[
https://issues.apache.org/jira/browse/YUNIKORN-3132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18061488#comment-18061488
]
Wilfred Spiegelenburg edited comment on YUNIKORN-3132 at 3/5/26 6:59 AM:
-------------------------------------------------------------------------
Combined placeholder podspec that was tested for scc *restricted-v2* is
{code:java}
spec:
# Pod-level security settings
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Network setting
hostNetwork: false
containers:
- name: pause
image:
docker.example.com/yunikorn/pause@sha256:569cfa0ff435f3a076a1b06a1f45d772ee3f5d4fbf6b39242a573c0cff632d69
command: ["/pause"]
# Container-level security settings
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- ALL{code}
Optionally allowing the user to override placeholder image, runAsUser,
runAsGroup and fsGroup
was (Author: JIRAUSER312345):
Combined placeholder podspec that was tested for scc *restricted-v2* is
{code:java}
spec:
# Pod-level security settings
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Network setting
hostNetwork: false
containers:
- name: pause
image:
docker-sandbox.infra.cloudera.com/amaheshwari/pause@sha256:569cfa0ff435f3a076a1b06a1f45d772ee3f5d4fbf6b39242a573c0cff632d69
command: ["/pause"]
# Container-level security settings
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- ALL{code}
Optionally allowing the user to override placeholder image, runAsUser,
runAsGroup and fsGroup
> Pod & Container Security Context for placeholder pods to be hardened
> --------------------------------------------------------------------
>
> Key: YUNIKORN-3132
> URL: https://issues.apache.org/jira/browse/YUNIKORN-3132
> Project: Apache YuniKorn
> Issue Type: Improvement
> Components: shim - kubernetes
> Reporter: Shubham Mishra
> Assignee: Aditya Maheshwari
> Priority: Major
> Labels: pull-request-available
>
> Currently the security context for placeholder pods only sets non root user
> and groups -
> [https://github.com/apache/yunikorn-k8shim/blob/master/pkg/cache/placeholder.go#L100]
> {code:java}
> Spec: v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ RunAsUser:
> &runAsUser, RunAsGroup: &runAsGroup, },{code}
> In many enterprise secure environments, this might not be enough and should
> be more restrictive by design (unless it breaks any functionality).
> Proposing to modify the placeholder.go to add following
> - *podSecurityContext:*
> {code:java}
> podSecurityContext:
> fsGroup:3000
> runAsGroup:3000
> runAsNonRoot: true
> runAsUser:1000{code}
> * *containerSecurityContext:*
> {code:java}
> containerSecurityContext:
> privileged: false
> allowPrivilegeEscalation: false
> readOnlyRootFilesystem: true
> capabilities:
> drop:
> -all{code}
> * *hostNetwork: false*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
