Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Helm] Expose security context in helm chart. #773

Merged
merged 2 commits into from
Dec 2, 2022
Merged

[Helm] Expose security context in helm chart. #773

merged 2 commits into from
Dec 2, 2022

Conversation

DmitriGekhtman
Copy link
Collaborator

Signed-off-by: Dmitri Gekhtman [email protected]

Why are these changes needed?

Exposes securityContext in Helm charts.
See #750.

TODO: Test with the workflows in #750

Related issue number

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • This PR is not tested :(

@DmitriGekhtman
Copy link
Collaborator Author

cc @juliusvonkohout

@juliusvonkohout
Copy link

I only took a glimpse, but is the naming really consistent?

@DmitriGekhtman
Copy link
Collaborator Author

I only took a glimpse, but is the naming really consistent?

I'm open to suggestions!

My main consideration when making changes to these charts is backwards compatibility.
I'm not 100% pleased with the previous decisions that were made, but for now I'm just trying to expose the necessary configuration while keeping things consistent with what's already there.

@DmitriGekhtman
Copy link
Collaborator Author

I only took a glimpse, but is the naming really consistent?

Basically, I'm saying
"No, the naming is not completely consistent. But it's the best I can do at the moment."

@juliusvonkohout
Copy link

juliusvonkohout commented Dec 1, 2022
edited
Loading

Alright, then why do we not take the values from the other PR instead of SecurityContext: {}?

@DmitriGekhtman
Copy link
Collaborator Author

Alright, then why do we not take the values from the other PR instead of SecurityContext: {}?

I'd prefer to simply expose the configuration rather than copying it everywhere.

@DmitriGekhtman
Copy link
Collaborator Author

Alright, then why do we not take the values from the other PR instead of SecurityContext: {}?

I'd prefer to simply expose the configuration rather than copying it everywhere.

Actually, sure -- I'll set the defaults to the recommended securityContext and then let users override as needed.

@DmitriGekhtman
Copy link
Collaborator Author

Alright, then why do we not take the values from the other PR instead of SecurityContext: {}?

I'd prefer to simply expose the configuration rather than copying it everywhere.

Actually, sure -- I'll set the defaults to the recommended securityContext and then let users override as needed.

Will repeat the same treatment for the auto-configured autoscaler container.

@DmitriGekhtman
Copy link
Collaborator Author

Alright, then why do we not take the values from the other PR instead of SecurityContext: {}?

Actually, never mind.

The reason for not doing this by default is

  1. It makes debugging more difficult for infra developers.
  2. It appears at the moment to interact poorly with OpenShift.

Thus, it's better to clearly document the security context recommendation, but not to copy the more restrictive configuration everywhere.

@DmitriGekhtman
Copy link
Collaborator Author

Thanks, @juliusvonkohout for prodding us to ensure that Ray can run on Kubernetes with proper security configuration!

@DmitriGekhtman
Copy link
Collaborator Author

@kevin85421 this works exactly as expected when the relevant securityContext configuration is added.
It fails exactly as expected when the relevant securityContext configuration is removed.

kevin85421
kevin85421 approved these changes Dec 2, 2022
View reviewed changes
Copy link
Member

@kevin85421 kevin85421 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@DmitriGekhtman DmitriGekhtman merged commit c610f70 into ray-project:master Dec 2, 2022
lowang-bh pushed a commit to lowang-bh/kuberay that referenced this pull request Sep 24, 2023
@DmitriGekhtman
Expose security context in helm chart. (ray-project#773)
ece084f 
Expose securityContext for Ray container and initContainer in ray-cluster helm chart.

Signed-off-by: Dmitri Gekhtman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kevin85421 kevin85421 kevin85421 approved these changes

Assignees
No one assigned
Labels
kubeflow-integration
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@DmitriGekhtman @juliusvonkohout @kevin85421