You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@submarine.apache.org by "cdmikechen (Jira)" <ji...@apache.org> on 2022/01/10 09:56:00 UTC
[jira] [Commented] (SUBMARINE-1179) Add PodSecurityPolicies/SecurityContextConstraints for submarine
[ https://issues.apache.org/jira/browse/SUBMARINE-1179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471817#comment-17471817 ]
cdmikechen commented on SUBMARINE-1179:
---------------------------------------
These issue may need 3 tasks:
1. Add a cluster psp/scc in helm.
2. Submarine-Operator need to add corresponding service account, role and role bind, so that database, minio can start successfully.
3. Submarine-Server need to add corresponding service account in CRD, so that notebook-controller can create notebook statefulsets successfully.
> Add PodSecurityPolicies/SecurityContextConstraints for submarine
> ----------------------------------------------------------------
>
> Key: SUBMARINE-1179
> URL: https://issues.apache.org/jira/browse/SUBMARINE-1179
> Project: Apache Submarine
> Issue Type: Bug
> Components: Cloud-native Deployment
> Reporter: cdmikechen
> Priority: Major
>
> Database and minio need user uid 999 / 0 to run container, notebook need group uid 100 . Sometimes, K8s's security policy prohibits too small uid values.
> We need to add PodSecurityPolicies(k8s) or SecurityContextConstraints(openshift) to let pod run as a user with specified uid. e.g.
> {code:java}
> securityContext:
> runAsUser: 999
> {code}
> {code:java}
> securityContext:
> fsGroup: 100
> {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@submarine.apache.org
For additional commands, e-mail: dev-help@submarine.apache.org