From 83cee2e25e39997e031d45dc225ace9a89384889 Mon Sep 17 00:00:00 2001
From: Paul Boyd
Date: Thu, 6 Feb 2025 11:41:08 -0500
Subject: [PATCH 1/2] feat(manifests): add securityContext to deployments
Set `seccompProfile`, forbid containers to run as root, and disable unnecessary system calls. This applies to:
- Model registry itself
- Example database (MySQL and PostgreSQL)
- Model registry UI
Signed-off-by: Paul Boyd
---
 .../base/model-registry-deployment.yaml | 16 ++++++++++++++++
 .../ui/base/model-registry-ui-deployment.yaml | 9 +++++++++
 .../db/model-registry-db-deployment.yaml | 11 +++++++++++
 .../overlays/postgres/kustomization.yaml | 2 +-
 .../postgres/model-registry-db-deployment.yaml | 12 +++++++++++-
 5 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/manifests/kustomize/base/model-registry-deployment.yaml b/manifests/kustomize/base/model-registry-deployment.yaml
index 8a5bbfbf2..be6503d51 100644
--- a/manifests/kustomize/base/model-registry-deployment.yaml
+++ b/manifests/kustomize/base/model-registry-deployment.yaml
@@ -16,6 +16,10 @@ spec:
 labels:
 component: model-registry-server
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
 containers:
 - name: rest-container
 args:
@@ -44,6 +48,11 @@ spec:
 tcpSocket:
 port: http-api
 timeoutSeconds: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 - name: grpc-container
 # ! Sync to the same MLMD version:
 # * backend/metadata_writer/requirements.in and requirements.txt
@@ -102,4 +111,11 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 5
 timeoutSeconds: 2
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: model-registry-server
diff --git a/manifests/kustomize/options/ui/base/model-registry-ui-deployment.yaml b/manifests/kustomize/options/ui/base/model-registry-ui-deployment.yaml
index 41e1aa456..0c051cf29 100644
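Review bot: `rest-container` gets no `runAsUser` in the second hunk of model-registry-deployment.yaml although the pod-level block added in the first hunk sets `runAsNonRoot: true`, so startup depends on the REST image declaring a numeric non-root USER, which the hunk does not show. The kubelet rejects a container under `runAsNonRoot` when the image user is root or a non-numeric name. `grpc-container` in the last hunk pins `runAsUser: 65534`; the `model-registry-ui` container in model-registry-ui-deployment.yaml is in the same position as `rest-container`. Either confirm both images carry a numeric USER or pin one next to `allowPrivilegeEscalation: false`, e.g. `runAsUser: 65534` and `runAsGroup: 65534` if the binary runs under that UID. The container spec starts and ends outside the hunk.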
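Review bot: None of the container-level blocks added in model-registry-deployment.yaml sets `readOnlyRootFilesystem: true`; the `grpc-container` block in the last hunk, the `rest-container` block in the hunk before it and the UI container in model-registry-ui-deployment.yaml all leave the root filesystem writable. If these processes write only to mounted volumes (not visible in the hunks), adding `readOnlyRootFilesystem: true` after `allowPrivilegeEscalation: false` closes that gap. The literal `65534` would also benefit from a comment, e.g. `# 65534 = nobody; pinned because runAsNonRoot needs a numeric UID`, if that is the reason it is set only on this container.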
--- a/manifests/kustomize/options/ui/base/model-registry-ui-deployment.yaml
+++ b/manifests/kustomize/options/ui/base/model-registry-ui-deployment.yaml
@@ -15,6 +15,10 @@ spec:
 app: model-registry-ui
 spec:
 serviceAccountName: model-registry-ui
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
 containers:
 - name: model-registry-ui
 image: model-registry-ui-image
@@ -51,3 +55,8 @@ spec:
 - containerPort: 8080
 args:
 - "--port=8080"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/manifests/kustomize/overlays/db/model-registry-db-deployment.yaml b/manifests/kustomize/overlays/db/model-registry-db-deployment.yaml
index 8303fb131..3d0affb6b 100644
--- a/manifests/kustomize/overlays/db/model-registry-db-deployment.yaml
+++ b/manifests/kustomize/overlays/db/model-registry-db-deployment.yaml
@@ -19,6 +19,10 @@ spec:
 annotations:
 sidecar.istio.io/inject: "false"
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
 containers:
 - name: db-container
 image: mysql:8.3.0
@@ -46,6 +50,13 @@ spec:
 volumeMounts:
 - name: metadata-mysql
 mountPath: /var/lib/mysql
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 volumes:
 - name: metadata-mysql
 persistentVolumeClaim:
diff --git a/manifests/kustomize/overlays/postgres/kustomization.yaml b/manifests/kustomize/overlays/postgres/kustomization.yaml
index e52acd8e9..8d71fc86a 100644
--- a/manifests/kustomize/overlays/postgres/kustomization.yaml
+++ b/manifests/kustomize/overlays/postgres/kustomization.yaml
@@ -39,7 +39,7 @@ vars:
 - name: POSTGRES_PORT
 objref:
 kind: ConfigMap
- name: model-registry-db-parameters
+ name: metadata-postgres-db-parameters
 apiVersion: v1
 fieldref:
 fieldpath: data.POSTGRES_PORT
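Review bot: With `runAsUser: 999` and every capability dropped in the second hunk of overlays/db/model-registry-db-deployment.yaml, the MySQL container can no longer adjust ownership of the `metadata-mysql` volume at `/var/lib/mysql` itself, and the pod-level securityContext added in that file's first hunk sets no `fsGroup`. Whether a freshly provisioned PersistentVolume is writable by UID 999 then depends on the storage provisioner, so the first start may fail with a permission error on the data directory. Adding `fsGroup: 999` beside `runAsNonRoot: true` would have the kubelet make the volume group-accessible where the volume type supports it. The Postgres overlay (`runAsUser: 70`, `/var/lib/postgresql/data`) has the same gap. The volumes list continues outside the hunk.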
diff --git a/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml b/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
index 061d109e1..ab4dbc744 100644
--- a/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
+++ b/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
@@ -19,6 +19,10 @@ spec:
 annotations:
 sidecar.istio.io/inject: "false"
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
 containers:
 - name: db-container
 image: postgres
@@ -36,8 +40,14 @@ spec:
 volumeMounts:
 - name: metadata-postgres
 mountPath: /var/lib/postgresql/data
+ securityContext:
+ runAsUser: 70
+ runAsGroup: 70
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 volumes:
 - name: metadata-postgres
 persistentVolumeClaim:
 claimName: metadata-postgres
-
From 386454cfb01ed7f88b2f64f62b034cc20740e0f8 Mon Sep 17 00:00:00 2001
From: Paul Boyd
Date: Fri, 7 Feb 2025 13:13:11 -0500
Subject: [PATCH 2/2] chore(manifests): rename metadata-postgres configmap and secret
- Rename `metadata-postgres-db-parameters` to `metadata-registry-db-parameters`
- Rename `metadata-postgres-db-secrets` to `metadata-registry-db-secrets`
Signed-off-by: Paul Boyd
---
 manifests/kustomize/overlays/postgres/kustomization.yaml | 6 +++---
 .../overlays/postgres/model-registry-db-deployment.yaml | 4 ++--
 .../postgres/patches/model-registry-deployment.yaml | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/manifests/kustomize/overlays/postgres/kustomization.yaml b/manifests/kustomize/overlays/postgres/kustomization.yaml
index 8d71fc86a..6a3822d8b 100644
--- a/manifests/kustomize/overlays/postgres/kustomization.yaml
+++ b/manifests/kustomize/overlays/postgres/kustomization.yaml
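Review bot: `runAsUser: 70` / `runAsGroup: 70` in the second hunk of the Postgres deployment is tied to one particular image build, yet the context line in the first hunk shows `image: postgres` with no tag. As far as I know UID 70 is the `postgres` account in the Alpine variant of the official image while the Debian-based default uses 999, so unless an image override elsewhere in the overlay selects the Alpine build, the server may run under a UID that has no account in the image and does not own its postgres directories. Pin the image to the matching variant (`image: postgres:<TAG>-alpine`, placeholder tag) or use the UID of the image actually deployed. A comment such as `# must match the postgres UID of the pinned image` above `runAsUser` would record the coupling.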
@@ -13,11 +13,11 @@ patchesStrategicMerge:
 - patches/model-registry-deployment.yaml
 configMapGenerator:
-- name: metadata-postgres-db-parameters
+- name: metadata-registry-db-parameters
 envs:
 - params.env
 secretGenerator:
-- name: metadata-postgres-db-secrets
+- name: metadata-registry-db-secrets
 envs:
 - secrets.env
 generatorOptions:
@@ -39,7 +39,7 @@ vars:
 - name: POSTGRES_PORT
 objref:
 kind: ConfigMap
- name: metadata-postgres-db-parameters
+ name: metadata-registry-db-parameters
 apiVersion: v1
 fieldref:
 fieldpath: data.POSTGRES_PORT
diff --git a/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml b/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
index ab4dbc744..5851fc6b1 100644
--- a/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
+++ b/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
@@ -31,9 +31,9 @@ spec:
 value: /var/lib/postgresql/data/pgdata
 envFrom:
 - configMapRef:
- name: metadata-postgres-db-parameters
+ name: metadata-registry-db-parameters
 - secretRef:
- name: metadata-postgres-db-secrets
+ name: metadata-registry-db-secrets
 ports:
 - name: postgres
 containerPort: 5432
diff --git a/manifests/kustomize/overlays/postgres/patches/model-registry-deployment.yaml b/manifests/kustomize/overlays/postgres/patches/model-registry-deployment.yaml
index 0f8fdbd09..9844feaae 100644
--- a/manifests/kustomize/overlays/postgres/patches/model-registry-deployment.yaml
+++ b/manifests/kustomize/overlays/postgres/patches/model-registry-deployment.yaml
@@ -16,9 +16,9 @@ spec:
 - $patch: replace
 envFrom:
 - configMapRef:
- name: metadata-postgres-db-parameters
+ name: metadata-registry-db-parameters
 - secretRef:
- name: metadata-postgres-db-secrets
+ name: metadata-registry-db-secrets
 - configMapRef:
 name: model-registry-configmap
 args: ["--grpc_port=$(MODEL_REGISTRY_GRPC_SERVICE_PORT)",