
@@ -110,6 +110,7 @@ private V1.Container createEngineContainer(SeldonDeployment dep,PredictorSpec pr
 			.addPorts(V1.ContainerPort.newBuilder().setContainerPort(clusterManagerProperites.getEngineContainerPort()))
 			.addPorts(V1.ContainerPort.newBuilder().setContainerPort(8082).setName("admin"))
 			.addPorts(V1.ContainerPort.newBuilder().setContainerPort(9090).setName("jmx"))
+			.setSecurityContext(SecurityContext.newBuilder().setRunAsUser(8888).build())
 			.setReadinessProbe(Probe.newBuilder().setHandler(Handler.newBuilder()
 					.setHttpGet(HTTPGetAction.newBuilder().setPort(IntOrString.newBuilder().setType(1).setStrVal("admin")).setPath("/ready")))
 					.setInitialDelaySeconds(10)
@@ -532,7 +533,6 @@ public DeploymentResources createResources(SeldonDeployment mlDep) throws Seldon
 				PodTemplateSpec.Builder podSpecBuilder = PodTemplateSpec.newBuilder();
 				podSpecBuilder.getSpecBuilder()
 		    	.addContainers(createEngineContainer(mlDep,p))
-		    	.setSecurityContext(PodSecurityContext.newBuilder().setRunAsUser(8888).build())
 		    	.setTerminationGracePeriodSeconds(20);
 
 				String depName = getSeldonServiceName(mlDep,p,"svc-orch");

diff --git a/examples/istio/canary_update/canary.ipynb b/examples/istio/canary_update/canary.ipynb
@@ -65,7 +65,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "%env ZONE=europe-west1-d"
+    "%env ZONE=europe-west1-c"
    ]
   },
   {
@@ -74,7 +74,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "%env PROJECT=my-project"
+    "%env PROJECT=seldon-deploy"
    ]
   },
   {
@@ -90,7 +90,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "gcloud container clusters describe cluster-istio-1 --zone ${ZONE} --project ${PROJECT} | grep -e clusterIpv4Cidr -e servicesIpv4Cidr"
+    "!gcloud container clusters describe cluster-istio-1 --zone ${ZONE} --project ${PROJECT} | grep -e clusterIpv4Cidr -e servicesIpv4Cidr"
    ]
   },
   {
@@ -145,7 +145,7 @@
    "outputs": [],
    "source": [
     "!helm install ${ISTIO_HOME}/install/kubernetes/helm/istio --name istio --namespace istio-system \\\n",
-    "    --set global.proxy.includeIPRanges=\"10.20.0.0/14\\,10.23.240.0/20\""
+    "    --set global.proxy.includeIPRanges=\"110.64.0.0/14\\,10.67.240.0/20\""
    ]
   },
   {
@@ -190,18 +190,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "!kubectl apply -f ../../../notebooks/resources/ambassador-rbac.yaml -n seldon"
-   ]
-  },
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "To send requests to Ambassador ingress:\n",
-    "    \n",
-    "```\n",
-    "kubectl port-forward $(kubectl get pods -n seldon -l service=ambaador -o jsonpath='{.items[0].metadata.name}') -n seldon 8002:80\n",
-    "```"
+    "!helm install ../../../helm-charts/seldon-core-crd --name seldon-core-crd"
    ]
   },
   {
@@ -210,16 +199,18 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "!helm install ../../../helm-charts/seldon-core-crd --name seldon-core-crd"
+    "!helm install ../../../helm-charts/seldon-core --name seldon-core --namespace seldon --set ambassador.enabled=true"
    ]
   },
   {
-   "cell_type": "code",
-   "execution_count": null,
+   "cell_type": "markdown",
    "metadata": {},
-   "outputs": [],
    "source": [
-    "!helm install ../../../helm-charts/seldon-core --name seldon-core --namespace seldon"
+    "To send requests to Ambassador ingress:\n",
+    "    \n",
+    "```\n",
+    "kubectl port-forward $(kubectl get pods -n seldon -l service=ambassador -o jsonpath='{.items[0].metadata.name}') -n seldon 8002:8080\n",
+    "```"
    ]
   },
   {
@@ -265,13 +256,6 @@
     "!kubectl config set-context $(kubectl config current-context) --namespace=seldon"
    ]
   },
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Launch Version 1 Model"
-   ]
-  },
   {
    "cell_type": "code",
    "execution_count": null,
@@ -283,6 +267,13 @@
     "mnist = utils.download_mnist()"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Launch Version 1 Model"
+   ]
+  },
   {
    "cell_type": "code",
    "execution_count": null,
@@ -489,6 +480,22 @@
    "source": [
     "!istioctl replace -f istio_canary_v3.yaml"
    ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "utils.predict_rest_mnist(mnist,\"mnist-classifier\")"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": []
   }
  ],
  "metadata": {

diff --git a/helm-charts/seldon-core/templates/apife-deployment.yaml b/helm-charts/seldon-core/templates/apife-deployment.yaml
@@ -39,6 +39,8 @@ spec:
         image: {{ .Values.apife.image.name }}
         imagePullPolicy: {{ .Values.apife.image.pull_policy }}
         name: seldon-apiserver-container
+        securityContext:
+          runAsUser: 8888
         ports:
         - containerPort: 8080
           protocol: TCP
@@ -48,8 +50,6 @@ spec:
 {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ .Values.rbac.service_account.name }}
 {{- end }}
-      securityContext:
-        runAsUser: 8888
       terminationGracePeriodSeconds: 30
 ---
 apiVersion: v1

diff --git a/helm-charts/seldon-core/templates/cluster-manager-deployment.yaml b/helm-charts/seldon-core/templates/cluster-manager-deployment.yaml
@@ -23,8 +23,6 @@ spec:
 {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ .Values.rbac.service_account.name }}
 {{- end }}
-      securityContext:
-        runAsUser: 8888
       containers:
       - env:
         - name: JAVA_OPTS
@@ -43,6 +41,8 @@ spec:
         image: {{ .Values.cluster_manager.image.name }}
         imagePullPolicy: {{ .Values.cluster_manager.image.pull_policy }}
         name: seldon-cluster-manager-container
+        securityContext:
+          runAsUser: 8888
         ports:
         - containerPort: 8080
           protocol: TCP