From 2cd631cf8455d58d63bb1c483346681c0a74e95d Mon Sep 17 00:00:00 2001
From: Marcin
Date: Mon, 11 Dec 2023 14:35:52 +0100
Subject: [PATCH] [Issue #741] Add fsGroup for runtime pod (#743)

---
 .../deployer/k8s/apps/AppResourcesFactory.java | 18 ++++++------------
 .../k8s/apps/AppResourcesFactoryTest.java | 8 ++++++++
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java
index ba12db6bd..ae49260b9 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java
@@ -32,18 +32,7 @@ import ai.langstream.runtime.api.application.ApplicationSetupConstants;
 import ai.langstream.runtime.api.deployer.RuntimeDeployerConfiguration;
 import ai.langstream.runtime.api.deployer.RuntimeDeployerConstants;
-import io.fabric8.kubernetes.api.model.Container;
-import io.fabric8.kubernetes.api.model.ContainerBuilder;
-import io.fabric8.kubernetes.api.model.EmptyDirVolumeSource;
-import io.fabric8.kubernetes.api.model.EnvVar;
-import io.fabric8.kubernetes.api.model.EnvVarBuilder;
-import io.fabric8.kubernetes.api.model.KeyToPathBuilder;
-import io.fabric8.kubernetes.api.model.Pod;
-import io.fabric8.kubernetes.api.model.Quantity;
-import io.fabric8.kubernetes.api.model.Volume;
-import io.fabric8.kubernetes.api.model.VolumeBuilder;
-import io.fabric8.kubernetes.api.model.VolumeMount;
-import io.fabric8.kubernetes.api.model.VolumeMountBuilder;
+import io.fabric8.kubernetes.api.model.*;
 import io.fabric8.kubernetes.api.model.batch.v1.Job;
 import io.fabric8.kubernetes.api.model.batch.v1.JobBuilder;
 import io.fabric8.kubernetes.client.KubernetesClient;
@@ -393,6 +382,7 @@ private static Job generateJob(
                         .withLabels(labels)
                         .endMetadata()
                         .withNewSpec()
+                        .withSecurityContext(getPodSecurityContext())
                         .withTolerations(podTemplate != null ? podTemplate.tolerations() : null)
                         .withNodeSelector(podTemplate != null ? podTemplate.nodeSelector() : null)
                         .withServiceAccountName(serviceAccountName)
@@ -466,6 +456,10 @@ private static Map getPodAnnotations(PodTemplate podTemplate) {
         return annotations;
     }
 
+    private static PodSecurityContext getPodSecurityContext() {
+        return new PodSecurityContextBuilder().withFsGroup(10_000L).build();
+    }
+
     public static Map getLabelsForDeployer(boolean delete, String applicationId) {
         return Map.of(
                 CRDConstants.COMMON_LABEL_APP,
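Review bot: The wildcard `import io.fabric8.kubernetes.api.model.*;` that replaces the twelve explicit imports in the first hunk hides which model types this file actually depends on and leaves room for silent name clashes with other imported packages as the fabric8 model grows, while the change itself only needs two new names. Keep the explicit list and add `import io.fabric8.kubernetes.api.model.PodSecurityContext;` and `import io.fabric8.kubernetes.api.model.PodSecurityContextBuilder;` in alphabetical position. The same explicit-import convention is what the rest of the visible import block follows.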
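Review bot: `getPodSecurityContext()` in the last hunk bakes the group id in as the literal `10_000L` with no comment saying where the value comes from, and the expected `fsGroup: 10000` in the test fixture is the only other place it appears. Hoist it to a documented constant, e.g. `private static final long RUNTIME_POD_FS_GROUP = 10_000L; // TODO confirm: group the runtime image runs as, so mounted volumes are group-writable`, and give the helper a Javadoc saying that it sets only fsGroup. That Javadoc should also state that fsGroup changes the group ownership of the pod's volumes and does not by itself make the containers run as non-root; if that is wanted too, runAsNonRoot/runAsUser are separate fields, presumably out of scope for this change. The call site in generateJob (second hunk, whose body starts and ends outside the hunk) applies this context unconditionally, ahead of the podTemplate-derived tolerations and nodeSelector.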
diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java
index e04465590..9e98f1620 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java
@@ -127,6 +127,8 @@ void testDeployerJob() {
                           - mountPath: /cluster-runtime-config
                             name: cluster-runtime-config
                         restartPolicy: Never
+                        securityContext:
+                          fsGroup: 10000
                         serviceAccountName: my-tenant
                         volumes:
                         - emptyDir: {}
@@ -226,6 +228,8 @@ void testDeployerJob() {
                           - mountPath: /cluster-runtime-config
                             name: cluster-runtime-config
                         restartPolicy: Never
+                        securityContext:
+                          fsGroup: 10000
                         serviceAccountName: my-tenant
                         volumes:
                         - emptyDir: {}
@@ -342,6 +346,8 @@ void testSetupJob() {
                           - mountPath: /cluster-runtime-config
                             name: cluster-runtime-config
                         restartPolicy: Never
+                        securityContext:
+                          fsGroup: 10000
                         serviceAccountName: runtime-my-tenant
                         volumes:
                         - emptyDir: {}
@@ -438,6 +444,8 @@ void testSetupJob() {
                           - mountPath: /cluster-runtime-config
                             name: cluster-runtime-config
                         restartPolicy: Never
+                        securityContext:
+                          fsGroup: 10000
                         serviceAccountName: runtime-my-tenant
                         volumes:
                         - emptyDir: {}