Added securityContext for k8s #657

Merged
merged 1 commit into from
Jun 23, 2023

holgerbach
Contributor

SecurityContext needed for hardening, which you can define in your values.yaml as follows:

securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 1000

podSecurityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000 
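
Added example, not part of the original PR or the titiler chart: a small Python lint for the two values blocks above, checking both the hardening settings and the level each field sits at (in the Kubernetes API, readOnlyRootFilesystem, capabilities and allowPrivilegeEscalation are container-level fields). The function name lint_values is hypothetical, and the sample inputs are constructed to mirror the PR description and the empty defaults requested in review.

```python
# Added example, not code from the titiler chart. Field placement follows the
# Kubernetes core/v1 API: these fields exist only on a container's
# securityContext, or only on the pod's.
CONTAINER_ONLY = {"capabilities", "readOnlyRootFilesystem",
                  "allowPrivilegeEscalation", "privileged", "procMount"}
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}


def lint_values(values):
    """Return findings for the securityContext / podSecurityContext values."""
    ctr = values.get("securityContext") or {}
    pod = values.get("podSecurityContext") or {}
    findings = []

    # A field at the wrong level is not in that object's schema.
    for field in sorted(CONTAINER_ONLY & pod.keys()):
        findings.append(f"podSecurityContext.{field}: container-level field")
    for field in sorted(POD_ONLY & ctr.keys()):
        findings.append(f"securityContext.{field}: pod-level field")

    # Container-level hardening settings from the PR description.
    drops = (ctr.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drops:
        findings.append("securityContext.capabilities.drop: ALL not dropped")
    if ctr.get("readOnlyRootFilesystem") is not True:
        findings.append("securityContext.readOnlyRootFilesystem: not true")
    if ctr.get("allowPrivilegeEscalation") is not False:
        findings.append("securityContext.allowPrivilegeEscalation: not false")

    # runAsNonRoot / runAsUser are valid at both levels; the container value
    # takes precedence over the pod value.
    effective = {**pod, **ctr}
    if effective.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot: not true at either level")
    if effective.get("runAsUser") == 0:
        findings.append("runAsUser: 0 (root)")
    return findings


# Constructed inputs: the first mirrors the values in the PR description, the
# second is the empty default requested in review.
PR_VALUES = {
    "securityContext": {"capabilities": {"drop": ["ALL"]},
                        "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False,
                        "runAsNonRoot": True, "runAsUser": 1000},
    "podSecurityContext": {"readOnlyRootFilesystem": True,
                           "runAsNonRoot": True, "runAsUser": 1000},
}
EMPTY_DEFAULTS = {"securityContext": {}, "podSecurityContext": {}}
```

With the empty defaults the lint reports every hardening setting as missing, which is the trade-off of shipping {} as the chart default: hardening is opt-in per deployment.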

@vincentsarago
Member

@ividito @ranchodeluxe would you be able to review this PR? 🙏

Contributor

@ranchodeluxe ranchodeluxe left a comment

All this looks good @holgerbach thanks for adding those changes 💯 A couple things:

  1. Can you add securityContext: {} and podSecurityContext: {} as defaults to the values.yml please, so this doesn't create empty blocks?
  2. And please bump the patch number of the chart version https://github.com/developmentseed/titiler/blob/main/deployment/k8s/charts/Chart.yaml#L5 (similar to how this PR did)

@ranchodeluxe
Contributor

@holgerbach: I see your previous commit added an empty {} but then you changed your mind.

I don't think most folks will want to use securityContext: by default. Do you mind changing it back to {} as the default?

@ranchodeluxe ranchodeluxe self-requested a review June 22, 2023 13:12
Contributor

@ranchodeluxe ranchodeluxe left a comment

@holgerbach: LGTM now though it seems there's a merge conflict to be resolved around Chart.yml version. Once that's fixed go ahead and merge please.

Note for future us: we'll probably want CI to automatically bump Chart versions for us in the future

@holgerbach holgerbach closed this Jun 23, 2023
@holgerbach holgerbach reopened this Jun 23, 2023
@vincentsarago vincentsarago merged commit 047453f into developmentseed:main Jun 23, 2023
ofirmakmal pushed a commit to edgybees/titiler that referenced this pull request Jun 28, 2023
MattBialas added a commit to Element84/titiler-mosaicjson that referenced this pull request Jul 31, 2023
* use titiler custom JSONResponse to handle NaN values (developmentseed#659)

* Added hostpath, imagepullsecret and termination grace period support.

* Version bump

* Security contexts for k8s (developmentseed#657)

* Fix pydantic to last working version (developmentseed#663)

Pydantic underwent a major API change in June-July 2023, from v1 to v2.

* sketch use of Annotated types (developmentseed#612)

* sketch use of Annotated types

* fix

* fix2

* full round of annotations

* more annotations

* update dependencies

* update changelog

* Fix errors in extension example docs (developmentseed#665)

* fixed custom extension docs

* fixed example in extensions readme

---------

Co-authored-by: Darell van der Voort <darellvdv@vidaX.local>

* fix expression case

* update morecantile, rio-tiler and cogeo-mosaic versions (developmentseed#664)

* update morecantile and rio-tiler versions

* update statistics methods

* update extensions

* update cogeo-mosaic

* remove mercantile

* add boto3

* fix mosaic deps

* fix and test algo

* name

* update jsonschema version

* more mosaic tests

* update stac extension

* update changelog

* remove deleted docs

* release date

* Bump version: 0.11.7 → 0.12.0

* Fixing test failures

---------

Co-authored-by: Vincent Sarago <vincent.sarago@gmail.com>
Co-authored-by: Ofir Makmal <ofir@edgybees.com>
Co-authored-by: Ofir Makmal <ofir.makmal@gmail.com>
Co-authored-by: sudobangbang <gregcorradini@gmail.com>
Co-authored-by: holgerbach <132660929+holgerbach@users.noreply.github.com>
Co-authored-by: Abhemanyu Sarin <86159004+abhemanyus@users.noreply.github.com>
Co-authored-by: d <darellvdv@gmail.com>
Co-authored-by: Darell van der Voort <darellvdv@vidaX.local>
3 participants