Add pod_security_context and container_security_context config #480
558a802 to 74ad78b
@consideRatio OK this should be ready for review.

@cyrilcros I just saw your edit of splitting into pod_security_context and container_security_context and I like it! I suggest you let whatever is set there override for example fs_gid if there is a conflict as well. I'm not 100% sure of my motivation for this, but I think it makes sense related to us not having defaults here yet, and if someone specifies this it is with intent.

Overview of securityContext configuration and what KubeSpawner has exposed before this.

Pod specific

Container specific

Common

I hope to find time to review this within a week, but my attention is too split at the moment. I should really be doing something else right now as well. Thanks for your work @cyrilcros! ❤️
b9f9786 to c8246f8
@cyrilcros thank you for your work on this!!! :tada:! 🥳 I'll find time to review/merge next week the latest.

@cyrilcros I'm actively working to get this PR to get merged but I've decided to wait for #483 to get merged before I finish some parts of this PR. Is it okay that I push some commits here?

@consideRatio Sure thing.
They have higher priority than existing options like run_as_uid. TypeError happens if they are invalid. This can depend on current Kubernetes version installed + kubernetes-client lib support.
Instead of accepting the Python kubernetes-client's configuration, we should accept it just as if it were k8s native config.
The kubernetes-client can't be used to validate the security context resources without compromising significantly on the allowed values to be passed as the Python client is too outdated to know about modern options.
04653e1 to 2a0ffed
@cyrilcros thanks for your work on this 🎉 ❤️! I consider this ready for review/merge @minrk @manics if you have time!
Some minor feedback on improving the error messages, but otherwise looks great to me. Thanks!
af58162 to 6b34f98
6b34f98 to 4661af8
Nice!
@cyrilcros thank you so much for your work on this!!! ❤️ 🎉

This pull request has been mentioned on Jupyter Community Forum. There might be relevant details there:
This PR adds container_security_context and pod_security_context configuration options.

Old vs new options

The new options container_security_context and pod_security_context update the partial security contexts built from the following older options:
- supplemental_gids (pod)
- fs_gid (pod)
- privileged (container)
- allow_privilege_escalation (container)
- uid (container)
- gid (container)

Related

Fixes #454 - pod/container security contexts can now be configured
Related to #478 - exposes fsGroupChangePolicy through pod security context, but doesn't provide a default value.
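The precedence rules discussed in this thread (the explicit, Kubernetes-native dicts win over the older scalar options; a non-dict value is a TypeError; newer fields such as fsGroupChangePolicy pass through untouched because nothing validates them against the outdated kubernetes-client) can be modelled in a few lines. The following is an added example written for this page, not KubeSpawner's own implementation: the function names (`build_security_contexts`, `_legacy_context`, `_check_native`) are hypothetical, the camelCase key guard is an assumption of mine rather than something the PR describes, and the option-to-field mapping uses the real Kubernetes securityContext field names for the older options listed in the description above. The `overridden` list is an addition so an operator can see, rather than silently get, a conflict such as fs_gid versus fsGroup.

```python
# Added example (not KubeSpawner's own code): models the precedence described
# in this PR, where the Kubernetes-native pod_security_context and
# container_security_context dicts override the partial contexts built from
# the older scalar options. Function names are hypothetical.
from typing import Any, Dict, List, Optional

# Older scalar option -> the Kubernetes securityContext field it populates.
# Field names are the real Kubernetes keys; option names are the ones listed
# in the PR description.
POD_FIELDS: Dict[str, str] = {
    "fs_gid": "fsGroup",
    "supplemental_gids": "supplementalGroups",
}
CONTAINER_FIELDS: Dict[str, str] = {
    "uid": "runAsUser",
    "gid": "runAsGroup",
    "privileged": "privileged",
    "allow_privilege_escalation": "allowPrivilegeEscalation",
}


def _legacy_context(options: Dict[str, Any], field_map: Dict[str, str]) -> Dict[str, Any]:
    """Build the partial context from whichever older options are set (not None)."""
    return {
        field_map[name]: value
        for name, value in options.items()
        if name in field_map and value is not None
    }


def _check_native(name: str, value: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Accept the option as raw Kubernetes config: a dict of camelCase fields or
    None; anything else is a TypeError, as the commit message states.

    No per-field validation is done on purpose: that is what lets fields the
    Python client does not know about (e.g. fsGroupChangePolicy) pass through.
    The camelCase key guard below is an assumption added for this example.
    """
    if value is None:
        return {}
    if not isinstance(value, dict):
        raise TypeError(
            f"{name} must be a dict of Kubernetes securityContext fields, "
            f"got {type(value).__name__}"
        )
    for key in value:
        if not isinstance(key, str) or "_" in key:
            raise TypeError(f"{name} keys must be Kubernetes camelCase field names, not {key!r}")
    return dict(value)


def build_security_contexts(
    old_options: Dict[str, Any],
    pod_security_context: Optional[Dict[str, Any]] = None,
    container_security_context: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Return {"pod": ctx, "container": ctx, "overridden": [...]}.

    "overridden" names legacy-derived fields that the explicit contexts
    replaced with a different value, so a conflict is visible in logs.
    """
    pod_native = _check_native("pod_security_context", pod_security_context)
    container_native = _check_native("container_security_context", container_security_context)

    pod_ctx = _legacy_context(old_options, POD_FIELDS)
    container_ctx = _legacy_context(old_options, CONTAINER_FIELDS)

    overridden: List[str] = []
    for scope, legacy, native in (
        ("pod", pod_ctx, pod_native),
        ("container", container_ctx, container_native),
    ):
        for key, value in native.items():
            if key in legacy and legacy[key] != value:
                overridden.append(f"{scope}.{key}")
        legacy.update(native)  # explicit, Kubernetes-native config wins

    return {"pod": pod_ctx, "container": container_ctx, "overridden": overridden}


if __name__ == "__main__":
    # Constructed sample: legacy fs_gid=100 conflicts with an explicit fsGroup=2000.
    print(build_security_contexts(
        {"fs_gid": 100, "uid": 1000, "allow_privilege_escalation": False},
        pod_security_context={"fsGroup": 2000, "fsGroupChangePolicy": "OnRootMismatch"},
        container_security_context={"runAsNonRoot": True},
    ))
```

In a real deployment the equivalent input is the traitlets config, e.g. `c.KubeSpawner.pod_security_context = {"fsGroup": 2000, "fsGroupChangePolicy": "OnRootMismatch"}`; the value is passed on as plain Kubernetes config, so whether a given field is accepted is decided by the cluster's API server version, not by the Python client, exactly as the commit messages above describe.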