Default user ID is always set to 8888 #2142
Comments
@adriangonz I have a base python image that has USER set to While wrapping my model using I was able to build the image and serve locally but every time I used it in a After a whole lot of debugging, I found out that in the I am using this example deep-mnist.json as reference Can you please share an example showing how to specify security context explicitly in a SeldonDeployment? In my case, I have to run as 1000.
You can add a securityContext to your container, e.g.:
I looked at using I therefore plan to just update the docs with the above example to show how you can set the default userid globally or at the image level.
Thanks for looking into this @cliveseldon. I agree that changing the user ID in s2i is probably a bit of a pain. Updating the docs sounds good!
Describe the bug
Since 1.2, the Seldon Core operator will always inject by default a securityContext at the pod level which runs every container as user 8888. This is in line with OpenShift's best practices. The user can always change the default user ID through the defaultUserID property of Seldon Core's Helm chart, or by overriding the securityContext at the container level.
Seldon Core's images (i.e. executor and Python wrapper) will always run with this user. However when using a custom Docker image the user ID could change, in which case the user would run into permissions problems.
We should document this change, how it can affect the user and how to change it. Alternatively, we could always set the defaultUserID to empty and start using the runAsNonRoot field. I.e. injecting the following securityContext by default:
That would mean that containers can only be run as non-root users (unless overridden), and that K8s will use the user ID in the Docker's image metadata.
To reproduce
SeldonDeployment using SC 1.2.
securityContext with runAsUser: 8888.
Expected behaviour
We should make it clear to the user that containers will run by default as user 8888. Alternatively, we should change the operator so that it doesn't enforce a particular user ID and instead uses the container's user from the image's metadata (the default if you don't specify a runAsUser).
Environment
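An added example (not taken from the issue or from Seldon's documentation) of the container-level override discussed in this thread: a SeldonDeployment whose model container runs as UID 1000 instead of the operator's pod-level default of 8888. The deployment name, predictor name, container name and image are placeholders.

```yaml
# Added example: per-container override of the operator-injected default user.
# All names and the image reference are placeholders, not values from the issue.
apiVersion: machinelearning.seldon.io/v1
kind: SeldonDeployment
metadata:
  name: example-model                 # hypothetical name
spec:
  predictors:
    - name: default
      replicas: 1
      graph:
        name: classifier              # must match the container name below
        type: MODEL
      componentSpecs:
        - spec:
            containers:
              - name: classifier
                # Placeholder for a custom image whose files are owned by UID 1000.
                image: registry.example.com/team/my-model:0.1
                # In Kubernetes, a container-level securityContext takes
                # precedence over the pod-level one for the same field, so this
                # replaces the pod-level runAsUser: 8888 described in the issue
                # for this container only.
                securityContext:
                  runAsUser: 1000
                  # The kubelet refuses to start the container if it would
                  # run as UID 0.
                  runAsNonRoot: true
```

To confirm the effective user, run `id -u` inside the running model container (for example with `kubectl exec <pod> -c classifier -- id -u`, where `<pod>` is the generated pod name); it should print 1000.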