-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add config for hub/proxy/autohttps container's securityContext #1708
Add config for hub/proxy/autohttps container's securityContext #1708
Conversation
This makes it possible to override the `securityContext` for the hub container spec, similar to how the hub container `resources` are overridable via `values.yaml`. By defualt the `securityContext` is the same as before. One use case for this is to be able to specify `capabilities` in order to run py-spy [1] on the hub container. One downside to this approach is that for anyone overriding the hub container `securityContext` may need to duplicate the `runAsUser` and `allowPrivilegeEscalation` entries which means they could fall out of alignment with the upstream chart. So an alternative to this full replacement approach is to add an optional `extraContainerSecurityContext` entry similar to how `extraVolumeMounts` works. The downside to that is it could eventually conflict with what is not extra in the parent chart. Another alternative is just adding a very specific and optional `containerCapabilities` value which if set *only* sets the `securityContext.capabilities` value in the container spec. For simplicity and flexibility this opts for the full replacement approach assuming the hub container `securityContext` will not change frequently. [1] https://github.com/benfred/py-spy#how-do-i-run-py-spy-in-kubernetes Closes jupyterhub#1677
Thanks for submitting your first pull request! You are awesome! 🤗 |
So with this update to the containerSecurityContext:
runAsUser: *hubUid
# Don't allow any process to execute as root inside the container
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_PTRACE I get this template output:
|
Thanks for your work, I think this PR makes sense and is sustainable enough long term to maintain. Note that for the end user of the chart to change this, it would be something like: # my-values.yaml
hub:
containerSecurityContext:
capabilities:
add:
- SYS_PTRACE The YAML anchor in the Helm charts Would you like to try that? One could either directly edit .Values.hub.containerSecurityContext by assigning it .Values.hub.uid or one could make a copy of it first, and modify the copy. If you search for |
Do you want the same thing to happen with
Yeah I can try that. I figured if someone overrode Also, if we take this approach of setting values in |
Should there be an entry in the CHANGELOG.md for this? Or are those rolled up at release time based on the commit history? |
This removes hub.uid from values.yaml and hard-codes the one place it was used (hub.containerSecurityContext.runAsUser). A deprecation note is added which can later be changed to a hard fail if desired.
If we deprecate and remove
Thoughts? |
If `hub.uid` is set to 0 then the deprecation note won't appear because the condition evaluates to false so use `hasKey` to see if the `hub.uid` entry exists regardless of value.
Test failures in Travis look unrelated but I can't restart the builds. |
543515a
to
d1daf01
Compare
I added a commit:
Ready for merge in my mind, what do you think @mriedem ? |
containerSecurityContext: | ||
allowPrivilegeEscalation: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is technically new since it wasn't defined before for traefik
correct? Maybe that's fine?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, since it passes the tests it should be fine though. It depends on whats going on inside the traefik container though I think. Hmmm, not too confident about this actually but this is the common good practice and the traefik docker image is a well used and docker-hub official image.
Thank you for your work on this @mriedem and congratulations on your first PR to the repo!!! ❤️ 🎉 |
Thanks for helping this along and yeah your changes look good to me, thanks for adding those. I wanted to see if I could fetch this change and do a local template build to see what the security context would look like with the capabilities changes we want to make but it sounds like this should work. Only remaining question I have is if there is an upcoming release of the chart planned or does that happen automatically? |
Oh I see, there are dev builds available: https://jupyterhub.github.io/helm-chart/#development-releases-jupyterhub so I guess I'm asking if there are plans on doing a stable release anytime soon? |
Can't say =/
You can always do |
That would indeed be a lot simpler than what I was thinking, I keep forgetting how you can just use That does make me think, we're unconditionally installing [1]
|
It may be valuable for the end user to have such configuration option, but its a pure convinience config that adds complexity (like the complexity for hub.uid) to the helm chart, so i wouldn't want us to add it. Documentation is of relevance though! |
This pull request has been mentioned on Jupyter Community Forum. There might be relevant details there: https://discourse.jupyter.org/t/scheduler-insufficient-memory-waiting-errors-any-suggestions/5314/4 |
This makes it possible to override the
securityContext
for the hub container spec, similar to how the hub container
resources
are overridable viavalues.yaml
. By default thesecurityContext
is the same as before.One use case for this is to be able to specify
capabilities
in order to run py-spy [1] on the hub container.
One downside to this approach is that for anyone overriding the
hub container
securityContext
may need to duplicate therunAsUser
andallowPrivilegeEscalation
entries which meansthey could fall out of alignment with the upstream chart. So an
alternative to this full replacement approach is to add an
optional
extraContainerSecurityContext
entry similar to howextraVolumeMounts
works. The downside to that is it couldeventually conflict with what is not extra in the parent chart.
Another alternative is just adding a very specific and optional
containerCapabilities
value which if set only sets thesecurityContext.capabilities
value in the container spec.For simplicity and flexibility this opts for the full replacement
approach assuming the hub container
securityContext
will not changefrequently.
[1] https://github.com/benfred/py-spy#how-do-i-run-py-spy-in-kubernetes
Closes #1677