feat: Add configurable security context support to Katib controller pods#2618
feat: Add configurable security context support to Katib controller pods#2618jsonmp-k8 wants to merge 2 commits into
Conversation
|
🎉 Welcome to the Kubeflow Katib repo! 🎉 Thanks for opening your first PR! We're excited to have you onboard 🚀 Next steps:
Feel free to ask questions in the comments. Thanks again for contributing! 🙏 |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Add explicit, per-component security context configuration to the KatibConfig API so that suggestion deployments, early stopping sidecars, and metrics collector sidecars can run with hardened security defaults. - Add PodSecurityContext field to SuggestionConfig for pod-level security - Add SecurityContext field to EarlyStoppingConfig and MetricsCollectorConfig for container-level security - Apply security contexts in composer (deployments) and webhook (sidecars) - Metrics collector config SecurityContext takes precedence over legacy InjectSecurityContext flag, preserving backward compatibility - Update all 6 katib-config.yaml manifests with hardened defaults (runAsNonRoot, drop ALL capabilities, seccomp RuntimeDefault) - Update deepcopy functions and add tests for all new fields Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
5cef4cf to
10b1353
Compare
Fix gofmt struct field alignment in inject_webhook_test.go and add non-root USER 1000 directive to all 11 Dockerfiles to comply with runAsNonRoot security context. Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
|
/retest |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
This pull request has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. |
Summary
PodSecurityContextfor suggestions,SecurityContextfor early stopping and metrics collector containers)InjectSecurityContextflagkatib-config.yamlmanifests with hardened defaults (runAsNonRoot, drop ALL capabilities, seccomp RuntimeDefault)Test plan
go test ./pkg/apis/config/v1beta1/...— SecurityContext fields survive defaulting round-tripgo test ./pkg/controller.v1beta1/suggestion/composer/...— Deployment created with PodSecurityContext and early stopping SecurityContextgo test ./pkg/webhook/v1beta1/pod/...— Config SecurityContext takes precedence over legacy flag; fallback works; nil case preserved🤖 Generated with Claude Code