1120 read only file system (#1049)
* add property UseReadOnlyFileSystem to RadixDeployment

* add UseReadOnlyFileSystem to radixjobcomponent test

* update test cases and add type RadixEmptyDirVolumeMount

* started refactor of volume mount validation

* refactor RA validation

* adding volume mount unit tests

* RA validation tests for volumeMount

* added test for deployment emptyDir

* add UseReadOnlyFileSystem to container security context

* move csi provisioner config

* rename from UseReadOnlyFileSystem to ReadOnlyFileSystem

* update chart version

---------

Co-authored-by: Anneli <[email protected]>
nilsgstrabo and anneliawa authored Feb 23, 2024
1 parent c6f64c0 commit c953b38
Showing 26 changed files with 1,554 additions and 838 deletions.
4 changes: 2 additions & 2 deletions charts/radix-operator/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: radix-operator
version: 1.29.6
appVersion: 1.49.6
version: 1.30.0
appVersion: 1.50.0
kubeVersion: ">=1.24.0"
description: Radix Operator
keywords:
58 changes: 58 additions & 0 deletions charts/radix-operator/templates/radixapplication.yaml
Expand Up @@ -463,6 +463,9 @@ spec:
description: Defines minimum number of required GPUs.
type: string
type: object
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
replicas:
description: 'Number of desired replicas. More info: https://www.radix.equinor.com/references/reference-radix-config/#replicas'
minimum: 0
Expand Down Expand Up @@ -726,6 +729,12 @@ spec:
skuName:
description: 'SKU Type of Azure storage. More
info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types'
enum:
- Standard_LRS
- Premium_LRS
- Standard_GRS
- Standard_RAGRS
- ""
type: string
streaming:
description: 'Configure Streaming mode. Used
Expand Down Expand Up @@ -781,11 +790,27 @@ spec:
Default false. This must be turned on when
HNS enabled account is mounted.
type: boolean
required:
- container
type: object
container:
description: 'Deprecated. Only required by the deprecated
type: blob.'
type: string
emptyDir:
description: EmptyDir settings for EmptyDir volume
properties:
sizeLimit:
anyOf:
- type: integer
- type: string
description: SizeLimit defines the size of the
emptyDir volume
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
required:
- sizeLimit
type: object
gid:
description: GID defines the group ID (number) which
will be set as owner of the mounted volume. Deprecated,
Expand All @@ -794,6 +819,7 @@ spec:
name:
description: User-defined name of the volume mount.
Must be unique for the component.
maxLength: 40
minLength: 1
type: string
path:
Expand Down Expand Up @@ -935,6 +961,9 @@ spec:
maxLength: 15
pattern: ^(([a-z0-9][-a-z0-9]*)?[a-z0-9])?$
type: string
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
resources:
description: 'Configures CPU and memory resources for the component.
More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common'
Expand Down Expand Up @@ -1353,6 +1382,9 @@ spec:
minLength: 1
type: string
type: object
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
resources:
description: 'Environment specific configuration for CPU
and memory resources. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-3'
Expand Down Expand Up @@ -1616,6 +1648,12 @@ spec:
skuName:
description: 'SKU Type of Azure storage. More
info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types'
enum:
- Standard_LRS
- Premium_LRS
- Standard_GRS
- Standard_RAGRS
- ""
type: string
streaming:
description: 'Configure Streaming mode. Used
Expand Down Expand Up @@ -1671,11 +1709,27 @@ spec:
Default false. This must be turned on when
HNS enabled account is mounted.
type: boolean
required:
- container
type: object
container:
description: 'Deprecated. Only required by the deprecated
type: blob.'
type: string
emptyDir:
description: EmptyDir settings for EmptyDir volume
properties:
sizeLimit:
anyOf:
- type: integer
- type: string
description: SizeLimit defines the size of the
emptyDir volume
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
required:
- sizeLimit
type: object
gid:
description: GID defines the group ID (number) which
will be set as owner of the mounted volume. Deprecated,
Expand All @@ -1684,6 +1738,7 @@ spec:
name:
description: User-defined name of the volume mount.
Must be unique for the component.
maxLength: 40
minLength: 1
type: string
path:
Expand Down Expand Up @@ -1833,6 +1888,9 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
resources:
description: 'Configures CPU and memory resources for the job.
More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common-2'
82 changes: 82 additions & 0 deletions json-schema/radixapplication.json
Expand Up @@ -462,6 +462,10 @@
},
"type": "object"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"replicas": {
"description": "Number of desired replicas. More info: https://www.radix.equinor.com/references/reference-radix-config/#replicas",
"minimum": 0,
Expand Down Expand Up @@ -708,6 +712,13 @@
},
"skuName": {
"description": "SKU Type of Azure storage. More info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types",
"enum": [
"Standard_LRS",
"Premium_LRS",
"Standard_GRS",
"Standard_RAGRS",
""
],
"type": "string"
},
"streaming": {
Expand Down Expand Up @@ -759,18 +770,44 @@
"type": "boolean"
}
},
"required": [
"container"
],
"type": "object"
},
"container": {
"description": "Deprecated. Only required by the deprecated type: blob.",
"type": "string"
},
"emptyDir": {
"description": "EmptyDir settings for EmptyDir volume",
"properties": {
"sizeLimit": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "SizeLimit defines the size of the emptyDir volume",
"pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
"x-kubernetes-int-or-string": true
}
},
"required": [
"sizeLimit"
],
"type": "object"
},
"gid": {
"description": "GID defines the group ID (number) which will be set as owner of the mounted volume. Deprecated, use BlobFuse2 or AzureFile instead.",
"type": "string"
},
"name": {
"description": "User-defined name of the volume mount. Must be unique for the component.",
"maxLength": 40,
"minLength": 1,
"type": "string"
},
Expand Down Expand Up @@ -935,6 +972,10 @@
"pattern": "^(([a-z0-9][-a-z0-9]*)?[a-z0-9])?$",
"type": "string"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"resources": {
"description": "Configures CPU and memory resources for the component. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common",
"properties": {
Expand Down Expand Up @@ -1392,6 +1433,10 @@
},
"type": "object"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"resources": {
"description": "Environment specific configuration for CPU and memory resources. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-3",
"properties": {
Expand Down Expand Up @@ -1638,6 +1683,13 @@
},
"skuName": {
"description": "SKU Type of Azure storage. More info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types",
"enum": [
"Standard_LRS",
"Premium_LRS",
"Standard_GRS",
"Standard_RAGRS",
""
],
"type": "string"
},
"streaming": {
Expand Down Expand Up @@ -1689,18 +1741,44 @@
"type": "boolean"
}
},
"required": [
"container"
],
"type": "object"
},
"container": {
"description": "Deprecated. Only required by the deprecated type: blob.",
"type": "string"
},
"emptyDir": {
"description": "EmptyDir settings for EmptyDir volume",
"properties": {
"sizeLimit": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "SizeLimit defines the size of the emptyDir volume",
"pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
"x-kubernetes-int-or-string": true
}
},
"required": [
"sizeLimit"
],
"type": "object"
},
"gid": {
"description": "GID defines the group ID (number) which will be set as owner of the mounted volume. Deprecated, use BlobFuse2 or AzureFile instead.",
"type": "string"
},
"name": {
"description": "User-defined name of the volume mount. Must be unique for the component.",
"maxLength": 40,
"minLength": 1,
"type": "string"
},
Expand Down Expand Up @@ -1874,6 +1952,10 @@
],
"x-kubernetes-list-type": "map"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"resources": {
"description": "Configures CPU and memory resources for the job. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common-2",
"properties": {
3 changes: 2 additions & 1 deletion pkg/apis/batch/kubejob.go
Expand Up @@ -230,14 +230,15 @@ func (s *syncer) getContainers(rd *radixv1.RadixDeployment, jobComponent *radixv
resources := s.getContainerResources(batchJob, jobComponent)

image := getJobImage(jobComponent, batchJob)
securityContext := securitycontext.Container(securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault), securitycontext.WithReadOnlyRootFileSystem(jobComponent.GetReadOnlyFileSystem()))
container := corev1.Container{
Name: jobComponent.Name,
Image: image,
ImagePullPolicy: corev1.PullAlways,
Env: environmentVariables,
Ports: ports,
VolumeMounts: volumeMounts,
SecurityContext: securitycontext.Container(securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault)),
SecurityContext: securityContext,
Resources: resources,
}
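Review bot: `WithReadOnlyRootFileSystem(jobComponent.GetReadOnlyFileSystem())` on the new `securityContext` line makes the root-filesystem hardening opt-in per job component, and nothing in the hunk shows what the option resolves to when the field is left unset, so the fallback should be stated where `GetReadOnlyFileSystem` is defined (presumably a `*bool` accessor on the job component, to be confirmed). A container running with readOnlyRootFilesystem fails at runtime on its first write to the image filesystem unless a writable mount is configured, so a short comment on the new line, `// readOnlyRootFilesystem is user-controlled; writable paths must come from volume mounts (e.g. emptyDir)`, would save the next reader a trip to the CRD. The new `securityContext` line is long; putting each `securitycontext.With...` option on its own line would keep it readable after gofmt. getContainers starts and ends outside the hunk.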

