make pod security context fully configurable #186

Merged 1 commit on Aug 28, 2024

CatherineThompson
Member

No description provided.

cla-bot bot commented Jun 21, 2024

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch from bbe335f to ede48f2 Compare June 21, 2024 01:10
@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch from ede48f2 to fa91d19 Compare June 21, 2024 14:36
@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch from fa91d19 to 5fa770f Compare June 21, 2024 23:30
@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch from 5fa770f to cfc9018 Compare June 21, 2024 23:35

runAsUser: {{ .runAsUser }}
runAsGroup: {{ .runAsGroup }}
{{- end }}
{{- toYaml .Values.securityContext | nindent 8 }}
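
Review bot: the last line passes `.Values.securityContext` straight through `toYaml` with no guard, so a null value renders as `null` and an empty map as `{}` under the key instead of the key being omitted. Wrap the line in `{{- with .Values.securityContext }}` ... `{{- end }}`, and add a comment in values.yaml stating how to clear the default. Since any user-supplied map now reaches the pod spec unchanged, that comment should also say which non-root `runAsUser`/`runAsGroup` the chart ships by default, so that an override which drops them is a visible decision.
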
Member

According to #181, it might be a good idea to put the whole securityContext in a condition block, in case it's empty.

Member Author

If I add securityContext: ~ to a values file, the template renders as securityContext: null which then gets applied as securityContext: {}. It seems to handle that situation. If you think a condition block reads better, I'll add it in.

Member

So we don't need a condition block, thanks! Can you document that in the comment for this section?

Member

I tested this and it doesn't work with either ~, empty string or an empty object. Please put this in a conditional block.

Member Author

Hmm, I wonder why I wasn't able to reproduce the issue. Yeah, I'll put in the conditional sometime today.

Member Author

@nineinchnick I've put the with condition back in and also added the ability to configure the security context for the jmx exporter container.

Member

Interesting, it's now possible to clear the securityContext with ~, but not with {}. Can you either document it, or change the with block into an if?

Member Author

Alright, I've updated the documentation.
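
The difference between `~` and `{}` noted in this thread is consistent with two documented Helm behaviours: user values are deep-merged over chart defaults with a null override deleting the key, and `with` skips its block for empty values. The sketch below is an added example, not code from the chart or from Helm; it is a simplified Python model of those two rules, and the default UID/GID values and function names are constructed for illustration.

```python
# Simplified model (not Helm's code) of:
#  1. value coalescing: overrides deep-merge onto defaults, null deletes the key
#  2. `with`: the block is skipped when the value is empty (None, {}, "", 0, False)

# Constructed chart defaults; the real chart's values are not shown on this page.
CHART_DEFAULTS = {"securityContext": {"runAsUser": 1000, "runAsGroup": 1000}}


def coalesce(defaults, overrides):
    """Deep-merge overrides onto defaults; a None override removes the key."""
    merged = dict(defaults)
    for key, value in overrides.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = coalesce(merged[key], value)
        else:
            merged[key] = value
    return merged


def render_with(values):
    """Model `{{- with .Values.securityContext }}`: None means key omitted."""
    ctx = values.get("securityContext")
    return ctx if ctx else None


def effective_context(overrides):
    """securityContext that would reach the pod spec for a given values file."""
    return render_with(coalesce(CHART_DEFAULTS, overrides))


def audit(overrides):
    """Flag overrides that leave the pod without a non-root guarantee."""
    ctx = effective_context(overrides)
    if ctx is None:
        return "no securityContext: pod runs as the image's default user"
    if ctx.get("runAsUser") == 0 or ctx.get("runAsNonRoot") is False:
        return "securityContext allows root"
    return "ok"


if __name__ == "__main__":
    for label, ov in [("~", {"securityContext": None}),
                      ("{}", {"securityContext": {}}),
                      ("root", {"securityContext": {"runAsUser": 0}})]:
        print(label, "->", effective_context(ov), "|", audit(ov))
```

In this model `{}` merges into the defaults and changes nothing, while `~` removes the key so the `with` block emits no `securityContext` at all, which is the case worth flagging in a values-file review.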

@CatherineThompson CatherineThompson marked this pull request as ready for review June 27, 2024 02:08
@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch from cfc9018 to ee0ef51 Compare June 27, 2024 02:10
@cla-bot cla-bot bot added the cla-signed label Jun 27, 2024
@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch 3 times, most recently from 336535e to e6f04ea Compare June 28, 2024 23:19
@CatherineThompson CatherineThompson force-pushed the ct-pod-security-context branch 5 times, most recently from ff036b3 to 7ed479a Compare August 26, 2024 16:46
@nineinchnick nineinchnick merged commit f71d9f7 into trinodb:main Aug 28, 2024
9 checks passed