[autoscaler] Expose autoscaler container security context. #752

Merged
107 changes: 107 additions & 0 deletions helm-chart/kuberay-operator/crds/ray.io_rayclusters.yaml
@@ -205,6 +205,113 @@ spec:
resources required.
type: object
type: object
securityContext:
description: SecurityContext defines the security options the
container should be run with.
properties:
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation controls whether a process
can gain more privileges than its parent process
type: boolean
capabilities:
description: The capabilities to add/drop when running containers.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode.
type: boolean
procMount:
description: procMount denotes the type of proc mount to use
for the containers.
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root filesystem.
Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the container.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp profile
will be applied.
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to all
containers.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
upscalingMode:
description: UpscalingMode is "Conservative", "Default", or "Aggressive.
enum:
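Review bot: Two points on this regenerated schema block. First, the `gmsaCredentialSpec` description stops at `(https://github.`, which looks like the CRD generator truncating the upstream Kubernetes doc comment at its first period; it is harmless, but it also confirms this file should keep coming from the generator together with the Go type rather than being hand-edited. Second, this exposes the full `v1.SecurityContext`, so a RayCluster author can now set `privileged: true`, `hostProcess: true` or `capabilities.add` on the autoscaler container just as easily as the hardening fields (`runAsNonRoot`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `capabilities.drop`); the schema itself only checks types (the single `required` entry is `seccompProfile.type`), so bounding these values remains the job of Pod Security Admission or an equivalent admission policy on the namespace, which is worth a sentence in the PR description or docs.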
@@ -231,6 +231,115 @@ spec:
compute resources required.
type: object
type: object
securityContext:
description: SecurityContext defines the security options
the container should be run with.
properties:
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation controls whether
a process can gain more privileges than its parent process
type: boolean
capabilities:
description: The capabilities to add/drop when running
containers.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode.
type: boolean
procMount:
description: procMount denotes the type of proc mount
to use for the containers.
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root
filesystem. Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as
a non-root user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the
container.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container.
properties:
localhostProfile:
description: localhostProfile indicates a profile
defined in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp
profile will be applied.
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to
all containers.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA
admission webhook (https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of
the GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container
should be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
upscalingMode:
description: UpscalingMode is "Conservative", "Default", or
"Aggressive.
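Review bot: Nothing to change in this hunk itself; it is the same schema block as in `ray.io_rayclusters.yaml`, embedded one level deeper, consistent with the RayJob spec nesting a cluster spec. The thing to verify is that all three CRD files were regenerated from the same revision of `raycluster_types.go`: with structural schemas the API server prunes unknown fields silently, so a partially regenerated set would let one resource type accept `autoscalerOptions.securityContext` while another drops it on admission, and the autoscaler would then run without the intended hardening with no error to show for it.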
@@ -217,6 +217,115 @@ spec:
compute resources required.
type: object
type: object
securityContext:
description: SecurityContext defines the security options
the container should be run with.
properties:
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation controls whether
a process can gain more privileges than its parent process
type: boolean
capabilities:
description: The capabilities to add/drop when running
containers.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: Run container in privileged mode.
type: boolean
procMount:
description: procMount denotes the type of proc mount
to use for the containers.
type: string
readOnlyRootFilesystem:
description: Whether this container has a read-only root
filesystem. Default is false.
type: boolean
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as
a non-root user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to the
container.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by this container.
properties:
localhostProfile:
description: localhostProfile indicates a profile
defined in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp
profile will be applied.
type: string
required:
- type
type: object
windowsOptions:
description: The Windows specific settings applied to
all containers.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA
admission webhook (https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of
the GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container
should be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
upscalingMode:
description: UpscalingMode is "Conservative", "Default", or
"Aggressive.
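Review bot: The added block matches the RayJob one line for line, so no review point on the additions. One pre-existing nit visible in the trailing context: the `upscalingMode` description reads `"Conservative", "Default", or "Aggressive.` with the closing quote missing, which is inherited from the Go doc comment on `UpscalingMode` and is reproduced in all three CRDs; since it is not part of this change it belongs in a separate one-line fix rather than a hand edit to the generated files here.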
@@ -27,6 +27,9 @@ head:
# autoscalerOptions:
# upscalingMode: Default
# idleTimeoutSeconds: 60
# securityContext: {}
# env: []
# envFrom: []
# resources specifies optional resource request and limit overrides for the autoscaler container.
# For large Ray clusters, we recommend monitoring container resource usage to determine if overriding the defaults is required.
# resources:
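Review bot: The commented `# securityContext: {}` tells chart users that the key exists but not what to put in it, and this values file is where someone trying to satisfy a restricted Pod Security Standard will look first. Consider making the example copy-pastable by showing the hardened form instead of the empty map, along the lines of `#   securityContext:` / `#     runAsNonRoot: true` / `#     allowPrivilegeEscalation: false`, plus `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` if the autoscaler runs fine under them; the surrounding `resources:` comment already sets this pattern of a commented, realistic example.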
@@ -76,6 +76,10 @@ type AutoscalerOptions struct {
Env []v1.EnvVar `json:"env,omitempty"`
// Optional list of sources to populate environment variables in the autoscaler container.
EnvFrom []v1.EnvFromSource `json:"envFrom,omitempty"`
// SecurityContext defines the security options the container should be run with.
// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`
// IdleTimeoutSeconds is the number of seconds to wait before scaling down a worker pod which is not using Ray resources.
// Defaults to 60 (one minute).
IdleTimeoutSeconds *int32 `json:"idleTimeoutSeconds,omitempty"`
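Review bot: The field is added to the API type, but the files rendered on this page do not include the change in the autoscaler container builder that copies `SecurityContext` onto the container, nor a unit test asserting that a configured context lands on the autoscaler container and that a nil value leaves the existing behaviour untouched. If that change is part of the PR it simply did not render here; if not, the field will round-trip through the API and the CRDs but have no effect. The doc comment is accurate (a container-level context overrides the matching `PodSecurityContext` fields), and the `v1.SecurityContext` type matches the `v1.EnvVar` / `v1.EnvFromSource` imports already used in this struct, so no change needed there.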
5 changes: 5 additions & 0 deletions ray-operator/apis/ray/v1alpha1/zz_generated.deepcopy.go