Skip to content

feat: Add configurable security context support to Katib controller pods#2618

Closed
jsonmp-k8 wants to merge 2 commits into
kubeflow:masterfrom
jsonmp-k8:feat/security-context-support
Closed

feat: Add configurable security context support to Katib controller pods#2618
jsonmp-k8 wants to merge 2 commits into
kubeflow:masterfrom
jsonmp-k8:feat/security-context-support

Conversation

@jsonmp-k8

Copy link
Copy Markdown

Summary

  • Add explicit, per-component security context fields to the KatibConfig API (PodSecurityContext for suggestions, SecurityContext for early stopping and metrics collector containers)
  • Apply security contexts in the composer (suggestion deployments) and webhook (metrics collector sidecars), with backward compatibility for the legacy InjectSecurityContext flag
  • Update all 6 katib-config.yaml manifests with hardened defaults (runAsNonRoot, drop ALL capabilities, seccomp RuntimeDefault)

Test plan

  • go test ./pkg/apis/config/v1beta1/... — SecurityContext fields survive defaulting round-trip
  • go test ./pkg/controller.v1beta1/suggestion/composer/... — Deployment created with PodSecurityContext and early stopping SecurityContext
  • go test ./pkg/webhook/v1beta1/pod/... — Config SecurityContext takes precedence over legacy flag; fallback works; nil case preserved

🤖 Generated with Claude Code

@github-actions

github-actions Bot commented Feb 7, 2026

Copy link
Copy Markdown

🎉 Welcome to the Kubeflow Katib repo! 🎉

Thanks for opening your first PR! We're excited to have you onboard 🚀

Next steps:

Feel free to ask questions in the comments. Thanks again for contributing! 🙏

@google-oss-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign electronic-waste for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Add explicit, per-component security context configuration to the
KatibConfig API so that suggestion deployments, early stopping sidecars,
and metrics collector sidecars can run with hardened security defaults.

- Add PodSecurityContext field to SuggestionConfig for pod-level security
- Add SecurityContext field to EarlyStoppingConfig and MetricsCollectorConfig
  for container-level security
- Apply security contexts in composer (deployments) and webhook (sidecars)
- Metrics collector config SecurityContext takes precedence over legacy
  InjectSecurityContext flag, preserving backward compatibility
- Update all 6 katib-config.yaml manifests with hardened defaults
  (runAsNonRoot, drop ALL capabilities, seccomp RuntimeDefault)
- Update deepcopy functions and add tests for all new fields

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
@jsonmp-k8 jsonmp-k8 force-pushed the feat/security-context-support branch from 5cef4cf to 10b1353 Compare February 7, 2026 04:21
Fix gofmt struct field alignment in inject_webhook_test.go and add
non-root USER 1000 directive to all 11 Dockerfiles to comply with
runAsNonRoot security context.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

@andreyvelich andreyvelich left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@andreyvelich

Copy link
Copy Markdown
Member

/retest

@github-actions

Copy link
Copy Markdown

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown

This pull request has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.

@github-actions github-actions Bot closed this Jun 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants