This is an automated email from the ASF dual-hosted git repository.
rexxiong pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/celeborn.git
The following commit(s) were added to refs/heads/main by this push:
new eb2449ced [CELEBORN-1989][HELM] Split securityContext into
master.podSecurityContext and worker.podSecurityContext
eb2449ced is described below
commit eb2449cedecb5301994b2fc9d1a7bde7f58fbd6a
Author: Yi Chen <[email protected]>
AuthorDate: Tue May 13 16:32:54 2025 +0800
[CELEBORN-1989][HELM] Split securityContext into master.podSecurityContext
and worker.podSecurityContext
### What changes were proposed in this pull request?
- Split `securityContext` into `master.podSecurityContext` and
`worker.podSecurityContext`.
- Add `master.securityContext` and `worker.securityContext` for
container-level security configurations.
### Why are the changes needed?
Allow separate configurations for master/worker pod-level/container-level
security context.
### Does this PR introduce _any_ user-facing change?
Yes.
### How was this patch tested?
Run Helm unit tests by `helm unittest charts/celeborn --file
"tests/**/*_test.yaml" --strict --debug`.
Closes #3251 from ChenYi015/helm/security-context.
Authored-by: Yi Chen <[email protected]>
Signed-off-by: Shuang <[email protected]>
---
charts/celeborn/ci/values.yaml | 9 -----
charts/celeborn/templates/master/statefulset.yaml | 8 +++-
charts/celeborn/templates/worker/statefulset.yaml | 8 +++-
charts/celeborn/tests/master/statefulset_test.yaml | 40 +++++++++++++++++---
charts/celeborn/tests/worker/statefulset_test.yaml | 40 +++++++++++++++++---
charts/celeborn/values.yaml | 43 +++++++++++++++++-----
6 files changed, 116 insertions(+), 32 deletions(-)
diff --git a/charts/celeborn/ci/values.yaml b/charts/celeborn/ci/values.yaml
index dbe423378..4298603e1 100644
--- a/charts/celeborn/ci/values.yaml
+++ b/charts/celeborn/ci/values.yaml
@@ -139,15 +139,6 @@ worker:
# -- Whether to use the host's network namespace in Celeborn worker pods.
hostNetwork: true
-# -- Container security context
-securityContext:
- # Specifies the user ID to run the entrypoint of the container process
- runAsUser: 10006
- # Specifies the group ID to run the entrypoint of the container process
- runAsGroup: 10006
- # Specifies the group ID to use when modifying ownership and permissions of
the mounted volumes
- fsGroup: 10006
-
podMonitor:
# -- Specifies whether to enable creating pod monitors for Celeborn pods
enable: false
diff --git a/charts/celeborn/templates/master/statefulset.yaml
b/charts/celeborn/templates/master/statefulset.yaml
index d890aa2cf..e863e1276 100644
--- a/charts/celeborn/templates/master/statefulset.yaml
+++ b/charts/celeborn/templates/master/statefulset.yaml
@@ -48,7 +48,7 @@ spec:
{{- end }}
command:
- chown
- - {{ .Values.securityContext.runAsUser | default 10006 }}:{{
.Values.securityContext.runAsGroup | default 10006 }}
+ - {{ .Values.master.podSecurityContext.runAsUser | default 10006 }}:{{
.Values.master.podSecurityContext.runAsGroup | default 10006 }}
- {{ (index $dirs 0).mountPath }}
volumeMounts:
- name: {{ $.Release.Name }}-master-vol-0
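Review bot: The chown target on the replaced line is taken from `master.podSecurityContext` only, but the container-level `master.securityContext` introduced later in this file overrides `runAsUser`/`runAsGroup` for the main container (container fields take precedence over pod-level ones in Kubernetes), so a user who sets only `master.securityContext.runAsUser` ends up with volumes owned by 10006 while the process runs as a different UID. Prefer the container-level value when present, guarding for the null default of `master.securityContext` in values.yaml: `- {{ (.Values.master.securityContext | default dict).runAsUser | default .Values.master.podSecurityContext.runAsUser | default 10006 }}:{{ (.Values.master.securityContext | default dict).runAsGroup | default .Values.master.podSecurityContext.runAsGroup | default 10006 }}`. The same mismatch exists in the corresponding hunk of `charts/celeborn/templates/worker/statefulset.yaml`. The container definition holding this `command:` starts before the hunk.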
@@ -105,6 +105,10 @@ spec:
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.master.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
@@ -147,7 +151,7 @@ spec:
{{- with .Values.master.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
- {{- with .Values.securityContext }}
+ {{- with .Values.master.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
diff --git a/charts/celeborn/templates/worker/statefulset.yaml
b/charts/celeborn/templates/worker/statefulset.yaml
index 5f20eaa28..98a9d818a 100644
--- a/charts/celeborn/templates/worker/statefulset.yaml
+++ b/charts/celeborn/templates/worker/statefulset.yaml
@@ -48,7 +48,7 @@ spec:
{{- end }}
command:
- chown
- - {{ .Values.securityContext.runAsUser | default 10006 }}:{{
.Values.securityContext.runAsGroup | default 10006 }}
+ - {{ .Values.worker.podSecurityContext.runAsUser | default 10006 }}:{{
.Values.worker.podSecurityContext.runAsGroup | default 10006 }}
{{- range $dir := $dirs }}
- {{ $dir.mountPath }}
{{- end}}
@@ -108,6 +108,10 @@ spec:
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.worker.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
@@ -150,7 +154,7 @@ spec:
{{- with .Values.worker.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
- {{- with .Values.securityContext }}
+ {{- with .Values.worker.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
diff --git a/charts/celeborn/tests/master/statefulset_test.yaml
b/charts/celeborn/tests/master/statefulset_test.yaml
index d06b75b18..272a3219b 100644
--- a/charts/celeborn/tests/master/statefulset_test.yaml
+++ b/charts/celeborn/tests/master/statefulset_test.yaml
@@ -164,6 +164,35 @@ tests:
cpu: 100m
memory: 128Mi
+ - it: Should add container securityContext if `master.securityContext` is set
+ set:
+ master:
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 3000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ privileged: false
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 3000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ privileged: false
+
- it: Should add secrets if `imagePullSecrets` is set
set:
imagePullSecrets:
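Review bot: The new test case sets and asserts `fsGroup: 3000` under `spec.template.spec.containers[0].securityContext`, but `fsGroup` is a PodSecurityContext field and is not accepted in a container's `securityContext`; helm unittest only compares rendered YAML, so the case passes here while the API server (and Helm's OpenAPI validation at install time) would reject such a manifest with an unknown-field error. Drop `fsGroup` from both the `set:` and `value:` blocks so the test describes a deployable configuration, and do the same in the matching case in `charts/celeborn/tests/worker/statefulset_test.yaml` and in the commented examples under `master.securityContext` and `worker.securityContext` in `charts/celeborn/values.yaml`. The `tests:` sequence containing this case starts before the hunk.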
@@ -284,12 +313,13 @@ tests:
path: spec.template.spec.hostNetwork
value: true
- - it: Should use the specified security context if `podSecurityContext` is
set
+ - it: Should use the specified security context if
`master.podSecurityContext` is set
set:
- securityContext:
- runAsUser: 1000
- runAsGroup: 2000
- fsGroup: 3000
+ master:
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 3000
asserts:
- equal:
path: spec.template.spec.securityContext.runAsUser
diff --git a/charts/celeborn/tests/worker/statefulset_test.yaml
b/charts/celeborn/tests/worker/statefulset_test.yaml
index 37c212709..fd3a4c8d8 100644
--- a/charts/celeborn/tests/worker/statefulset_test.yaml
+++ b/charts/celeborn/tests/worker/statefulset_test.yaml
@@ -163,6 +163,35 @@ tests:
cpu: 100m
memory: 128Mi
+ - it: Should add container securityContext if `worker.securityContext` is set
+ set:
+ worker:
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 3000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ privileged: false
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 3000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ privileged: false
+
- it: Should add secrets if `imagePullSecrets` is set
set:
imagePullSecrets:
@@ -283,12 +312,13 @@ tests:
path: spec.template.spec.hostNetwork
value: true
- - it: Should use the specified security context if `podSecurityContext` is
set
+ - it: Should use the specified security context if
`worker.podSecurityContext` is set
set:
- securityContext:
- runAsUser: 1000
- runAsGroup: 2000
- fsGroup: 3000
+ worker:
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 2000
+ fsGroup: 3000
asserts:
- equal:
path: spec.template.spec.securityContext.runAsUser
diff --git a/charts/celeborn/values.yaml b/charts/celeborn/values.yaml
index 7aa9beaa3..2cdae5049 100644
--- a/charts/celeborn/values.yaml
+++ b/charts/celeborn/values.yaml
@@ -118,15 +118,6 @@ celeborn:
celeborn.application.heartbeat.timeout: 120s
celeborn.worker.heartbeat.timeout: 120s
-# -- Container security context
-securityContext:
- # Specifies the user ID to run the entrypoint of the container process
- runAsUser: 10006
- # Specifies the group ID to run the entrypoint of the container process
- runAsGroup: 10006
- # Specifies the group ID to use when modifying ownership and permissions of
the mounted volumes
- fsGroup: 10006
-
master:
# -- Number of Celeborn master replicas to deploy, should not less than 3.
replicas: 3
@@ -165,6 +156,14 @@ master:
# cpu: 100m
# memory: 128Mi
+ # -- Security configurations for Celeborn master containers.
+ securityContext:
+ # privileged: false
+ # allowPrivilegeEscalation: false
+ # runAsUser: 10006
+ # runAsGroup: 10006
+ # fsGroup: 10006
+
# -- Node selector for Celeborn master pods.
nodeSelector:
# key1: value1
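Review bot: The helm-docs comment `# -- Security configurations for Celeborn master containers.` does not say how this block relates to `podSecurityContext`, which matters because fields set at container level (for example `runAsUser`) take precedence over the pod-level ones, while the chown command in the master statefulset template derives its ownership from `podSecurityContext` only. Suggest `# -- Container-level securityContext for the Celeborn master container. Fields set here override the same fields in master.podSecurityContext for that container; keep runAsUser/runAsGroup consistent with podSecurityContext so the volume ownership set by the chown step matches the running UID.` The block is null by default, so no container hardening (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, dropped capabilities) is applied unless the user opts in; stating that in the comment would help operators, and the `fsGroup` example should be removed since it is not a container-level field. The same applies to the `worker.securityContext` hunk further down in this file.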
@@ -211,6 +210,15 @@ master:
# -- Whether to use the host's network namespace in Celeborn master pods.
hostNetwork: false
+ # -- Pod-level security configurations for Celeborn master pods.
+ podSecurityContext:
+ # The user ID to use when running the entrypoint of the container process.
+ runAsUser: 10006
+ # The group ID to use when running the entrypoint of the container process.
+ runAsGroup: 10006
+ # The group ID to use when modifying the ownership and permissions of the
mounted volumes.
+ fsGroup: 10006
+
worker:
# -- Number of Celeborn worker replicas to deploy, should less than node
number.
replicas: 5
@@ -251,6 +259,14 @@ worker:
# cpu: 100m
# memory: 128Mi
+ # -- Security configurations for Celeborn worker containers.
+ securityContext:
+ # privileged: false
+ # allowPrivilegeEscalation: false
+ # runAsUser: 10006
+ # runAsGroup: 10006
+ # fsGroup: 10006
+
# -- Node selector for Celeborn worker pods.
nodeSelector:
# key1: value1
@@ -297,6 +313,15 @@ worker:
# -- Whether to use the host's network namespace in Celeborn worker pods.
hostNetwork: false
+ # -- Pod-level security configurations for Celeborn worker pods.
+ podSecurityContext:
+ # The user ID to use when running the entrypoint of the container process.
+ runAsUser: 10006
+ # The group ID to use when running the entrypoint of the container process.
+ runAsGroup: 10006
+ # The group ID to use when modifying the ownership and permissions of the
mounted volumes.
+ fsGroup: 10006
+
podMonitor:
# -- Specifies whether to enable creating pod monitors for Celeborn pods
enable: true