add: Security context constraints #3

Merged


@VanillaSpoon VanillaSpoon commented Oct 4, 2023

Why are these changes needed?

This PR adds the KubeRay SCC to the repository to be deployed. The changes are added to both the Kustomize deployments.

Related issue number

closes red-hat-data-services/distributed-workloads#15

To check changes

Update the ray-operator/Makefile deploy to:

deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
	cd config/manager && $(KUSTOMIZE) edit set image kuberay/operator=${IMG}
	($(KUSTOMIZE) build config/openshift | kubectl create -f -) || ($(KUSTOMIZE) build config/openshift | kubectl replace -f -)

Kustomize:

  • From within the ray-operator directory, run make deploy -e IMG=<your-image>

Check to ensure the run-as-ray-user SCC has been applied correctly, and ensure Users is set in the correct namespace (opendatahub):

 Users:                                                                    
  system:serviceaccount:opendatahub:kuberay-operator  

Also ensure the ray-operator and RBACs are applied within the opendatahub namespace.

To check changes relating to using odh-operator variables:

Clone the opendatahub operator:
https://github.com/opendatahub-io/opendatahub-operator

Within getAllManifests.sh, set the ray repository to:

    ["ray"]="VanillaSpoon:kuberay:SecurityContextConstraints:ray-operator/config:ray"

In components/ray/ray.go, set your RayPath to:

	RayPath       = deploy.DefaultManifestPath + "/" + "ray/openshift"

and

		defaultKustomizePath := "openshift"

Set your image repository in the Makefile.

Run make get-manifests to get all the manifests.

Run make image -e IMAGE_BUILD_FLAGS="--build-arg USE_LOCAL=true" to build and push an image containing all the manifests.

make deploy -e IMG=<your-image>

On OpenShift, go to your opendatahub-operator deployment and set your env variable in the YAML; this allows us to update the KubeRay image.

   spec:
     containers:
       - resources:
           limits:
             cpu: 500m
             memory: 4Gi
           requests:
             cpu: 500m
             memory: 256Mi
         readinessProbe:
           httpGet:
             path: /readyz
             port: 8081
             scheme: HTTP
           initialDelaySeconds: 5
           timeoutSeconds: 1
           periodSeconds: 10
           successThreshold: 1
           failureThreshold: 3
         terminationMessagePath: /dev/termination-log
         name: manager
         command:
           - /manager
         livenessProbe:
           httpGet:
             path: /healthz
             port: 8081
             scheme: HTTP
           initialDelaySeconds: 15
           timeoutSeconds: 1
           periodSeconds: 20
           successThreshold: 1
           failureThreshold: 3
+          env:
+            - name: RELATED_IMAGE_ODH_KUBERAY_OPERATOR_CONTROLLER_IMAGE
+             value: <IMAGE-TO-SET-TO>
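
Review bot: the added `env:` block does not line up with the keys around it: `env:` sits two columns deeper than its sibling `livenessProbe:`, and `value:` on the last line is one column short of `name` in the list item above it. With the `+` markers dropped, the fragment will not parse as intended; put `env:` at the same indentation as `livenessProbe:` and `value:` directly under `name`.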

Now deploy a DataScienceCluster managing ray:

apiVersion: datasciencecluster.opendatahub.io/v1
kind: DataScienceCluster
metadata:
  name: test
spec:
  components:
    ray:
      managementState: Managed

From here, if you check out the opendatahub-operator logs, they will provide details of the manifests being updated:

    ... │ Updating manifests : /opt/manifests/ray/openshift

Check out your pods in the opendatahub namespace, and KubeRay will be there with the image you set previously.
Check out the SCCs and ensure run-as-ray-user is applied, with the correct namespace.

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • This PR is not tested :(
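
The Users check from the PR description above, written as an added example (not code from this PR or from KubeRay). It audits the `users` and `groups` fields of an SCC fetched with `oc get scc run-as-ray-user -o json`, and goes slightly beyond the manual check by also flagging group grants; the function name and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample: the shape of `oc get scc run-as-ray-user -o json`,
# trimmed to the fields this check reads. Not output from a real cluster.
SAMPLE_SCC = json.loads("""
{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "run-as-ray-user"},
  "users": ["system:serviceaccount:default:kuberay-operator"],
  "groups": []
}
""")

SA_PREFIX = "system:serviceaccount:"


def audit_scc_subjects(scc, namespace, service_account):
    """Return findings about who the SCC is granted to (empty list = as expected)."""
    expected = f"{SA_PREFIX}{namespace}:{service_account}"
    users = scc.get("users") or []    # the API may return null for an empty list
    groups = scc.get("groups") or []
    findings = []
    if expected not in users:
        findings.append(f"missing expected user {expected}")
    for user in users:
        if user == expected:
            continue
        if user.startswith(SA_PREFIX):
            parts = user[len(SA_PREFIX):].split(":")
            ns = parts[0]
            name = parts[1] if len(parts) > 1 else ""
            if name == service_account and ns != namespace:
                # Same operator account, but bound in a different namespace
                findings.append(f"{service_account} granted in wrong namespace: {ns}")
            else:
                findings.append(f"unexpected service account: {user}")
        else:
            findings.append(f"unexpected non-service-account user: {user}")
    for group in groups:
        # Any group grant widens the SCC beyond the single operator account
        findings.append(f"SCC granted to group: {group}")
    return findings


if __name__ == "__main__":
    for line in audit_scc_subjects(SAMPLE_SCC, "opendatahub", "kuberay-operator"):
        print("FINDING:", line)
```

On a cluster, pipe the `oc get scc run-as-ray-user -o json` output through `json.load` and pass the result in place of `SAMPLE_SCC`.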

@anishasthana
Member

Since we are only using the kustomize manifests for the ODH operator, I don't think we should change the existing helm manifests, just to make future rebases easier. @astefanutti wdyt?

@VanillaSpoon force-pushed the SecurityContextConstraints branch from 27a4f5b to 391ae83 on October 6, 2023 11:07

@astefanutti

opendatahub-io/opendatahub-operator#619 has been merged so the required namespace variable is injected by the ODH operator.

@astefanutti

/lgtm

@astefanutti

/approve

@astefanutti

Thanks for the thorough testing @VanillaSpoon.

@astefanutti astefanutti merged commit 926fd4f into opendatahub-io:master Oct 18, 2023
15 checks passed
Successfully merging this pull request may close these issues.

Move KubeRay SCCs to the ODH/KubeRay repo