
Commit 33ea0f5

fix: Operator - support securityContext override at Pod level (#5325)
Signed-off-by: Tommy Hughes <tohughes@redhat.com>
1 parent ce3be6d commit 33ea0f5


8 files changed

+558
-3
lines changed


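--- a/infra/feast-operator/api/v1alpha1/featurestore_types.go
+++ b/infra/feast-operator/api/v1alpha1/featurestore_types.go
@@ -278,6 +278,7 @@ type FeatureStoreServices struct {
 // Creates a UI server container
 UI *ServerConfigs `json:"ui,omitempty"`
 DeploymentStrategy *appsv1.DeploymentStrategy `json:"deploymentStrategy,omitempty"`
+SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 // Disable the 'feast repo initialization' initContainer
 DisableInitContainers bool `json:"disableInitContainers,omitempty"`
 // Volumes specifies the volumes to mount in the FeatureStore deployment. A corresponding `VolumeMount` should be added to whichever feast service(s) require access to said volume(s).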
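Review bot: The new `SecurityContext` field has no doc comment, unlike its neighbours `UI` and `DisableInitContainers`, and because controller-gen lifts field comments into the CRD schema, the generated description is only the generic PodSecurityContext text and says nothing about what the override does to the securityContext the operator itself places on the Deployment. I would add `// SecurityContext overrides the pod-level securityContext of the FeatureStore Deployment.` above the field and state whether a user-supplied value replaces the operator's defaults wholesale or is merged with them; the reconciler change that decides this is in another file of the commit and is not visible here. Since a pod-level context sets runAsUser, fsGroup, sysctls and similar for every container in the pod, that comment is also the natural place to note that the cluster's Pod Security Admission level still applies to whatever is set. The `FeatureStoreServices` struct begins outside the hunk.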

infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 5 additions & 0 deletions

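--- a/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
+++ b/infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
@@ -2125,6 +2125,137 @@ spec:
 x-kubernetes-validations:
 - message: One selection required.
 rule: '[has(self.local), has(self.remote)].exists_one(c, c)'
+securityContext:
+description: PodSecurityContext holds pod-level security attributes
+and common container settings.
+properties:
+appArmorProfile:
+description: appArmorProfile is the AppArmor options to use
+by the containers in this pod.
+properties:
+localhostProfile:
+description: localhostProfile indicates a profile loaded
+on the node that should be used.
+type: string
+type:
+description: type indicates which kind of AppArmor profile
+will be applied.
+type: string
+required:
+- type
+type: object
+fsGroup:
+description: A special supplemental group that applies to
+all containers in a pod.
+format: int64
+type: integer
+fsGroupChangePolicy:
+description: |-
+fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+before being exposed inside Pod.
+type: string
+runAsGroup:
+description: |-
+The GID to run the entrypoint of the container process.
+Uses runtime default if unset.
+format: int64
+type: integer
+runAsNonRoot:
+description: Indicates that the container must run as a non-root
+user.
+type: boolean
+runAsUser:
+description: |-
+The UID to run the entrypoint of the container process.
+Defaults to user specified in image metadata if unspecified.
+format: int64
+type: integer
+seLinuxOptions:
+description: The SELinux context to be applied to all containers.
+properties:
+level:
+description: Level is SELinux level label that applies
+to the container.
+type: string
+role:
+description: Role is a SELinux role label that applies
+to the container.
+type: string
+type:
+description: Type is a SELinux type label that applies
+to the container.
+type: string
+user:
+description: User is a SELinux user label that applies
+to the container.
+type: string
+type: object
+seccompProfile:
+description: |-
+The seccomp options to use by the containers in this pod.
+Note that this field cannot be set when spec.os.
+properties:
+localhostProfile:
+description: localhostProfile indicates a profile defined
+in a file on the node should be used.
+type: string
+type:
+description: type indicates which kind of seccomp profile
+will be applied.
+type: string
+required:
+- type
+type: object
+supplementalGroups:
+description: |-
+A list of groups applied to the first process run in each container, in addition
+to the container's primary GID, the fsG
+items:
+format: int64
+type: integer
+type: array
+x-kubernetes-list-type: atomic
+sysctls:
+description: Sysctls hold a list of namespaced sysctls used
+for the pod.
+items:
+description: Sysctl defines a kernel parameter to be set
+properties:
+name:
+description: Name of a property to set
+type: string
+value:
+description: Value of a property to set
+type: string
+required:
+- name
+- value
+type: object
+type: array
+x-kubernetes-list-type: atomic
+windowsOptions:
+description: The Windows specific settings applied to all
+containers.
+properties:
+gmsaCredentialSpec:
+description: |-
+GMSACredentialSpec is where the GMSA admission webhook
+(https://github.
+type: string
+gmsaCredentialSpecName:
+description: GMSACredentialSpecName is the name of the
+GMSA credential spec to use.
+type: string
+hostProcess:
+description: HostProcess determines if a container should
+be run as a 'Host Process' container.
+type: boolean
+runAsUserName:
+description: The UserName in Windows to run the entrypoint
+of the container process.
+type: string
+type: object
+type: object
 ui:
 description: Creates a UI server container
 properties:
@@ -5975,6 +6106,139 @@ spec:
 - message: One selection required.
 rule: '[has(self.local), has(self.remote)].exists_one(c,
 c)'
+securityContext:
+description: PodSecurityContext holds pod-level security attributes
+and common container settings.
+properties:
+appArmorProfile:
+description: appArmorProfile is the AppArmor options to
+use by the containers in this pod.
+properties:
+localhostProfile:
+description: localhostProfile indicates a profile
+loaded on the node that should be used.
+type: string
+type:
+description: type indicates which kind of AppArmor
+profile will be applied.
+type: string
+required:
+- type
+type: object
+fsGroup:
+description: A special supplemental group that applies
+to all containers in a pod.
+format: int64
+type: integer
+fsGroupChangePolicy:
+description: |-
+fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+before being exposed inside Pod.
+type: string
+runAsGroup:
+description: |-
+The GID to run the entrypoint of the container process.
+Uses runtime default if unset.
+format: int64
+type: integer
+runAsNonRoot:
+description: Indicates that the container must run as
+a non-root user.
+type: boolean
+runAsUser:
+description: |-
+The UID to run the entrypoint of the container process.
+Defaults to user specified in image metadata if unspecified.
+format: int64
+type: integer
+seLinuxOptions:
+description: The SELinux context to be applied to all
+containers.
+properties:
+level:
+description: Level is SELinux level label that applies
+to the container.
+type: string
+role:
+description: Role is a SELinux role label that applies
+to the container.
+type: string
+type:
+description: Type is a SELinux type label that applies
+to the container.
+type: string
+user:
+description: User is a SELinux user label that applies
+to the container.
+type: string
+type: object
+seccompProfile:
+description: |-
+The seccomp options to use by the containers in this pod.
+Note that this field cannot be set when spec.os.
+properties:
+localhostProfile:
+description: localhostProfile indicates a profile
+defined in a file on the node should be used.
+type: string
+type:
+description: type indicates which kind of seccomp
+profile will be applied.
+type: string
+required:
+- type
+type: object
+supplementalGroups:
+description: |-
+A list of groups applied to the first process run in each container, in addition
+to the container's primary GID, the fsG
+items:
+format: int64
+type: integer
+type: array
+x-kubernetes-list-type: atomic
+sysctls:
+description: Sysctls hold a list of namespaced sysctls
+used for the pod.
+items:
+description: Sysctl defines a kernel parameter to be
+set
+properties:
+name:
+description: Name of a property to set
+type: string
+value:
+description: Value of a property to set
+type: string
+required:
+- name
+- value
+type: object
+type: array
+x-kubernetes-list-type: atomic
+windowsOptions:
+description: The Windows specific settings applied to
+all containers.
+properties:
+gmsaCredentialSpec:
+description: |-
+GMSACredentialSpec is where the GMSA admission webhook
+(https://github.
+type: string
+gmsaCredentialSpecName:
+description: GMSACredentialSpecName is the name of
+the GMSA credential spec to use.
+type: string
+hostProcess:
+description: HostProcess determines if a container
+should be run as a 'Host Process' container.
+type: boolean
+runAsUserName:
+description: The UserName in Windows to run the entrypoint
+of the container process.
+type: string
+type: object
+type: object
 ui:
 description: Creates a UI server container
 properties: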
