-
Notifications
You must be signed in to change notification settings - Fork 876
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow all containers in the kubeflow namespace to run as non root #1756
Conversation
Hi @juliusvonkohout. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @juliusvonkohout , I think that sounds great, but we are in the process of moving development to upstream repos. Would you mind submitting these changes in those upstreams after the transition |
@juliusvonkohout I think this is a great effort. Regarding the cache deployer, it might also be interesting to look at kubeflow/pipelines#4695 as well. |
@Bobgy By the way what is your time estimation for Kubeflow 1.3? @davidspek Yes i will look into the cache deployer with low priority as soon as the main parts are running rootless. In the mean time i will work on getting a rootless istio-init with minikube and cilium CNI. |
@juliusvonkohout for KFP, you can contribute to github.com/kubeflow/pipelines/manifests/kustomize. @yanniszark do we have a map of where each application manifest is moved to |
Should everything regarding apps/pipeline/upstream/installs/multi-user/pipelines-profile-controller/ not be merged in this repository? I could not find another corresponding repository. |
Most of the fixes are upstream, but in 1.3.0 rc the newly developed Jupyterlab vscode and rstudio images are broken kubeflow/kubeflow#5808 |
except for the cache deployment and the notebooks everything is working with istio-cni. The only root container is the istio cni installer in kube-system. But that is not n security issue. |
For the record, the fix for notebook server images is to extend the notebook controller to set the SecurityContext in the StatefulSet. Nothing in the containers actually runs as root, and the S6 overlay can be used once the notebook controller is updated to accommodate this. |
@juliusvonkohout changes to manifests under |
Most of them have already been merged in 5-10 other pull requests. I am primarily waiting for Argo and the emissary executer on which @NikeNano and @Bobgy are working on. I will just close this PR at some point. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in one week if no further activity occurs. Thank you for your contributions. |
This is the most important next step #2014 |
My goal is to run kubeflow completly rootless except for istio-system.
I will use the istio CNI plugin to use rootless init containers.
The following changes are necessary:
I really hope that this makes it into kubeflow 1.3, because rootless containers are forbidden in many enterprise environments
Checklist:
Make sure you have installed kustomize == 3.2.1
make generate-changed-only
make test