chore: Add securitycontext for PSS PoC (rootless Kubeflow) (#11462)

* Update securitycontext

Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>

Update ml-pipeline-scheduledworkflow-deployment.yaml

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

Update ml-pipeline-persistenceagent-deployment.yaml

Upstreaming off pss patches

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

Updating server,ui,visualization,veiwercrd deployment yaml

Signed-off-by: biswassri <58236793+biswassri@users.noreply.github.com>
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

Updating remaining PSS patches

Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>

* add cache-server

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

---------

Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

manifests/kustomize/base/cache/cache-deployment.yaml

@@ -16,6 +16,16 @@ spec:
     spec:
       containers:
       - name: server
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         image: gcr.io/ml-pipeline/cache-server:dummy
         env:
           - name: DEFAULT_CACHE_STALENESS

manifests/kustomize/base/metadata/base/metadata-envoy-deployment.yaml

@@ -24,3 +24,13 @@ spec:
           containerPort: 9090
         - name: envoy-admin
           containerPort: 9901
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL

manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml

@@ -23,6 +23,16 @@ spec:
         # * manifests/kustomize/base/metadata/base/metadata-grpc-deployment.yaml
         # * test/tag_for_hosted.sh
         image: gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         env:
         - name: DBCONFIG_USER
           valueFrom:

manifests/kustomize/base/pipeline/metadata-writer/metadata-writer-deployment.yaml

@@ -22,4 +22,14 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
       serviceAccountName: kubeflow-pipelines-metadata-writer

manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml

@@ -156,6 +156,16 @@ spec:
           failureThreshold: 12
           periodSeconds: 5
           timeoutSeconds: 2
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         resources:
           requests:
             cpu: 250m

manifests/kustomize/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml

@@ -37,6 +37,16 @@ spec:
         volumeMounts:
           - mountPath: /var/run/secrets/kubeflow/tokens
             name: persistenceagent-sa-token
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
       serviceAccountName: ml-pipeline-persistenceagent
       volumes:
         - name: persistenceagent-sa-token

manifests/kustomize/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml

@@ -31,4 +31,14 @@ spec:
               configMapKeyRef:
                 name: pipeline-install-config
                 key: cronScheduleTimezone
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
       serviceAccountName: ml-pipeline-scheduledworkflow

manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml

@@ -29,6 +29,16 @@ spec:
         - name: config-volume
           mountPath: /etc/config
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         env:
           - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
             value: /etc/config/viewer-pod-template.json

manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml

@@ -26,4 +26,14 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL    
       serviceAccountName: ml-pipeline-viewer-crd-service-account

manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml

@@ -46,6 +46,16 @@ spec:
           initialDelaySeconds: 3
           periodSeconds: 5
           timeoutSeconds: 2
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         resources:
             requests:
               cpu: 30m

manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml

@@ -13,6 +13,10 @@ spec:
             - workflow-controller-configmap
             - --executor-image
             - gcr.io/ml-pipeline/argoexec:v3.4.17-license-compliance
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
           resources:
             requests:
               cpu: 100m

manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml

@@ -30,6 +30,8 @@ spec:
             - --zap-log-level=4
             - '--discovery-interval=3600s' # less insane than 10 seconds
           securityContext:
+            seccompProfile: 
+              type: RuntimeDefault
             capabilities:
               drop:
               - ALL

manifests/kustomize/third-party/minio/base/minio-deployment.yaml

@@ -34,6 +34,16 @@ spec:
         name: minio
         ports:
         - containerPort: 9000
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
         - mountPath: /data
           name: data

manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml

@@ -53,6 +53,16 @@ spec:
         ports:
         - containerPort: 3306
           name: mysql
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
         - mountPath: /var/lib/mysql
           name: mysql-persistent-storage