feat: add securityContext to manifests
Apply the `securityContext` settings from upstream PR
[#768](kubeflow/model-registry#768)

Signed-off-by: Paul Boyd <pboyd@redhat.com>
pboyd committed Feb 13, 2025
1 parent eb01bd1 commit 15395aa
Showing 2 changed files with 17 additions and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/build-image-pr.yml
@@ -61,4 +61,4 @@ jobs:
##debug
#kubectl describe pods
#kubectl logs -l name=model-registry-db || true
kubectl wait --for=condition=Available=true modelregistries/modelregistry-sample --timeout=5m
kubectl wait --for=condition=Available=true modelregistries/modelregistry-sample --timeout=5m || (kubectl describe mr; exit 1)
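--- a/internal/controller/config/templates/deployment.yaml.tmpl
+++ b/internal/controller/config/templates/deployment.yaml.tmpl
@@ -34,6 +34,10 @@ spec:
 {{- end}}
 {{- end}}
 spec:
+securityContext:
+seccompProfile:
+type: RuntimeDefault
+runAsNonRoot: true
 containers:
 - args:
 - --grpc_port={{.Spec.Grpc.Port}}
@@ -197,6 +201,13 @@ spec:
 cpu: {{.Spec.Grpc.Resources.Limits.Cpu}}
 memory: {{.Spec.Grpc.Resources.Limits.Memory}}
 {{- end }}
+securityContext:
+runAsUser: 65534
+runAsGroup: 65534
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 - args:
 - --hostname=0.0.0.0
 - --port={{.Spec.Rest.Port}}
@@ -233,6 +244,11 @@ spec:
 cpu: {{.Spec.Rest.Resources.Limits.Cpu}}
 memory: {{.Spec.Rest.Resources.Limits.Memory}}
 {{- end }}
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 serviceAccountName: {{.Name}}
 volumes:
 {{- if .Spec.Postgres}}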
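Review bot: The REST container's `securityContext` (third hunk) omits the `runAsUser`/`runAsGroup` that the gRPC container sets in the second hunk, so under the pod-level `runAsNonRoot: true` it starts only if its image declares a numeric non-root USER; the kubelet refuses to start the container otherwise. Nothing visible here shows which user the REST image runs as, so either pin it the same way (`runAsUser: 65534` and `runAsGroup: 65534`) or add a comment such as `# UID comes from the image's numeric USER; runAsNonRoot is enforced at pod level` to record that the difference is deliberate. If this template is also deployed on platforms that allocate UIDs from a per-namespace range, the hard-coded 65534 on the gRPC container may be rejected at admission, which is worth confirming before release. Both container definitions begin or end outside the hunks shown.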
