
Adjust ML extension deployment for ContainerTemplate and PodTemplate (#1534)

This commit is contained in:
Nikita Vaniasin 2023-12-11 11:52:38 +01:00 committed by GitHub
parent 041bae8810
commit d7e7757418
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 776 additions and 56 deletions


@ -2,6 +2,70 @@
## Spec ## Spec
### .spec.deployment.affinity
Type: `core.Affinity` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L37)</sup>
Affinity defines scheduling constraints for workload
Links:
* [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
***
### .spec.deployment.hostIPC
Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L33)</sup>
HostIPC defines to use the host's ipc namespace.
Default Value: `false`
***
### .spec.deployment.hostNetwork
Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L27)</sup>
HostNetwork requests Host network for this pod. Use the host's network namespace.
If this option is set, the ports that will be used must be specified.
Default Value: `false`
***
### .spec.deployment.hostPID
Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L30)</sup>
HostPID define to use the host's pid namespace.
Default Value: `false`
***
### .spec.deployment.nodeSelector
Type: `object` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L32)</sup>
NodeSelector is a selector that must be true for the workload to fit on a node.
Links:
* [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
***
### .spec.deployment.podSecurityContext
Type: `core.PodSecurityContext` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_pod.go#L29)</sup>
PodSecurityContext holds pod-level security attributes and common container settings.
Links:
* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
***
### .spec.deployment.prediction.image ### .spec.deployment.prediction.image
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup> Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup>
@ -47,6 +111,17 @@ Links:
*** ***
### .spec.deployment.prediction.securityContext
Type: `core.SecurityContext` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_container.go#L29)</sup>
PodSecurityContext holds pod-level security attributes and common container settings.
Links:
* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
***
### .spec.deployment.project.image ### .spec.deployment.project.image
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup> Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup>
@ -92,9 +167,20 @@ Links:
*** ***
### .spec.deployment.project.securityContext
Type: `core.SecurityContext` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_container.go#L29)</sup>
PodSecurityContext holds pod-level security attributes and common container settings.
Links:
* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
***
### .spec.deployment.replicas ### .spec.deployment.replicas
Type: `integer` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment.go#L32)</sup> Type: `integer` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment.go#L33)</sup>
Replicas defines the number of replicas running specified components. No replicas created if no components are defined. Replicas defines the number of replicas running specified components. No replicas created if no components are defined.
@ -102,6 +188,17 @@ Default Value: `1`
*** ***
### .spec.deployment.schedulerName
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L47)</sup>
SchedulerName specifies, the pod will be dispatched by specified scheduler.
If not specified, the pod will be dispatched by default scheduler.
Default Value: `""`
***
### .spec.deployment.service.type ### .spec.deployment.service.type
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment_service.go#L37)</sup> Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/ml/v1alpha1/extension_spec_deployment_service.go#L37)</sup>
@ -119,6 +216,30 @@ Possible Values:
*** ***
### .spec.deployment.shareProcessNamespace
Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/container_namespace.go#L39)</sup>
ShareProcessNamespace defines to share a single process namespace between all of the containers in a pod.
When this is set containers will be able to view and signal processes from other containers
in the same pod, and the first process in each container will not be assigned PID 1.
HostPID and ShareProcessNamespace cannot both be set.
Default Value: `false`
***
### .spec.deployment.tolerations
Type: `[]core.Toleration` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/scheduling.go#L42)</sup>
Tolerations defines tolerations
Links:
* [Kubernetes docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
***
### .spec.deployment.training.image ### .spec.deployment.training.image
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup> Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup>
@ -164,6 +285,17 @@ Links:
*** ***
### .spec.deployment.training.securityContext
Type: `core.SecurityContext` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/security_container.go#L29)</sup>
PodSecurityContext holds pod-level security attributes and common container settings.
Links:
* [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
***
### .spec.image ### .spec.image
Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup> Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.35/pkg/apis/shared/v1/image.go#L31)</sup>


@ -22,6 +22,7 @@ package v1alpha1
import ( import (
"github.com/arangodb/kube-arangodb/pkg/apis/shared" "github.com/arangodb/kube-arangodb/pkg/apis/shared"
sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"
"github.com/arangodb/kube-arangodb/pkg/util" "github.com/arangodb/kube-arangodb/pkg/util"
"github.com/arangodb/kube-arangodb/pkg/util/errors" "github.com/arangodb/kube-arangodb/pkg/util/errors"
) )
@ -34,6 +35,9 @@ type ArangoMLExtensionSpecDeployment struct {
// Service defines how components will be exposed // Service defines how components will be exposed
Service *ArangoMLExtensionSpecDeploymentService `json:"service,omitempty"` Service *ArangoMLExtensionSpecDeploymentService `json:"service,omitempty"`
// PodTemplate defines base template for pods
*sharedApi.PodTemplate
// Prediction defines how Prediction workload will be deployed // Prediction defines how Prediction workload will be deployed
Prediction *ArangoMLExtensionSpecDeploymentComponent `json:"prediction,omitempty"` Prediction *ArangoMLExtensionSpecDeploymentComponent `json:"prediction,omitempty"`
// Training defines how Training workload will be deployed // Training defines how Training workload will be deployed
@ -49,6 +53,14 @@ func (s *ArangoMLExtensionSpecDeployment) GetReplicas() int32 {
return *s.Replicas return *s.Replicas
} }
func (s *ArangoMLExtensionSpecDeployment) GetPodTemplate() *sharedApi.PodTemplate {
if s == nil || s.PodTemplate == nil {
return nil
}
return s.PodTemplate
}
func (s *ArangoMLExtensionSpecDeployment) GetPrediction() *ArangoMLExtensionSpecDeploymentComponent { func (s *ArangoMLExtensionSpecDeployment) GetPrediction() *ArangoMLExtensionSpecDeploymentComponent {
if s == nil { if s == nil {
return nil return nil
@ -108,6 +120,7 @@ func (s *ArangoMLExtensionSpecDeployment) Validate() error {
errs := []error{ errs := []error{
shared.PrefixResourceErrors("service", shared.ValidateOptional(s.GetService(), func(s ArangoMLExtensionSpecDeploymentService) error { return s.Validate() })), shared.PrefixResourceErrors("service", shared.ValidateOptional(s.GetService(), func(s ArangoMLExtensionSpecDeploymentService) error { return s.Validate() })),
s.GetPodTemplate().Validate(),
} }
if s.GetReplicas() < 0 || s.GetReplicas() > 10 { if s.GetReplicas() < 0 || s.GetReplicas() > 10 {
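Review bot: The new `*sharedApi.PodTemplate` embedding exposes `hostPID`, `hostIPC`, `hostNetwork`, `shareProcessNamespace` and a free-form `podSecurityContext` to anyone allowed to create this CR, and the only check added is the bare `s.GetPodTemplate().Validate()` in the `errs` list, whose rules are not visible in this diff. Because the operator creates these pods under its own service account, any privilege that account holds beyond the CR author's becomes reachable through those fields unless Pod Security Admission (or an equivalent policy) is enforced in the target namespace; consider rejecting host namespaces in `Validate()` unless an explicit feature gate allows them, or at least documenting on the field that enforcement is delegated to cluster admission. `Validate()` is invoked on the nil that `GetPodTemplate()` returns when the template is omitted, which is only safe if `PodTemplate.Validate` is nil-receiver-safe like the getters here, so that is worth confirming. This commit also deletes `CreateSecurePodSecurityContext`, which previously supplied the pod-level `runAsNonRoot`/`fsGroup` defaults, so check that a secure pod-level default is still applied when `podSecurityContext` is left unset. The body of `Validate` continues past the end of this hunk.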


@ -30,12 +30,8 @@ type ArangoMLExtensionSpecDeploymentComponent struct {
// Port defines on which port the container will be listening for connections // Port defines on which port the container will be listening for connections
Port *int32 `json:"port,omitempty"` Port *int32 `json:"port,omitempty"`
// Image defines image used for the component // ContainerTemplate Keeps the information about Container configuration
*sharedApi.Image `json:",inline"` *sharedApi.ContainerTemplate `json:",inline"`
// Resources holds resource requests & limits for container
// If not specified, default values will be used
*sharedApi.Resources `json:",inline"`
} }
func (s *ArangoMLExtensionSpecDeploymentComponent) GetPort() int32 { func (s *ArangoMLExtensionSpecDeploymentComponent) GetPort() int32 {
@ -45,20 +41,12 @@ func (s *ArangoMLExtensionSpecDeploymentComponent) GetPort() int32 {
return *s.Port return *s.Port
} }
func (s *ArangoMLExtensionSpecDeploymentComponent) GetImage() *sharedApi.Image { func (s *ArangoMLExtensionSpecDeploymentComponent) GetContainerTemplate() *sharedApi.ContainerTemplate {
if s == nil || s.Image == nil { if s == nil || s.ContainerTemplate == nil {
return nil return nil
} }
return s.Image return s.ContainerTemplate
}
func (s *ArangoMLExtensionSpecDeploymentComponent) GetResources() *sharedApi.Resources {
if s == nil || s.Resources == nil {
return nil
}
return s.Resources
} }
func (s *ArangoMLExtensionSpecDeploymentComponent) Validate() error { func (s *ArangoMLExtensionSpecDeploymentComponent) Validate() error {
@ -73,8 +61,7 @@ func (s *ArangoMLExtensionSpecDeploymentComponent) Validate() error {
} }
err = append(err, err = append(err,
shared.PrefixResourceErrors("resources", s.GetResources().Validate()), s.GetContainerTemplate().Validate(),
shared.PrefixResourceErrors("image", shared.ValidateRequired(s.GetImage(), func(obj sharedApi.Image) error { return obj.Validate() })),
) )
return shared.WithErrors(err...) return shared.WithErrors(err...)
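Review bot: `Validate()` no longer asserts that a component has an image: the old `shared.PrefixResourceErrors("image", shared.ValidateRequired(s.GetImage(), ...))` is replaced by a bare `s.GetContainerTemplate().Validate()`, which is called on nil when the template is omitted and whose treatment of a missing image is not visible here. Unless the reconciler falls back to the top-level `spec.image`, a component without an image now passes admission and only fails at pod creation, so either keep an explicit required-image check in this function or document the fallback on the `ContainerTemplate` field. The inlined template also accepts a container-level `securityContext` (`privileged`, `capabilities.add`, `allowPrivilegeEscalation`) that can override the hardened defaults from `CreateDefaultContainerTemplate`; the field comment should say so, e.g. `// ContainerTemplate keeps the container configuration (image, resources, securityContext); values set here override the operator's hardened defaults.` The generated docs in this commit describe each component's `securityContext` as "PodSecurityContext holds pod-level security attributes", which is copied from the pod-level field; the doc comment on the container-level field in `shared/v1/security_container.go` should read "SecurityContext holds container-level security attributes." Only the start and end of `Validate` are visible in this section.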


@ -363,6 +363,11 @@ func (in *ArangoMLExtensionSpecDeployment) DeepCopyInto(out *ArangoMLExtensionSp
*out = new(ArangoMLExtensionSpecDeploymentService) *out = new(ArangoMLExtensionSpecDeploymentService)
(*in).DeepCopyInto(*out) (*in).DeepCopyInto(*out)
} }
if in.PodTemplate != nil {
in, out := &in.PodTemplate, &out.PodTemplate
*out = new(sharedv1.PodTemplate)
(*in).DeepCopyInto(*out)
}
if in.Prediction != nil { if in.Prediction != nil {
in, out := &in.Prediction, &out.Prediction in, out := &in.Prediction, &out.Prediction
*out = new(ArangoMLExtensionSpecDeploymentComponent) *out = new(ArangoMLExtensionSpecDeploymentComponent)
@ -399,14 +404,9 @@ func (in *ArangoMLExtensionSpecDeploymentComponent) DeepCopyInto(out *ArangoMLEx
*out = new(int32) *out = new(int32)
**out = **in **out = **in
} }
if in.Image != nil { if in.ContainerTemplate != nil {
in, out := &in.Image, &out.Image in, out := &in.ContainerTemplate, &out.ContainerTemplate
*out = new(sharedv1.Image) *out = new(sharedv1.ContainerTemplate)
(*in).DeepCopyInto(*out)
}
if in.Resources != nil {
in, out := &in.Resources, &out.Resources
*out = new(sharedv1.Resources)
(*in).DeepCopyInto(*out) (*in).DeepCopyInto(*out)
} }
return return


@ -6,6 +6,382 @@ v1alpha1:
deployment: deployment:
description: Deployment specifies how the ML extension will be deployed into cluster description: Deployment specifies how the ML extension will be deployed into cluster
properties: properties:
affinity:
description: Affinity defines scheduling constraints for workload
properties:
nodeAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
preference:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
type: object
weight:
format: int32
type: integer
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
properties:
nodeSelectorTerms:
items:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchFields:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
type: object
type: array
type: object
type: object
podAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaces:
items:
type: string
type: array
topologyKey:
type: string
type: object
weight:
format: int32
type: integer
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaces:
items:
type: string
type: array
topologyKey:
type: string
type: object
type: array
type: object
podAntiAffinity:
properties:
preferredDuringSchedulingIgnoredDuringExecution:
items:
properties:
podAffinityTerm:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaces:
items:
type: string
type: array
topologyKey:
type: string
type: object
weight:
format: int32
type: integer
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
items:
properties:
labelSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
namespaces:
items:
type: string
type: array
topologyKey:
type: string
type: object
type: array
type: object
type: object
hostIPC:
description: HostIPC defines to use the host's ipc namespace.
type: boolean
hostNetwork:
description: |-
HostNetwork requests Host network for this pod. Use the host's network namespace.
If this option is set, the ports that will be used must be specified.
type: boolean
hostPID:
description: HostPID define to use the host's pid namespace.
type: boolean
nodeSelector:
additionalProperties:
type: string
description: NodeSelector is a selector that must be true for the workload to fit on a node.
type: object
podSecurityContext:
description: PodSecurityContext holds pod-level security attributes and common container settings.
properties:
fsGroup:
format: int64
type: integer
fsGroupChangePolicy:
type: string
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
type: object
supplementalGroups:
items:
format: int64
type: integer
type: array
sysctls:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
prediction: prediction:
description: Prediction defines how Prediction workload will be deployed description: Prediction defines how Prediction workload will be deployed
properties: properties:
@ -36,6 +412,66 @@ v1alpha1:
type: string type: string
type: object type: object
type: object type: object
securityContext:
description: PodSecurityContext holds pod-level security attributes and common container settings.
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
properties:
add:
items:
type: string
type: array
drop:
items:
type: string
type: array
type: object
privileged:
type: boolean
procMount:
type: string
readOnlyRootFilesystem:
type: boolean
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
type: object
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
type: object type: object
project: project:
description: Project defines how Project workload will be deployed description: Project defines how Project workload will be deployed
@ -67,11 +503,76 @@ v1alpha1:
type: string type: string
type: object type: object
type: object type: object
securityContext:
description: PodSecurityContext holds pod-level security attributes and common container settings.
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
properties:
add:
items:
type: string
type: array
drop:
items:
type: string
type: array
type: object
privileged:
type: boolean
procMount:
type: string
readOnlyRootFilesystem:
type: boolean
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
type: object
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
type: object type: object
replicas: replicas:
description: Replicas defines the number of replicas running specified components. No replicas created if no components are defined. description: Replicas defines the number of replicas running specified components. No replicas created if no components are defined.
format: int32 format: int32
type: integer type: integer
schedulerName:
description: |-
SchedulerName specifies, the pod will be dispatched by specified scheduler.
If not specified, the pod will be dispatched by default scheduler.
type: string
service: service:
description: Service defines how components will be exposed description: Service defines how components will be exposed
properties: properties:
@ -84,6 +585,30 @@ v1alpha1:
- ExternalName - ExternalName
type: string type: string
type: object type: object
shareProcessNamespace:
description: |-
ShareProcessNamespace defines to share a single process namespace between all of the containers in a pod.
When this is set containers will be able to view and signal processes from other containers
in the same pod, and the first process in each container will not be assigned PID 1.
HostPID and ShareProcessNamespace cannot both be set.
type: boolean
tolerations:
description: Tolerations defines tolerations
items:
properties:
effect:
type: string
key:
type: string
operator:
type: string
tolerationSeconds:
format: int64
type: integer
value:
type: string
type: object
type: array
training: training:
description: Training defines how Training workload will be deployed description: Training defines how Training workload will be deployed
properties: properties:
@ -114,6 +639,66 @@ v1alpha1:
type: string type: string
type: object type: object
type: object type: object
securityContext:
description: PodSecurityContext holds pod-level security attributes and common container settings.
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
properties:
add:
items:
type: string
type: array
drop:
items:
type: string
type: array
type: object
privileged:
type: boolean
procMount:
type: string
readOnlyRootFilesystem:
type: boolean
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
type: object
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
type: object type: object
type: object type: object
image: image:


@ -802,3 +802,34 @@ func InjectContainerTemplate(spec *sharedApi.ContainerTemplate, pod *core.PodTem
return nil return nil
} }
func CreateDefaultContainerTemplate(image *sharedApi.Image) *sharedApi.ContainerTemplate {
return &sharedApi.ContainerTemplate{
Image: image.DeepCopy(),
Resources: &sharedApi.Resources{
Resources: &core.ResourceRequirements{
Requests: core.ResourceList{
core.ResourceCPU: resource.MustParse("100m"),
core.ResourceMemory: resource.MustParse("128Mi"),
},
Limits: core.ResourceList{
core.ResourceCPU: resource.MustParse("200m"),
core.ResourceMemory: resource.MustParse("256Mi"),
},
},
},
SecurityContainer: &sharedApi.SecurityContainer{
SecurityContext: &core.SecurityContext{
RunAsUser: util.NewType[int64](shared.DefaultRunAsUser),
RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup),
RunAsNonRoot: util.NewType(true),
ReadOnlyRootFilesystem: util.NewType(true),
Capabilities: &core.Capabilities{
Drop: []core.Capability{
"ALL",
},
},
},
},
}
}
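Review bot: `CreateDefaultContainerTemplate` hardens the container with `RunAsNonRoot`, `ReadOnlyRootFilesystem` and `Drop: ALL`, but leaves `AllowPrivilegeEscalation` unset and sets no seccomp profile, so a pod built from this default does not satisfy the `restricted` Pod Security Standard and setuid/file-capability escalation inside the container is still permitted. Add `AllowPrivilegeEscalation: util.NewType(false),` and `SeccompProfile: &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault},` next to the existing `SecurityContext` fields. The removed `CreateDefaultSecurityContext` had the same gap, so this is carried over rather than introduced, but this new helper is the place to close it. The exported function also lacks a doc comment; something like `// CreateDefaultContainerTemplate returns the baseline ContainerTemplate for the given image: fixed resource requests/limits and a hardened security context (non-root, read-only rootfs, all capabilities dropped).` would do.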


@ -24,9 +24,7 @@ import (
core "k8s.io/api/core/v1" core "k8s.io/api/core/v1"
api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1" api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
"github.com/arangodb/kube-arangodb/pkg/apis/shared"
"github.com/arangodb/kube-arangodb/pkg/deployment/features" "github.com/arangodb/kube-arangodb/pkg/deployment/features"
"github.com/arangodb/kube-arangodb/pkg/util"
) )
// CreateSecurityContext returns security context. // CreateSecurityContext returns security context.
@ -39,29 +37,3 @@ func CreateSecurityContext(spec *api.ServerGroupSpecSecurityContext) *core.Secur
func CreatePodSecurityContext(spec *api.ServerGroupSpecSecurityContext) *core.PodSecurityContext { func CreatePodSecurityContext(spec *api.ServerGroupSpecSecurityContext) *core.PodSecurityContext {
return spec.NewPodSecurityContext(features.SecuredContainers().Enabled()) return spec.NewPodSecurityContext(features.SecuredContainers().Enabled())
} }
func CreateSecurePodSecurityContext() *core.PodSecurityContext {
psc := &core.PodSecurityContext{
RunAsUser: util.NewType[int64](shared.DefaultRunAsUser),
RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup),
RunAsNonRoot: util.NewType(true),
FSGroup: util.NewType[int64](shared.DefaultFSGroup),
}
return psc
}
func CreateDefaultSecurityContext() *core.SecurityContext {
r := &core.SecurityContext{
RunAsUser: util.NewType[int64](shared.DefaultRunAsUser),
RunAsGroup: util.NewType[int64](shared.DefaultRunAsGroup),
RunAsNonRoot: util.NewType(true),
ReadOnlyRootFilesystem: util.NewType(true),
Capabilities: &core.Capabilities{
Drop: []core.Capability{
"ALL",
},
},
}
return r
}