This is an automated email from the ASF dual-hosted git repository.
craigrueda pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 1d8d067 fix: do not run containers as root by default in Helm chart
(#13917)
1d8d067 is described below
commit 1d8d0675e63db5ebc2ba49ab58ca8b4bd785491c
Author: Stanislav Simovski <[email protected]>
AuthorDate: Fri Apr 2 17:29:16 2021 +0300
fix: do not run containers as root by default in Helm chart (#13917)
* Helm: no running as root by default
* Maintain for backwards compatibility
Reverted uid and script to work same way as they previously did to maintain
backwards compatibility.
Added clarification in comments that this is not a recommended production
configuration.
Co-authored-by: Stanislav Simovski <[email protected]>
---
helm/superset/templates/_helpers.tpl | 13 ---------
helm/superset/templates/deployment-beat.yaml | 2 +-
helm/superset/templates/deployment-worker.yaml | 2 +-
helm/superset/templates/deployment.yaml | 4 +--
helm/superset/templates/init-job.yaml | 4 ++-
.../superset/templates/secret-superset-config.yaml | 2 +-
helm/superset/values.yaml | 32 ++++++++++++++++------
7 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/helm/superset/templates/_helpers.tpl
b/helm/superset/templates/_helpers.tpl
index 67496aa..cb97357 100644
--- a/helm/superset/templates/_helpers.tpl
+++ b/helm/superset/templates/_helpers.tpl
@@ -49,19 +49,6 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 |
trimSuffix "-" -}}
{{- end -}}
-{{- define "superset-bootstrap" -}}
-#!/bin/sh
-{{ if .Values.additionalAptPackages }}
-apt-get update -y \
- && apt-get install -y --no-install-recommends \
- {{ range .Values.additionalAptPackages }}{{ . }} {{ end }}\
- && rm -rf /var/lib/apt/lists/*
-{{ end -}}
-{{ if .Values.additionalRequirements }}
-pip install {{ range .Values.additionalRequirements }}{{ . }} {{ end }}
-{{ end -}}
-{{ end -}}
-
{{- define "superset-config" }}
import os
from cachelib.redis import RedisCache
diff --git a/helm/superset/templates/deployment-beat.yaml
b/helm/superset/templates/deployment-beat.yaml
index e926b0a..714d5f4 100644
--- a/helm/superset/templates/deployment-beat.yaml
+++ b/helm/superset/templates/deployment-beat.yaml
@@ -49,7 +49,7 @@ spec:
release: {{ .Release.Name }}
spec:
securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in
bootstrap
+ runAsUser: {{ .Values.runAsUser }}
{{- if .Values.supersetCeleryBeat.initContainers }}
initContainers:
{{- tpl (toYaml .Values.supersetCeleryBeat.initContainers) . | nindent
6 }}
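Review bot: The pod-level `securityContext` with the new `runAsUser: {{ .Values.runAsUser }}` line is now duplicated byte-for-byte across the beat, worker, node and init-job templates, so any follow-up hardening (`runAsGroup`, `fsGroup`, `runAsNonRoot`) has to be applied in four places and can silently drift between them. Consider defining it once in `_helpers.tpl` as `{{- define "superset.securityContext" }}` and emitting `{{- include "superset.securityContext" . | nindent 6 }}` in each template. The enclosing pod `spec:` continues outside the hunk.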
diff --git a/helm/superset/templates/deployment-worker.yaml
b/helm/superset/templates/deployment-worker.yaml
index f89c98c..4cf5034 100644
--- a/helm/superset/templates/deployment-worker.yaml
+++ b/helm/superset/templates/deployment-worker.yaml
@@ -47,7 +47,7 @@ spec:
release: {{ .Release.Name }}
spec:
securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in
bootstrap
+ runAsUser: {{ .Values.runAsUser }}
{{- if .Values.supersetWorker.initContainers }}
initContainers:
{{- tpl (toYaml .Values.supersetWorker.initContainers) . | nindent 6 }}
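Review bot: `runAsUser: {{ .Values.runAsUser }}` on its own only requests a UID; nothing makes the kubelet verify that the container is actually non-root, and if the value is ever nulled out the image's own `USER` applies unchecked. Emitting `runAsNonRoot: {{ ne (int .Values.runAsUser) 0 }}` alongside it makes Kubernetes refuse to start a root process whenever a non-zero UID is configured, while keeping the default-0 behaviour the commit preserves for backwards compatibility. The pod `spec:` continues beyond the hunk.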
diff --git a/helm/superset/templates/deployment.yaml
b/helm/superset/templates/deployment.yaml
index efeea09..456d330 100644
--- a/helm/superset/templates/deployment.yaml
+++ b/helm/superset/templates/deployment.yaml
@@ -35,7 +35,7 @@ spec:
# Force reload on config changes
checksum/superset_config.py: {{ include "superset-config" . |
sha256sum }}
checksum/superset_init.sh: {{ tpl .Values.init.initscript . |
sha256sum }}
- checksum/superset_bootstrap.sh: {{ include "superset-bootstrap" . |
sha256sum }}
+ checksum/superset_bootstrap.sh: {{ tpl .Values.bootstrapScript . |
sha256sum }}
checksum/connections: {{ .Values.supersetNode.connections | toYaml |
sha256sum }}
checksum/extraConfigs: {{ .Values.extraConfigs | toYaml | sha256sum }}
checksum/extraSecrets: {{ .Values.extraSecrets | toYaml | sha256sum }}
@@ -50,7 +50,7 @@ spec:
release: {{ .Release.Name }}
spec:
securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in
bootstrap
+ runAsUser: {{ .Values.runAsUser }}
{{- if .Values.supersetNode.initContainers }}
initContainers:
{{- tpl (toYaml .Values.supersetNode.initContainers) . | nindent 6 }}
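Review bot: The removed line carried the only explanation of why the chart ran as root (`Needed in order to allow pip install to work in bootstrap`); after this change a reader of the template sees a bare value and has to open values.yaml to learn that the default is still `0`. Keep a short pointer inline, e.g. `runAsUser: {{ .Values.runAsUser }}  # default 0 for backwards compatibility (apt-get/pip in bootstrap); see values.yaml`. The pod `spec:` continues outside the hunk.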
diff --git a/helm/superset/templates/init-job.yaml
b/helm/superset/templates/init-job.yaml
index 4645fcc..9a4530d 100644
--- a/helm/superset/templates/init-job.yaml
+++ b/helm/superset/templates/init-job.yaml
@@ -28,7 +28,7 @@ spec:
name: {{ template "superset.name" . }}-init-db
spec:
securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in
bootstrap
+ runAsUser: {{ .Values.runAsUser }}
{{- if .Values.init.initContainers }}
initContainers:
{{- tpl (toYaml .Values.init.initContainers) . | nindent 6 }}
@@ -57,6 +57,8 @@ spec:
readOnly: true
{{- end }}
command: {{ tpl (toJson .Values.init.command) . }}
+ resources:
+{{ toYaml .Values.init.resources | indent 10 }}
volumes:
- name: superset-config
secret:
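Review bot: The new `resources:` line followed by `{{ toYaml .Values.init.resources | indent 10 }}` on a separate template line departs from the style used a few lines above in this same file (`... | nindent 6` at the initContainers block) and, with the shipped default `{}`, renders a dangling `resources:` key over a flow `{}` on the next line. `resources: {{- toYaml .Values.init.resources | nindent 10 }}` yields the same YAML for a populated map and matches the rest of the chart. The container list this belongs to starts outside the hunk.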
diff --git a/helm/superset/templates/secret-superset-config.yaml
b/helm/superset/templates/secret-superset-config.yaml
index d8bd4f7..2f37da8 100644
--- a/helm/superset/templates/secret-superset-config.yaml
+++ b/helm/superset/templates/secret-superset-config.yaml
@@ -30,7 +30,7 @@ stringData:
superset_init.sh: |
{{- tpl .Values.init.initscript . | nindent 4 }}
superset_bootstrap.sh: |
-{{- include "superset-bootstrap" . | nindent 4 }}
+{{- tpl .Values.bootstrapScript . | nindent 4 }}
{{- if .Values.extraSecrets }}
{{- range $path, $config := .Values.extraSecrets }}
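Review bot: `bootstrapScript` is now passed through `tpl`, so the user-supplied shell script is evaluated as a Go template before it is written into the Secret; any literal `{{` in a script (an awk or jq program, for instance) will abort rendering with a parse error, and nothing in the chart documents that. A one-line comment above the key, `# rendered with tpl: {{ ... }} is expanded by Helm, escape literal braces`, or the same note next to `bootstrapScript` in values.yaml, would save users a confusing failure. The `stringData` mapping continues outside the hunk.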
diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml
index 19a6d79..d927c3d 100644
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -21,15 +21,19 @@
replicaCount: 1
-## These requirements are used to build a requirements file which is then
applied on init
-## of superset containers
-additionalRequirements:
- - "psycopg2==2.8.5"
- - "redis==3.2.1"
-
-## These apt packages are applied on init of superset containers
-additionalAptPackages: {}
- # - nano
+# User ID directive. This user must have enough permissions to run the
bootstrap script
+# Runn containers as root is not recommended in production. Change this to
another UID - e.g. 1000 to be more secure
+runAsUser: 0
+
+# Install additional packages and do any other bootstrap configuration in this
script
+# For production clusters it's recommended to build own image with this step
done in CI
+bootstrapScript: |
+ #!/bin/bash
+ apt-get update -y &&\
+ apt-get install -y --no-install-recommends nano &&\
+ rm -rf /var/lib/apt/lists/*
+ pip install psycopg2==2.8.5 redis==3.2.1
+ if [ ! -f ~/bootstrap ]; then echo "Running Superset with uid {{
.Values.runAsUser }}" > ~/bootstrap; fi
## The name of the secret which we will use to generate a superset_config.py
file
## Note: this secret must have the key superset_config.py in it and can
include other files as well
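Review bot: The default `bootstrapScript` has no `set -e`: the `apt-get` chain, the `pip install` line and the `~/bootstrap` marker write are independent statements, so a failed package install is ignored and the pod continues with whatever happened to install (assuming the entrypoint executes the script rather than sourcing it, which the hunk does not show). Adding `set -e` (or `set -euo pipefail`) directly after `#!/bin/bash` makes a failed install abort the container instead of masking it. Note also that `apt-get` and a system-wide `pip install` both require root, so this default script can only succeed with `runAsUser: 0`; the comment on `runAsUser` should say that plainly instead of "must have enough permissions", and `Runn containers` should read `Running containers`. Installing from PyPI on every pod start also leaves transitive dependencies unpinned, which is a further reason the existing advice to bake this step into a CI-built image is the right production guidance. The values file continues past the hunk.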
@@ -198,6 +202,16 @@ supersetCeleryBeat:
##
## Init job configuration
init:
+ # Configure resources
+ # Warning: fab commant consumes a lot of ram and can
+ # cause the process to be killed due to OOM if it exceeds limit
+ resources: {}
+ # limits:
+ # cpu:
+ # memory:
+ # requests:
+ # cpu:
+ # memory:
command:
- "/bin/sh"
- "-c"
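Review bot: The new comment above `init.resources` ships with typos that end up in the packaged chart: `fab commant` should be `fab command` and `ram` should be `RAM`. Suggested wording: `# Warning: the fab command consumes a lot of RAM; the init job can be OOM-killed if it exceeds limits.memory`. The `resources: {}` default itself is fine, since an empty map renders cleanly and imposes no limit until the user sets one.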