fix: set restricted PSS sample context#1229
Conversation
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
thesuperzapper
left a comment
There was a problem hiding this comment.
As long as we resolve the comments, I am ok with this change.
But we should also make the change to the other WorkspaceKind samples.
| drop: | ||
| - ALL | ||
| runAsNonRoot: true | ||
| runAsUser: 1000 |
There was a problem hiding this comment.
We have no such requirement to run as 1000, and this has no relation to PSS.
Please remove.
| seccompProfile: | ||
| type: RuntimeDefault |
There was a problem hiding this comment.
We should sanity check that this does not break accelerator intergration for NVIDIA or AMD GPUs.
Summary
This PR updates the JupyterLab
WorkspaceKindsample so generated workspace pods are compatible with Kubernetes restricted Pod Security Standards.The change is limited to
workspaces/controller/manifests/kustomize/samples/jupyterlab_v1beta1_workspacekind.yamland adds:seccompProfile.type: RuntimeDefaultrunAsUser: 1000seccompProfile.type: RuntimeDefaultExisting
fsGroup: 100,allowPrivilegeEscalation: false,capabilities.drop: [ALL], andrunAsNonRoot: trueare preserved.No CRD defaults, controller reconciliation logic, codeserver, or rstudio samples are changed.
Validation
kubeflow/notebooks:notebooks-v2kustomize build workspaces/controller/manifests/kustomize/samplesWorkspaceKindgit diff --checkRelated
Related to kubeflow/community-distribution#3487.