Configure broker security context (#148)

* make udev broker security context configurable

* update version

* change group permissions to be default in example

* fix comment with group id

agent/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "agent"
-version = "0.0.42"
+version = "0.0.43"
 authors = ["Kate Goldenring <kate.goldenring@microsoft.com>", "<bfjelds@microsoft.com>"]
 edition = "2018"
 

controller/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "controller"
-version = "0.0.42"
+version = "0.0.43"
 authors = ["<bfjelds@microsoft.com>"]
 edition = "2018"
 

deployment/helm/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.42
+version: 0.0.43
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.0.42
+appVersion: 0.0.43

deployment/helm/templates/udev.yaml

@@ -31,7 +31,11 @@ spec:
         {{- end }}
       {{- end }}
       securityContext:
+      {{- if .Values.udev.brokerPod.securityContext }}
+        {{- toYaml .Values.udev.brokerPod.securityContext | nindent 8 }}
+      {{- else}}
         privileged: true
+      {{- end}}
       resources:
         limits:
           {{`"{{PLACEHOLDER}}"`}} : "1"

deployment/helm/values.yaml

@@ -197,6 +197,7 @@ udev:
       # repository is the container reference
       repository:
       pullPolicy: Always
+    securityContext: {}
   # createInstanceServices is specified if a service should automatically be
   # created for each broker pod
   createInstanceServices: true

docs/end-to-end-demo.md

@@ -97,7 +97,10 @@ carry out one or the other (or adapt to your distribution), then continue on wit
     alias kubectl='microk8s kubectl'
     alias helm='microk8s helm3'
     ```
-1. Enable privileged pods and restart microk8s.
+1. For the sake of this demo, the udev video broker pods run privileged to easily grant them access to video devices, so
+   enable privileged pods and restart MicroK8s. More explicit device access could have been configured by setting the
+   appropriate [security context](udev-configuration.md#setting-the-broker-pod-security-context) in the broker PodSpec
+   in the Configuration.
     ```sh
     echo "--allow-privileged=true" >> /var/snap/microk8s/current/args/kube-apiserver
     microk8s.stop

docs/requesting-akri-resources.md

@@ -52,8 +52,6 @@ spec:
       containers:
       - name: protocolA-broker
         image: nginx
-        securityContext:
-          privileged: true
         resources:
           limits:                        
             akri.sh/protocolA-device-<id>: "1"

docs/udev-configuration.md

@@ -136,6 +136,21 @@ Installation](./customizing-akri-installation.md) to learn how to [modify the br
 spec](./customizing-akri-installation.md#modifying-the-brokerpodspec) and [service
 specs](./customizing-akri-installation.md#modifying-instanceservicespec-or-configurationservicespec) in the Configuration.
 
+### Setting the broker Pod security context
+By default in the generic udev Configuration, the udev broker is run in privileged security context. This container
+[security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) can be customized via
+Helm. For example, to instead run all processes in the Pod with user ID 1000 and group 1000, do the following: 
+```bash
+helm repo add akri-helm-charts https://deislabs.github.io/akri/
+helm install akri akri-helm-charts/akri-dev \
+    --set useLatestContainers=true \
+    --set udev.enabled=true \
+    --set udev.udevRules[0]='SUBSYSTEM=="sound"\, ATTR{vendor}=="Great Vendor"' \
+    --set udev.brokerPod.image.repository=nginx \
+    --set udev.brokerPod.securityContext.runAsUser=1000 \
+    --set udev.brokerPod.securityContext.runAsGroup=1000
+```
+
 ## Disabling automatic service creation
 By default, the generic udev Configuration will create services for all the brokers of a specific Akri Instance and all the brokers of an Akri Configuration. Disable the create of Instance level services and Configuration level services by setting `--set udev.createInstanceServices=false` and `--set udev.createConfigurationService=false`, respectively.
 

docs/udev-video-sample.md

@@ -67,7 +67,9 @@ Now, tell the broker to stream JPEG format, 1000x800 resolution, and 30 frames p
     -f env.yaml
 ```
 
-**Note:** that udev broker pods must run as privileged in order for udev to be able to access the video device.
+**Note:** The udev video broker pods run privileged in order to access the video devices. More explicit device access
+   could have been configured by setting the appropriate [security
+   context](udev-configuration.md#setting-the-broker-pod-security-context) in the broker PodSpec in the Configuration.
 
 Reference [Customizing an Akri Installation](./customizing-akri-installation.md#modifying-the-brokerpodspec) for more examples of how the broker spec can be modified. 
 

samples/brokers/udev-video-broker/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "udev-video-broker"
-version = "0.0.42"
+version = "0.0.43"
 authors = ["Kate Goldenring <kate.goldenring@microsoft.com>", "<bfjelds@microsoft.com>"]
 edition = "2018"
 

shared/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "akri-shared"
-version = "0.0.42"
+version = "0.0.43"
 authors = ["<bfjelds@microsoft.com>"]
 edition = "2018"
 

version.txt

@@ -1 +1 @@
-0.0.42
+0.0.43