This repository has been archived by the owner on Oct 26, 2023. It is now read-only.
Adds support for running in Istio environments (#21)
* adds istio sidecar ready/quit logic to crd commands

  this may be the wrong place to put this logic. ideally, istio fixes their shit and we no longer have to (a) wait for the sidecar to be ready and (b) send an envoy quit signal after a job pod is done. alas, this is not the case right now and wrapping this logic around the actual command will require us to migrate off of a "distroless" base docker image. poop or vomit? pick one.

* modifies helm chart
  - adds support for '--istio-enabled' crd cmd flag
  - adds psp use permissions to hooks
  - adds custom psp for operator
  - adds new values to control rendering

* adds network policy

  exposed ports are health, metrics, and webhook. not sure we need to block access to these but maybe i'm wrong

* disables codecov patch status check

  not very important yet annoying
1 parent bd698df, commit ecc90eb. Showing 14 changed files with 215 additions and 33 deletions.
@@ -4,5 +4,6 @@ coverage: | |
default: | ||
target: 75% | ||
threshold: 5% | ||
patch: off | ||
ignore: | ||
- "api/**/zz_generated.deepcopy.go" |
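Review bot: `patch: off` silences the one status that reports coverage of the lines a change actually touches; the project-level `target: 75%` / `threshold: 5%` above it will keep passing while untested new code lands, as long as total coverage does not drop by more than 5%. If the annoyance is the check blocking merges rather than the information, `informational: true` on the patch status keeps the report posted without ever failing the build. The rendered hunk also loses indentation, so confirm that `patch:` sits at the same level as `default:`'s parent under `coverage.status` rather than inside `default`, where it would be ignored.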
deploy/helm/distributed-compute-operator/templates/networkpolicy.yaml (22 additions, 0 deletions)
@@ -0,0 +1,22 @@ | ||
{{- if .Values.networkPolicy.enabled }} | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
name: {{ include "common.names.fullname" . }} | ||
labels: | ||
{{- include "common.labels.standard" . | nindent 4 }} | ||
spec: | ||
podSelector: | ||
matchLabels: | ||
{{- include "common.labels.matchLabels" . | nindent 6 }} | ||
policyTypes: | ||
- Ingress | ||
ingress: | ||
- ports: | ||
- port: 9443 | ||
protocol: TCP | ||
- port: {{ .Values.config.healthProbePort }} | ||
protocol: TCP | ||
- port: {{ .Values.config.metricsPort }} | ||
protocol: TCP | ||
{{- end }} |
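Review bot: the single ingress rule (`- ports:` with no `from:`) admits traffic to 9443, the health port and the metrics port from any peer, in or outside the cluster, so the policy only isolates the ports it does not list. If the intent is to lock the webhook down, add a `from:` block for its only legitimate caller (the API server, typically an `ipBlock` for the control-plane range) and scope the metrics port to the scraping namespace with a `namespaceSelector`; if the intent is only to block everything else, say so in the chart docs for the new `networkPolicy.enabled` value. Two smaller points: 9443 is hard-coded while the other two ports come from `.Values.config`, so changing the webhook port in values would silently break the policy; and `policyTypes` lists only `Ingress`, so egress stays unrestricted, which is reasonable for an operator that talks to the API server but worth stating explicitly.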
deploy/helm/distributed-compute-operator/templates/podsecuritypolicy.yaml (50 additions, 0 deletions)
@@ -0,0 +1,50 @@ | ||
{{- if .Values.podSecurityPolicy.enabled }} | ||
{{- $elevatePermissions := and .Values.istio.enabled (not .Values.istio.cniPluginInstalled) -}} | ||
apiVersion: policy/v1beta1 | ||
kind: PodSecurityPolicy | ||
metadata: | ||
name: {{ include "common.names.fullname" . }} | ||
labels: | ||
{{- include "common.labels.standard" . | nindent 4 }} | ||
annotations: | ||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' | ||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'unconfined,runtime/default' | ||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' | ||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'unconfined' | ||
spec: | ||
privileged: false | ||
allowPrivilegeEscalation: false | ||
{{- if $elevatePermissions }} | ||
allowedCapabilities: | ||
- NET_ADMIN | ||
- NET_RAW | ||
{{- else }} | ||
requiredDropCapabilities: | ||
- ALL | ||
{{- end }} | ||
volumes: | ||
- configMap | ||
- emptyDir | ||
- projected | ||
- secret | ||
- downwardAPI | ||
- persistentVolumeClaim | ||
hostNetwork: false | ||
hostIPC: false | ||
hostPID: false | ||
runAsUser: | ||
rule: {{ if $elevatePermissions }}RunAsAny{{ else }}MustRunAsNonRoot{{ end }} | ||
seLinux: | ||
rule: RunAsAny | ||
supplementalGroups: | ||
rule: MustRunAs | ||
ranges: | ||
- min: 1 | ||
max: 65535 | ||
fsGroup: | ||
rule: MustRunAs | ||
ranges: | ||
- min: 1 | ||
max: 65535 | ||
readOnlyRootFilesystem: false | ||
{{- end }} |
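Review bot: the `$elevatePermissions` branch widens the policy for every container admitted under this PSP, not just the istio-init container that needs it: `requiredDropCapabilities: ALL` disappears entirely in that branch, so the operator's own container keeps the full default capability set, and `runAsUser: RunAsAny` lets it run as root. Consider keeping `requiredDropCapabilities: [ALL]` in both branches and only adding `allowedCapabilities: [NET_ADMIN, NET_RAW]` when Istio is enabled without the CNI plugin; istio-init explicitly drops ALL and adds those two capabilities, so it is still admitted, while everything else must drop the rest. `RunAsAny` is the one widening that cannot be narrowed under PSP, since istio-init runs as root, so at minimum document that trade-off next to `istio.cniPluginInstalled`. Smaller points: `apparmor.security.beta.kubernetes.io/defaultProfileName: 'unconfined'` applies no AppArmor profile by default even though `runtime/default` is allowed and is the safer default; `readOnlyRootFilesystem: false` is worth revisiting once the base-image question from the commit message is settled; and `policy/v1beta1` PodSecurityPolicy is removed in Kubernetes 1.25, so the chart will need an alternative (Pod Security Admission or a policy controller) for clusters beyond that.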