option to not set runAsUser for engine

[ryandawsonuk]

Cluster manager currently injects a securityContext for the engine container. But this is actually set at pod level and effectively applies a restriction to the model itself. This effectively means the user has to choose for the cluster manager a user that will work for all the models... but the models are accessing different directories so they might need different permissions.

Openshift can infer acceptable permissions (this was observed as causing awkwardness on openshift) if you don't set runAsUser so it would be good provide an option to not set the securityContext.

[ryandawsonuk]

Sorry the above is incorrect. The runAsUser is being applied on to the engine container.

(FWIW we seem to have introduced this capability to support istio integration - 318a66a)

[ryandawsonuk]

Given that runAsUser is only being set by the cluster manager for the engine container, this doesn't seem to be a problem for cluster manager. So closing and will reopen if anyone reports otherwise.

[ryandawsonuk]

Am reopening this as it would be convenient to not have to set a user. Otherwise when you install seldon-core you have to know the range of available users.

It doesn't affect the models but it does add complexity to deploying cluster-manager on clusters where the user range is restricted.

[ryandawsonuk]

Above PRs will provide a way to do this by setting --set engine.securityContext.enabled=false on the operator. So:

helm install seldon-core-operator --name seldon-core --repo https://storage.googleapis.com/seldon-charts --set engine.securityContext.enabled=false

This is in line with many of the stable/* helm charts