You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@submarine.apache.org by "cdmikechen (Jira)" <ji...@apache.org> on 2022/01/10 09:56:00 UTC

[jira] [Commented] (SUBMARINE-1179) Add PodSecurityPolicies/SecurityContextConstraints for submarine

    [ https://issues.apache.org/jira/browse/SUBMARINE-1179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471817#comment-17471817 ] 

cdmikechen commented on SUBMARINE-1179:
---------------------------------------

These issue may need 3 tasks:
1. Add a cluster psp/scc in helm.
2. Submarine-Operator need to add corresponding service account, role and role bind, so that database, minio can start successfully.
3. Submarine-Server need to add corresponding service account in CRD, so that notebook-controller can create notebook statefulsets successfully.

> Add PodSecurityPolicies/SecurityContextConstraints for submarine
> ----------------------------------------------------------------
>
>                 Key: SUBMARINE-1179
>                 URL: https://issues.apache.org/jira/browse/SUBMARINE-1179
>             Project: Apache Submarine
>          Issue Type: Bug
>          Components: Cloud-native Deployment
>            Reporter: cdmikechen
>            Priority: Major
>
> Database and minio need user uid 999 / 0 to run container, notebook need group uid 100 . Sometimes, K8s's security policy prohibits too small uid values.
> We need to add PodSecurityPolicies(k8s) or SecurityContextConstraints(openshift) to let pod run as a user with specified uid. e.g.
> {code:java}
> securityContext:
>     runAsUser: 999
> {code}
> {code:java}
> securityContext:
>     fsGroup: 100
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@submarine.apache.org
For additional commands, e-mail: dev-help@submarine.apache.org