Added a security context to run as non-root user. #1799
Conversation
Thanks for submitting your first pull request! You are awesome! 🤗

This pull request has been mentioned on Jupyter Community Forum. There might be relevant details there: https://discourse.jupyter.org/t/restricted-psp-z2jh-fails-in-local-gitlab-oauth-workflow/6202/5
@@ -47,4 +47,6 @@ spec: | |||
image: {{ .Values.prePuller.pause.image.name }}:{{ .Values.prePuller.pause.image.tag }} | |||
resources: | |||
{{- include "jupyterhub.resources" . | nindent 12 }} | |||
securityContext: | |||
runAsUser: 1000 |
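Review bot: the added `securityContext:` / `runAsUser: 1000` block should sit under the container entry, not at the pod `spec` level; the hunk's indentation is ambiguous after extraction, but the existing `resources:` block is rendered with `nindent 12`, so the container fields are at the `resources:` indent and `securityContext:` must be at that same indent with `runAsUser` two spaces deeper. A pod-level securityContext is inherited by every container in the pod, including sidecars injected by admission webhooks that this chart does not control. Since the goal is "run as non-root", consider also setting `runAsNonRoot: true` alongside `runAsUser` so the kubelet refuses to start the container if a future image change would make it run as UID 0, and `runAsGroup: 1000` so the primary group does not fall back to whatever the image defines.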
This is a podSecurityContext, which can influence sidecar containers, for example from istio, which I've seen lead to issues before, so I think we should set it on the container level, only influencing the containers we actually manage.
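To make the pod-level versus container-level distinction concrete, here is an added example (not the chart's own template, and not code posted in this thread) showing both placements side by side. The pod names, the `pause` image tag and the `istio-proxy` sidecar are assumed for illustration.

```yaml
# Added illustration, not part of the z2jh chart.
# Document 1: pod-level securityContext. Every container in the pod,
# including an istio-proxy sidecar injected by a mutating webhook,
# inherits runAsUser: 1000 unless it overrides it. A sidecar image that
# expects a different UID can fail at startup.
apiVersion: v1
kind: Pod
metadata:
  name: pause-pod-level          # assumed name
spec:
  securityContext:
    runAsUser: 1000
  containers:
    - name: pause
      image: k8s.gcr.io/pause:3.2   # assumed placeholder image
    # If a webhook injects istio-proxy here, it runs as 1000 too.
---
# Document 2: container-level securityContext. Only the container the
# chart manages is affected; an injected sidecar keeps its own settings.
apiVersion: v1
kind: Pod
metadata:
  name: pause-container-level    # assumed name
spec:
  containers:
    - name: pause
      image: k8s.gcr.io/pause:3.2   # assumed placeholder image
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # Fail closed: kubelet refuses to start the container if the
        # effective user would be root, even if the image changes later.
        runAsNonRoot: true
```

After applying either manifest, the effective per-container settings can be checked with `kubectl get pod <name> -o jsonpath='{.spec.containers[*].securityContext}'`; for the first document that field is empty for the `pause` container because the value lives at `.spec.securityContext` and is only applied at runtime.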
Yes, this does make sense. Adding it as a podSecurityContext seems better than for the entire deployment. Maybe we can add the runAsGroup parameter as well to ensure that any changes to the image do not affect us in the future?

The indentation in the code above seems to miss a tab; I think it should be as follows:

```yaml
          image: {{ .Values.prePuller.pause.image.name }}:{{ .Values.prePuller.pause.image.tag }}
          resources:
            {{- include "jupyterhub.resources" . | nindent 12 }}
          securityContext:
            runAsGroup: 1000
            runAsUser: 1000
```
Hello Everyone,

As discussed on the forum with @manics, raising a PR for fixing the security context of the user-placeholder pods. This is my first of many (hopefully) PRs on an OSS project. Do let me know in case I missed something.

Regards,
Nachiket