feat(manifests): add securityContext to deployments

Set `seccompProfile`, forbid containers to run as root, and disable unnecessary system calls. This applies to: - Model registry itself - Example database (MySQL and PostgreSQL) - Model registry UI Signed-off-by: Paul Boyd <[email protected]>
kubeflow · Feb 6, 2025 · 021a0b8 · 021a0b8
1 parent 5cbf43c
commit 021a0b8
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 2 deletions.
diff --git a/manifests/kustomize/base/model-registry-deployment.yaml b/manifests/kustomize/base/model-registry-deployment.yaml
@@ -16,6 +16,10 @@ spec:
       labels:
         component: model-registry-server
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
         - name: rest-container
           args:
@@ -44,6 +48,11 @@ spec:
             tcpSocket:
               port: http-api
             timeoutSeconds: 2
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
         - name: grpc-container
           # ! Sync to the same MLMD version:
           # * backend/metadata_writer/requirements.in and requirements.txt
@@ -102,4 +111,11 @@ spec:
             initialDelaySeconds: 3
             periodSeconds: 5
             timeoutSeconds: 2
+          securityContext:
+            runAsUser: 70
+            runAsGroup: 70
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
       serviceAccountName: model-registry-server
diff --git a/manifests/kustomize/options/ui/base/model-registry-ui-deployment.yaml b/manifests/kustomize/options/ui/base/model-registry-ui-deployment.yaml
@@ -15,6 +15,10 @@ spec:
         app: model-registry-ui
     spec: 
       serviceAccountName: model-registry-ui
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
       - name: model-registry-ui
         image: model-registry-ui-image
@@ -51,3 +55,8 @@ spec:
           - containerPort: 8080
         args:
           - "--port=8080"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
diff --git a/manifests/kustomize/options/ui/overlays/standalone/kustomization.yaml b/manifests/kustomize/options/ui/overlays/standalone/kustomization.yaml
@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: kubeflow
 
 resources:
 - ../../base

diff --git a/manifests/kustomize/overlays/db/model-registry-db-deployment.yaml b/manifests/kustomize/overlays/db/model-registry-db-deployment.yaml
@@ -19,6 +19,10 @@ spec:
       annotations:
         sidecar.istio.io/inject: "false"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
       - name: db-container
         image: mysql:8.3.0
@@ -46,6 +50,13 @@ spec:
         volumeMounts:
         - name: metadata-mysql
           mountPath: /var/lib/mysql
+        securityContext:
+          runAsUser: 999
+          runAsGroup: 999
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
       volumes:
       - name: metadata-mysql
         persistentVolumeClaim:

diff --git a/manifests/kustomize/overlays/postgres/kustomization.yaml b/manifests/kustomize/overlays/postgres/kustomization.yaml
@@ -39,7 +39,7 @@ vars:
 - name: POSTGRES_PORT
   objref:
     kind: ConfigMap
-    name: model-registry-db-parameters
+    name: metadata-postgres-db-parameters
     apiVersion: v1
   fieldref:
     fieldpath: data.POSTGRES_PORT
diff --git a/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml b/manifests/kustomize/overlays/postgres/model-registry-db-deployment.yaml
@@ -19,6 +19,10 @@ spec:
       annotations:
         sidecar.istio.io/inject: "false"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
       - name: db-container
         image: postgres
@@ -36,8 +40,14 @@ spec:
         volumeMounts:
         - name: metadata-postgres
           mountPath: /var/lib/postgresql/data
+        securityContext:
+          runAsUser: 70
+          runAsGroup: 70
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
       volumes:
       - name: metadata-postgres
         persistentVolumeClaim:
           claimName: metadata-postgres
-