Skip to content

feat: Make security context configurable by environment variables#788

Merged
google-oss-prow[bot] merged 8 commits into
kubeflow:mainfrom
jesuino:RHOAIENG-61579
May 26, 2026
Merged

feat: Make security context configurable by environment variables#788
google-oss-prow[bot] merged 8 commits into
kubeflow:mainfrom
jesuino:RHOAIENG-61579

Conversation

@jesuino

@jesuino jesuino commented May 8, 2026

Copy link
Copy Markdown
Contributor

In this change we add Security Context configuration as a Jupyter Configuration and environment variables:

Source Settings
JupyterLab Settings Settings > Advanced Settings Editor > Kale
Environment Variables KALE_SECURITY_CONTEXT_ENABLED, KALE_SECURITY_CONTEXT_RUN_AS_USER, KALE_SECURITY_CONTEXT_RUN_AS_GROUP, KALE_SECURITY_CONTEXT_RUN_AS_NON_ROOT

Precedence: JupyterLab settings → env vars → defaults (enabled=true, run_as_user=65534, run_as_group=0, run_as_non_root=true)

This is how it looks like from Jupyter Lab settings:

image

A video showing it in action:

Screencast.From.2026-05-08.14-43-24.mp4

This change was co-authored by Claude

Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>

@ada333 ada333 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jesuino looks good on the first look, could you please fix the tests?

jesuino added 2 commits May 11, 2026 09:52
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>

@ada333 ada333 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jesuino thanks for working on this! I have 2 comments - one is just code duplicity, the other is about functionality which I found when testing this PR (I hope I did not test it wrong)

Comment thread kale/pipeline.py
Can be configured via JupyterLab settings or ``KALE_*`` environment variables.
"""

enabled = Field(type=bool, default=True)

This comment was marked as resolved.

Comment thread kale/pipeline.py Outdated
# Metadata exists but may be incomplete - env vars fill in missing
for key, value in env_config.items():
current = getattr(self.security_context, key, None)
if current is None:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested this and I believe the env vars in UI are never applied because security_context is always set to default values (from either settings default or widget default

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for finding this, you are right - I did refactor the code to make it sure that the env var is respected - please let me know if it works for you.

Thanks!

Comment thread kale/common/utils.py Outdated
KALE_SECURITY_CONTEXT_ENABLED:
Boolean-like flag (1/true/yes/on) to enable/disable security context.
KALE_SECURITY_CONTEXT_RUN_AS_USER:
Integer UID to run containers as.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

small update to documentation - on this line and in the next section, could you please clarify... to run containers as what?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addressed, thank you

@hmtosi

hmtosi commented May 13, 2026

Copy link
Copy Markdown
Contributor

Closes #781

Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
@jesuino

jesuino commented May 14, 2026

Copy link
Copy Markdown
Contributor Author

I am fixing an issue with the UI/Backend sync

/hold

Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
@jesuino

jesuino commented May 18, 2026

Copy link
Copy Markdown
Contributor Author

/unhold

@jesuino

jesuino commented May 18, 2026

Copy link
Copy Markdown
Contributor Author

@hmtosi @ada333 The PR is ready for review!

@hmtosi hmtosi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@jesuino thank you for this work, the code looks good to me. I did the following tests:

  1. build kale and run it without adjusting security context - successful run, yaml includes security context
  2. use settings menu and disable security context - successful run, yaml doesn't include security context (shows that settings correctly control security context)
  3. use settings menu and reenable security context - successful run, yaml includes security context
  4. open local kale-settings.jupyterlab-settings file and delete security context, export KALE_SECURITY_CONTEXT_ENABLED=False - successful run, doesn't include security context (this shows that the env vars also correctly control security context)

Signed-off-by: William Siqueira <william.fatecsjc@gmail.com>
@google-oss-prow google-oss-prow Bot removed the lgtm label May 21, 2026

@ederign ederign left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

William, some comments:

  • Looks like there is a circular import between utils.py and pipeline.py**;
  • No error handling for invalid integer env vars i nsecurity_context.run_as_user = int(run_as_user
  • In widget.tsx, when jlSecurityContextSetting.user === undefined, backend env var defaults are written to the JupyterLab settings store via `loadedSetting.set(...)

Would mind to take a look on it?

@jesuino

jesuino commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

@ederign

Thanks for the feedback.

In widget.tsx, when jlSecurityContextSetting.user === undefined, backend env var defaults are written to the JupyterLab settings store via `loadedSetting.set(...)

Thanks for pointing this. We have to override the user values, otherwise the UI will not reflect the values in env vars. I did some research of alternative values, but still I could not find a feasible way to do this. In fact, Claude is saying that it is not possible:

this will always show schema defaults. That's the tradeoff - we can't change what the Settings UI shows without writing to user settings.

So I think we should keep this approach and document it? Or we can ignore the env var on the user settings and show the default values.

The other points were addressed, thanks!

@google-oss-prow google-oss-prow Bot added the lgtm label May 26, 2026
@ederign

ederign commented May 26, 2026

Copy link
Copy Markdown
Member

/approve
/lgtm

@google-oss-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ederign

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow
google-oss-prow Bot merged commit c12b65c into kubeflow:main May 26, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants