feat: Make security context configurable by environment variables#788
Conversation
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
| Can be configured via JupyterLab settings or ``KALE_*`` environment variables. | ||
| """ | ||
|
|
||
| enabled = Field(type=bool, default=True) |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| # Metadata exists but may be incomplete - env vars fill in missing | ||
| for key, value in env_config.items(): | ||
| current = getattr(self.security_context, key, None) | ||
| if current is None: |
There was a problem hiding this comment.
I tested this and I believe the env vars in UI are never applied because security_context is always set to default values (from either settings default or widget default
There was a problem hiding this comment.
Thank you for finding this, you are right - I did refactor the code to make it sure that the env var is respected - please let me know if it works for you.
Thanks!
| KALE_SECURITY_CONTEXT_ENABLED: | ||
| Boolean-like flag (1/true/yes/on) to enable/disable security context. | ||
| KALE_SECURITY_CONTEXT_RUN_AS_USER: | ||
| Integer UID to run containers as. |
There was a problem hiding this comment.
small update to documentation - on this line and in the next section, could you please clarify... to run containers as what?
|
Closes #781 |
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
|
I am fixing an issue with the UI/Backend sync /hold |
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
|
/unhold |
hmtosi
left a comment
There was a problem hiding this comment.
/lgtm
@jesuino thank you for this work, the code looks good to me. I did the following tests:
- build kale and run it without adjusting security context - successful run, yaml includes security context
- use settings menu and disable security context - successful run, yaml doesn't include security context (shows that settings correctly control security context)
- use settings menu and reenable security context - successful run, yaml includes security context
- open local
kale-settings.jupyterlab-settingsfile and delete security context, exportKALE_SECURITY_CONTEXT_ENABLED=False- successful run, doesn't include security context (this shows that the env vars also correctly control security context)
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
ederign
left a comment
There was a problem hiding this comment.
William, some comments:
- Looks like there is a circular import between
utils.pyandpipeline.py**; - No error handling for invalid integer env vars i nsecurity_context.run_as_user = int(run_as_user
- In
widget.tsx, whenjlSecurityContextSetting.user === undefined, backend env var defaults are written to the JupyterLab settings store via `loadedSetting.set(...)
Would mind to take a look on it?
|
Thanks for the feedback.
Thanks for pointing this. We have to override the user values, otherwise the UI will not reflect the values in env vars. I did some research of alternative values, but still I could not find a feasible way to do this. In fact, Claude is saying that it is not possible: So I think we should keep this approach and document it? Or we can ignore the env var on the user settings and show the default values. The other points were addressed, thanks! |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ederign The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
In this change we add Security Context configuration as a Jupyter Configuration and environment variables:
Precedence: JupyterLab settings → env vars → defaults (enabled=true, run_as_user=65534, run_as_group=0, run_as_non_root=true)
This is how it looks like from Jupyter Lab settings:
A video showing it in action:
Screencast.From.2026-05-08.14-43-24.mp4
This change was co-authored by Claude