diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java
index 2aefaa906..33487489e 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java
@@ -41,6 +41,8 @@
 import io.fabric8.kubernetes.api.model.PersistentVolumeClaim;
 import io.fabric8.kubernetes.api.model.PersistentVolumeClaimBuilder;
 import io.fabric8.kubernetes.api.model.Pod;
+import io.fabric8.kubernetes.api.model.PodSecurityContext;
+import io.fabric8.kubernetes.api.model.PodSecurityContextBuilder;
 import io.fabric8.kubernetes.api.model.Probe;
 import io.fabric8.kubernetes.api.model.ProbeBuilder;
 import io.fabric8.kubernetes.api.model.Quantity;
@@ -304,6 +306,7 @@ public static StatefulSet generateStatefulSet(GenerateStatefulsetParams params)
 .withTolerations(podTemplate != null ? podTemplate.tolerations() : null)
 .withNodeSelector(podTemplate != null ? podTemplate.nodeSelector() : null)
 .withTerminationGracePeriodSeconds(60L)
+ .withSecurityContext(getPodSecurityContext())
 .withInitContainers(
 List.of(
 injectConfigForDownloadCodeInitContainer,
@@ -464,6 +467,10 @@ private static Map getPodAnnotations(AgentSpec spec, PodTemplate
 return annotations;
 }
+ private static PodSecurityContext getPodSecurityContext() {
+ return new PodSecurityContextBuilder().withFsGroup(10_000L).build();
+ }
+
 private static String getStsImagePullPolicy(GenerateStatefulsetParams params) {
 final String imagePullPolicy = params.getImagePullPolicy();
 final String containerImagePullPolicy =
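Review bot: The `.withSecurityContext(getPodSecurityContext())` call added in `generateStatefulSet` is unconditional, whereas the neighbouring `tolerations` and `nodeSelector` are taken from `podTemplate`. A cluster whose admission policy restricts the permitted `fsGroup` range could reject every agent pod, and the operator has no setting to change the value. Consider letting `podTemplate` or the deployer configuration supply the pod security context, with the current value as the default. The builder chain starts and ends outside this hunk.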
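Review bot: `getPodSecurityContext()` sets only `fsGroup`, which controls group ownership of mounted volumes but does not constrain the identity the containers run as. If the agent image is meant to run unprivileged, state that in the pod spec as well, e.g. `.withRunAsNonRoot(true)`, and consider `.withFsGroupChangePolicy("OnRootMismatch")` so persistent volumes are not recursively re-owned on every mount. The literal `10_000L` would be clearer as a named constant with a short Javadoc saying which group id in the runtime image it has to match (that mapping is not visible in this diff). The same commit removes this context from the deployer and setup Jobs in AppResourcesFactory, so those pods now carry no pod-level security context; it is worth confirming that they mount nothing that relied on the group ownership.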
diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java
index ae49260b9..ba12db6bd 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/apps/AppResourcesFactory.java
@@ -32,7 +32,18 @@
 import ai.langstream.runtime.api.application.ApplicationSetupConstants;
 import ai.langstream.runtime.api.deployer.RuntimeDeployerConfiguration;
 import ai.langstream.runtime.api.deployer.RuntimeDeployerConstants;
-import io.fabric8.kubernetes.api.model.*;
+import io.fabric8.kubernetes.api.model.Container;
+import io.fabric8.kubernetes.api.model.ContainerBuilder;
+import io.fabric8.kubernetes.api.model.EmptyDirVolumeSource;
+import io.fabric8.kubernetes.api.model.EnvVar;
+import io.fabric8.kubernetes.api.model.EnvVarBuilder;
+import io.fabric8.kubernetes.api.model.KeyToPathBuilder;
+import io.fabric8.kubernetes.api.model.Pod;
+import io.fabric8.kubernetes.api.model.Quantity;
+import io.fabric8.kubernetes.api.model.Volume;
+import io.fabric8.kubernetes.api.model.VolumeBuilder;
+import io.fabric8.kubernetes.api.model.VolumeMount;
+import io.fabric8.kubernetes.api.model.VolumeMountBuilder;
 import io.fabric8.kubernetes.api.model.batch.v1.Job;
 import io.fabric8.kubernetes.api.model.batch.v1.JobBuilder;
 import io.fabric8.kubernetes.client.KubernetesClient;
@@ -382,7 +393,6 @@ private static Job generateJob(
 .withLabels(labels)
 .endMetadata()
 .withNewSpec()
- .withSecurityContext(getPodSecurityContext())
 .withTolerations(podTemplate != null ? podTemplate.tolerations() : null)
 .withNodeSelector(podTemplate != null ? podTemplate.nodeSelector() : null)
 .withServiceAccountName(serviceAccountName)
@@ -456,10 +466,6 @@ private static Map getPodAnnotations(PodTemplate podTemplate) {
 return annotations;
 }
- private static PodSecurityContext getPodSecurityContext() {
- return new PodSecurityContextBuilder().withFsGroup(10_000L).build();
- }
-
 public static Map getLabelsForDeployer(boolean delete, String applicationId) {
 return Map.of(
 CRDConstants.COMMON_LABEL_APP,
diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java
index 927b65605..9c4d24775 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java
@@ -179,6 +179,8 @@ void testStatefulsetAndService() {
 name: download-config
 - mountPath: /app-code-download
 name: code-download
+ securityContext:
+ fsGroup: 10000
 serviceAccountName: runtime-my-tenant
 terminationGracePeriodSeconds: 60
 volumes:
diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java
index 9e98f1620..e04465590 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/apps/AppResourcesFactoryTest.java
@@ -127,8 +127,6 @@ void testDeployerJob() {
 - mountPath: /cluster-runtime-config
 name: cluster-runtime-config
 restartPolicy: Never
- securityContext:
- fsGroup: 10000
 serviceAccountName: my-tenant
 volumes:
 - emptyDir: {}
@@ -228,8 +226,6 @@ void testDeployerJob() {
 - mountPath: /cluster-runtime-config
 name: cluster-runtime-config
 restartPolicy: Never
- securityContext:
- fsGroup: 10000
 serviceAccountName: my-tenant
 volumes:
 - emptyDir: {}
@@ -346,8 +342,6 @@ void testSetupJob() {
 - mountPath: /cluster-runtime-config
 name: cluster-runtime-config
 restartPolicy: Never
- securityContext:
- fsGroup: 10000
 serviceAccountName: runtime-my-tenant
 volumes:
 - emptyDir: {}
@@ -444,8 +438,6 @@ void testSetupJob() {
 - mountPath: /cluster-runtime-config
 name: cluster-runtime-config
 restartPolicy: Never
- securityContext:
- fsGroup: 10000
 serviceAccountName: runtime-my-tenant
 volumes:
 - emptyDir: {}