-
Notifications
You must be signed in to change notification settings - Fork 824
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
option to not set runAsUser for engine #527
option to not set runAsUser for engine #527
Comments
Sorry the above is incorrect. The runAsUser is being applied on to the engine container. (FWIW we seem to have introduced this capability to support istio integration - 318a66a) |
Given that runAsUser is only being set by the cluster manager for the engine container, this doesn't seem to be a problem for cluster manager. So closing and will reopen if anyone reports otherwise. |
Am reopening this as it would be convenient to not have to set a user. Otherwise when you install seldon-core you have to know the range of available users. It doesn't affect the models but it does add complexity to deploying cluster-manager on clusters where the user range is restricted. |
Above PRs will provide a way to do this by setting
This is in line with many of the stable/* helm charts |
Cluster manager currently injects a securityContext for the engine container. But this is actually set at pod level and effectively applies a restriction to the model itself. This effectively means the user has to choose for the cluster manager a user that will work for all the models... but the models are accessing different directories so they might need different permissions.
Openshift can infer acceptable permissions (this was observed as causing awkwardness on openshift) if you don't set runAsUser so it would be good provide an option to not set the securityContext.
The text was updated successfully, but these errors were encountered: