[autoscaler] Expose autoscaler container security context. (#752)
Expose configuration for the autoscaler container's security context.

Signed-off-by: Dmitri Gekhtman <dmitri.m.gekhtman@gmail.com>
DmitriGekhtman authored Dec 2, 2022
1 parent c610f70 commit 87ca10a
Showing 13 changed files with 691 additions and 0 deletions.
107 changes: 107 additions & 0 deletions helm-chart/kuberay-operator/crds/ray.io_rayclusters.yaml
@@ -205,6 +205,113 @@ spec:
resources required.
type: object
type: object
securityContext:
description: SecurityContext defines the security options the
container should be run with.
properties:
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation controls whether a process
can gain more privileges than its parent process
type: boolean
capabilities:
description: The capabilities to add/drop when running containers.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode.
type: boolean
procMount:
description: procMount denotes the type of proc mount to use
for the containers.
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root filesystem.
Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the container.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp profile
will be applied.
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to all
containers.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
upscalingMode:
description: UpscalingMode is "Conservative", "Default", or "Aggressive.
enum:
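Review bot: the new `securityContext` block is a straight pass-through of core/v1 SecurityContext with no validation beyond field types (no enum on `procMount` or `seccompProfile.type`, nothing forbidding `privileged: true` or `capabilities.add`), so any of those become settable on the autoscaler container directly from a RayCluster object. That is consistent with how the operator already exposes other container fields, but the commit message or docs should say that enforcement is left to Pod Security Admission or a policy engine acting on the pods the operator creates; a policy that validates RayCluster objects themselves will not see these fields until it is updated. The `gmsaCredentialSpec` description cut off at `(https://github.` is the CRD generator truncating the upstream Kubernetes comment at a period, not a hand edit, so it needs no change here.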
109 changes: 109 additions & 0 deletions helm-chart/kuberay-operator/crds/ray.io_rayjobs.yaml
@@ -231,6 +231,115 @@ spec:
compute resources required.
type: object
type: object
securityContext:
description: SecurityContext defines the security options
the container should be run with.
properties:
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation controls whether
a process can gain more privileges than its parent process
type: boolean
capabilities:
description: The capabilities to add/drop when running
containers.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode.
type: boolean
procMount:
description: procMount denotes the type of proc mount
to use for the containers.
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root
filesystem. Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as
a non-root user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the
container.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container.
properties:
localhostProfile:
description: localhostProfile indicates a profile
defined in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp
profile will be applied.
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to
all containers.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA
admission webhook (https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of
the GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container
should be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
upscalingMode:
description: UpscalingMode is "Conservative", "Default", or
"Aggressive.
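Review bot: this block is the same schema as in ray.io_rayclusters.yaml, nested one level deeper because RayJob embeds the RayCluster spec; the different line wrapping is only the indentation depth. Because all three chart CRDs have to stay in sync with the single Go type, confirm this copy came out of the CRD generator in the same run rather than being copied and re-wrapped by hand, otherwise the next regeneration will produce a noisy diff here.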
109 changes: 109 additions & 0 deletions helm-chart/kuberay-operator/crds/ray.io_rayservices.yaml
@@ -217,6 +217,115 @@ spec:
compute resources required.
type: object
type: object
securityContext:
description: SecurityContext defines the security options
the container should be run with.
properties:
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation controls whether
a process can gain more privileges than its parent process
type: boolean
capabilities:
description: The capabilities to add/drop when running
containers.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode.
type: boolean
procMount:
description: procMount denotes the type of proc mount
to use for the containers.
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root
filesystem. Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as
a non-root user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the
container.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container.
properties:
localhostProfile:
description: localhostProfile indicates a profile
defined in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp
profile will be applied.
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to
all containers.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA
admission webhook (https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of
the GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container
should be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
upscalingMode:
description: UpscalingMode is "Conservative", "Default", or
"Aggressive.
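Review bot: no issue with the schema itself; the thing to check outside this hunk is that the operator's own copies of these CRDs were regenerated in the same commit (the page reports 13 changed files but renders only 6), since the helm chart CRDs and the operator-side CRDs drifting apart is the usual way a new field ends up accepted by one install path and rejected by the other.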
3 changes: 3 additions & 0 deletions helm-chart/ray-cluster/values.yaml
@@ -27,6 +27,9 @@ head:
# autoscalerOptions:
# upscalingMode: Default
# idleTimeoutSeconds: 60
# securityContext: {}
# env: []
# envFrom: []
# resources specifies optional resource request and limit overrides for the autoscaler container.
# For large Ray clusters, we recommend monitoring container resource usage to determine if overriding the defaults is required.
# resources:
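Review bot: `# securityContext: {}` documents that the knob exists but gives a reader nothing to copy, and nothing on this page suggests the autoscaler sidecar needs root or extra capabilities; a commented hardened example would be more useful, e.g.
#   securityContext:
#     runAsNonRoot: true
#     allowPrivilegeEscalation: false
Also confirm that the chart template actually renders `head.autoscalerOptions` (including the new key) into the RayCluster spec; this hunk only adds the commented value, so that cannot be verified from the rendered files.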
4 changes: 4 additions & 0 deletions ray-operator/apis/ray/v1alpha1/raycluster_types.go
@@ -76,6 +76,10 @@ type AutoscalerOptions struct {
Env []v1.EnvVar `json:"env,omitempty"`
// Optional list of sources to populate environment variables in the autoscaler container.
EnvFrom []v1.EnvFromSource `json:"envFrom,omitempty"`
// SecurityContext defines the security options the container should be run with.
// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`
// IdleTimeoutSeconds is the number of seconds to wait before scaling down a worker pod which is not using Ray resources.
// Defaults to 60 (one minute).
IdleTimeoutSeconds *int32 `json:"idleTimeoutSeconds,omitempty"`
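Review bot: adding `SecurityContext` to `AutoscalerOptions` only makes the field settable; the change that matters is in the head-pod builder that has to copy it onto the autoscaler sidecar, and that file is not among the ones rendered here. If that path is missing or copies it onto the wrong container, the field is silently ignored and operators will believe the sidecar is hardened when it is not, so a unit test that builds the head pod with a non-nil SecurityContext and asserts it lands on the autoscaler container and not on the Ray head container would be the right companion to this hunk. The doc comment should also say the field is optional and what happens when it is unset (the sidecar inherits the pod-level context), matching the style of the `Env` and `EnvFrom` comments above; the copied core/v1 sentence about overriding PodSecurityContext is correct, but it describes the kubelet's behaviour rather than anything the operator does.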
5 changes: 5 additions & 0 deletions ray-operator/apis/ray/v1alpha1/zz_generated.deepcopy.go
