Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support pod securitycontext and container security context #496

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

support pod securitycontext and container security context #496

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
fe8a564
support pod securitycontext and container security context
pgvishnuram May 13, 2024
7f7e424
fix test cases
pgvishnuram May 13, 2024
4511546
rename securitycontext for dag service
pgvishnuram May 13, 2024
26b3454
rename security context similar to airflow components
pgvishnuram May 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion templates/dag-deploy/dag-server-statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ spec:
- name: {{ template "astro.registry_secret" . }}
{{- end }}
serviceAccountName: {{ .Release.Name }}-dag-server
securityContext: {{ toYaml .Values.dagDeploy.securityContext | nindent 8 }}
securityContext: {{ toYaml .Values.dagDeploy.podSecurityContext | nindent 8 }}
containers:
- name: dag-server
image: "{{ .Values.dagDeploy.images.dagServer.repository }}:{{ .Values.dagDeploy.images.dagServer.tag }}"
Expand All @@ -50,6 +50,7 @@ spec:
ports:
- name: server
containerPort: {{ .Values.dagDeploy.ports.dagServerHttp }}
securityContext: {{ toYaml .Values.dagDeploy.securityContext | nindent 12 }}
Copy link
Member

@danielhoherd danielhoherd May 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be containerSecurityContext ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like securityContext should apply to both pods and containers, podSecurityContext should apply to pods, and containerSecurityContext should apply to containers.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we can set containerSecurityContext for better naming and we will also release a houston api changes as well for adopting new naming. should we target this release or next patch

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like we should do it on this patch because otherwise customers could put a securityContext config in place for containers, and later that becomes a global setting for pods and containers, which is probably not what they intended.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danielhoherd can we follow oss approach here

securityContexts: 
    pods: {}
    container: {}

Copy link
Member

@danielhoherd danielhoherd May 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i like that, but what do they use for the lower-priority hierarchy?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they have top level securityContext and then at service levels - but our use case it to allow passing securityContext when a user what to set more extensive properties at container level

Copy link
Member

@danielhoherd danielhoherd May 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should probably widen this securityContext effort out into a ticket that standardizes on a way that we will do securityContexts, describe the way we think is best to do them, and then make an effort to do that everywhere. We don't want to come up with a cool way to do this in this one feature if it is inconsistent with how we do it elsewhere, so we should be consistent with some other implementation here (maybe the airflow one) and also strive to be consistent with a default implementation everywhere. I'll open a ticket about that.

https://github.com/astronomer/issues/issues/6368

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Airflow has a pretty good securityContext design diagram in their sourcecode https://github.com/apache/airflow/blob/9dd77520be3d8492156958d57b63b5779a3f55eb/chart/templates/_helpers.yaml#L848-L880

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

those are strairght forward but we should mend our code in houston thats why we are going in selectives

resources:
{{- toYaml .Values.dagDeploy.resources | nindent 12 }}
env:
Expand Down
19 changes: 15 additions & 4 deletions tests/chart/test_dag_server_statefulset.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,11 +72,18 @@ def test_dag_server_statefulset_with_resource_overrides(self, kube_version):
c_by_name = get_containers_by_name(doc)
assert c_by_name["dag-server"]["resources"] == resources

def test_dag_server_statefulset_with_securitycontext_overrides(self, kube_version):
def test_dag_server_statefulset_with_podsecuritycontext_overrides(
self, kube_version
):
"""Test that dag-server statefulset are configurable with custom securitycontext."""
dag_serversecuritycontext = {"runAsUser": 12345, "privileged": True}
dag_server_pod_securitycontext = {"runAsUser": 12345, "privileged": True}
dag_server_container_securitycontext = {"allowPrivilegeEscalation": False}
values = {
"dagDeploy": {"enabled": True, "securityContext": dag_serversecuritycontext}
"dagDeploy": {
"enabled": True,
"podSecurityContext": dag_server_pod_securitycontext,
"securityContext": dag_server_container_securitycontext,
}
}

docs = render_chart(
Expand All @@ -90,9 +97,13 @@ def test_dag_server_statefulset_with_securitycontext_overrides(self, kube_versio
assert doc["apiVersion"] == "apps/v1"
assert doc["metadata"]["name"] == "release-name-dag-server"
assert (
dag_serversecuritycontext
dag_server_pod_securitycontext
== doc["spec"]["template"]["spec"]["securityContext"]
)
assert (
dag_server_container_securitycontext
== doc["spec"]["template"]["spec"]["containers"][0]["securityContext"]
)

def test_dag_server_statefulset_with_custom_registry_secret(self, kube_version):
"""Test dag-server statefulset with custom registry secret."""
Expand Down
3 changes: 2 additions & 1 deletion values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -570,9 +570,10 @@ dagDeploy:
# when it wants to scale a node down.
safeToEvict: true

securityContext: {}
podSecurityContext: {}
# runAsUser: 999
# runAsGroup: 0
securityContext: {}

gitSyncRelay:
enabled: ~
Expand Down