1120 read only file system #1049

Merged
merged 27 commits into from Feb 23, 2024
Changes from 23 commits
27 commits
5e05d8a
add property UseReadOnlyFileSystem to RadixDeployment
anneliawa Jan 11, 2024
1c5173c
add UseReadOnlyFileSystem to radixjobcomponent test
anneliawa Jan 11, 2024
4d59835
merge master
anneliawa Jan 19, 2024
10128db
fix loop variable scope
anneliawa Jan 19, 2024
48f7bc2
update test cases and add type RadixEmptyDirVolumeMount
anneliawa Jan 19, 2024
41a7276
Merge branch 'master' into 1120-readOnlyFileSystem
anneliawa Jan 26, 2024
392b0fa
started refactor of volume mount validation
nilsgstrabo Feb 2, 2024
ea6b476
refactor RA validation
nilsgstrabo Feb 5, 2024
e89c7a8
adding volume mount unit tests
nilsgstrabo Feb 5, 2024
ef14809
RA validation tests for volumeMount
nilsgstrabo Feb 6, 2024
ecfe7ab
continue fixing tests
nilsgstrabo Feb 6, 2024
833dbe8
revert tests
nilsgstrabo Feb 7, 2024
1c7ade3
revert volume mount naming
nilsgstrabo Feb 7, 2024
dc87b4d
refactor volume mount names
nilsgstrabo Feb 7, 2024
020f31c
cleanup
nilsgstrabo Feb 7, 2024
c15cff3
added test for deployment emptyDir
nilsgstrabo Feb 7, 2024
84b03c1
Merge branch 'master' into 1120-readOnlyFileSystem
anneliawa Feb 9, 2024
7b07700
remove comments
anneliawa Feb 9, 2024
6f5607a
add UseReadOnlyFileSystem to container security context
anneliawa Feb 9, 2024
f7c38c6
fix test
nilsgstrabo Feb 9, 2024
482f940
move csi provisioner config
nilsgstrabo Feb 9, 2024
9221f38
update chart version
nilsgstrabo Feb 14, 2024
bb0c0b8
rename from UseReadOnlyFileSystem to ReadOnlyFileSystem
nilsgstrabo Feb 14, 2024
e2fa697
Adjust test descriptions
anneliawa Feb 16, 2024
77a8e79
update charts
anneliawa Feb 23, 2024
80bd983
adjust chart
anneliawa Feb 23, 2024
5c4338e
adjust charts
anneliawa Feb 23, 2024
4 changes: 2 additions & 2 deletions charts/radix-operator/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: radix-operator
version: 1.29.5
appVersion: 1.49.5
version: 1.30.0
appVersion: 1.50.0
kubeVersion: ">=1.24.0"
description: Radix Operator
keywords:
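Review bot: the minor bump to chart 1.30.0 / appVersion 1.50.0 is appropriate, but the CRD changes in this PR tighten validation (a new `required: - container` entry and an `enum` on `skuName`), so existing RadixApplication objects that omit `container` or use another SKU string will be rejected on their next update; list those tightened validations in the release notes for 1.30.0 rather than treating this as a purely additive release. `kubeVersion: ">=1.24.0"` can stay, since `readOnlyRootFilesystem` and emptyDir `sizeLimit` are supported across that range.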
58 changes: 58 additions & 0 deletions charts/radix-operator/templates/radixapplication.yaml
@@ -463,6 +463,9 @@ spec:
description: Defines minimum number of required GPUs.
type: string
type: object
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
replicas:
description: 'Number of desired replicas. More info: https://www.radix.equinor.com/references/reference-radix-config/#replicas'
minimum: 0
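Review bot: the description "Controls if the filesystem shall be read-only." is too vague for a field that changes the container's security context. Say what it maps to and what it does not cover: it sets `readOnlyRootFilesystem` on the container (see `securitycontext.WithReadOnlyRootFileSystem` in `pkg/apis/batch/kubejob.go` in this PR), it only affects the container's root filesystem while mounted volumes keep their own mode, and an application that needs to write anywhere (for example `/tmp`) must declare an `emptyDir` volume mount, which this PR adds for that purpose. Also state the default (presumably `false`, so existing components are unaffected) so readers do not have to infer it.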
@@ -726,6 +729,12 @@ spec:
skuName:
description: 'SKU Type of Azure storage. More
info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types'
enum:
- Standard_LRS
- Premium_LRS
- Standard_GRS
- Standard_RAGRS
- ""
type: string
streaming:
description: 'Configure Streaming mode. Used
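Review bot: adding an `enum` to the existing `skuName` field is a validation tightening, not just documentation: any RadixApplication already carrying a value outside `Standard_LRS`, `Premium_LRS`, `Standard_GRS`, `Standard_RAGRS` or `""` will fail schema validation on its next update. Either confirm those are the only SKUs the CSI driver accepts for this volume type, or mention the allowed set in the description so the failure is self-explanatory, and note the change in the release notes.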
@@ -781,11 +790,27 @@ spec:
Default false. This must be turned on when
HNS enabled account is mounted.
type: boolean
required:
- container
type: object
container:
description: 'Deprecated. Only required by the deprecated
type: blob.'
type: string
emptyDir:
description: EmptyDir settings for EmptyDir volume
properties:
sizeLimit:
anyOf:
- type: integer
- type: string
description: SizeLimit defines the size of the
emptyDir volume
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
required:
- sizeLimit
type: object
gid:
description: GID defines the group ID (number) which
will be set as owner of the mounted volume. Deprecated,
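Review bot: two points in this hunk. First, `sizeLimit` is required for `emptyDir`, which is the right call when the emptyDir is the only writable location beside a read-only root (an unbounded emptyDir lets a buggy or compromised container fill the node's ephemeral storage), but the `pattern` is the generic Kubernetes quantity regex and accepts a leading `-` and `0`; a zero or negative limit passes the CRD, so the operator-side volume mount validation added in this PR must reject it, or the pattern should be tightened. Second, `required: - container` inside the object that closes just before the deprecated top-level `container` field makes that nested `container` mandatory; existing specs without it will be rejected on update, so it belongs in the release notes. The `emptyDir` description should also say that the volume is node-local, ephemeral and discarded with the pod, which is exactly why it is safe scratch space next to `readOnlyFileSystem: true`.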
@@ -794,6 +819,7 @@ spec:
name:
description: User-defined name of the volume mount.
Must be unique for the component.
maxLength: 40
minLength: 1
type: string
path:
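Review bot: `maxLength: 40` bounds the volume mount name but the schema still enforces nothing about its character set, and the "Must be unique for the component" requirement in the description is not expressed in the schema either (no list-map key on the parent list is visible here). A name that is too long or contains characters Kubernetes rejects in a volume name would currently fail when the pod is created rather than when the RadixApplication is validated; either add a `pattern` here or make sure the operator's volume mount validation checks both length and uniqueness and reports them to the user.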
@@ -935,6 +961,9 @@ spec:
maxLength: 15
pattern: ^(([a-z0-9][-a-z0-9]*)?[a-z0-9])?$
type: string
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
resources:
description: 'Configures CPU and memory resources for the component.
More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common'
@@ -1353,6 +1382,9 @@ spec:
minLength: 1
type: string
type: object
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
resources:
description: 'Environment specific configuration for CPU
and memory resources. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-3'
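Review bot: the environment-level `readOnlyFileSystem` reuses the component-level description word for word and says nothing about precedence. As the neighbouring `resources` field does with its "Environment specific configuration" wording, state explicitly that a value set here overrides the component-level value for that environment and that leaving it unset falls back to the component setting; an operator reviewing a hardening change needs to know which level wins without reading the controller code.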
@@ -1616,6 +1648,12 @@ spec:
skuName:
description: 'SKU Type of Azure storage. More
info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types'
enum:
- Standard_LRS
- Premium_LRS
- Standard_GRS
- Standard_RAGRS
- ""
type: string
streaming:
description: 'Configure Streaming mode. Used
@@ -1671,11 +1709,27 @@ spec:
Default false. This must be turned on when
HNS enabled account is mounted.
type: boolean
required:
- container
type: object
container:
description: 'Deprecated. Only required by the deprecated
type: blob.'
type: string
emptyDir:
description: EmptyDir settings for EmptyDir volume
properties:
sizeLimit:
anyOf:
- type: integer
- type: string
description: SizeLimit defines the size of the
emptyDir volume
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
required:
- sizeLimit
type: object
gid:
description: GID defines the group ID (number) which
will be set as owner of the mounted volume. Deprecated,
@@ -1684,6 +1738,7 @@ spec:
name:
description: User-defined name of the volume mount.
Must be unique for the component.
maxLength: 40
minLength: 1
type: string
path:
@@ -1833,6 +1888,9 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
readOnlyFileSystem:
description: Controls if the filesystem shall be read-only.
type: boolean
resources:
description: 'Configures CPU and memory resources for the job.
More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common-2'
82 changes: 82 additions & 0 deletions json-schema/radixapplication.json
@@ -462,6 +462,10 @@
},
"type": "object"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"replicas": {
"description": "Number of desired replicas. More info: https://www.radix.equinor.com/references/reference-radix-config/#replicas",
"minimum": 0,
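Review bot: `json-schema/radixapplication.json` repeats every CRD description verbatim, including the vague "Controls if the filesystem shall be read-only." Whatever wording is settled on for the CRD (what the field maps to, that mounted volumes are unaffected, the default) must be applied here as well, or, if this file is generated from the Go types, it should be regenerated rather than edited by hand so the two schemas cannot drift.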
@@ -708,6 +712,13 @@
},
"skuName": {
"description": "SKU Type of Azure storage. More info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types",
"enum": [
"Standard_LRS",
"Premium_LRS",
"Standard_GRS",
"Standard_RAGRS",
""
],
"type": "string"
},
"streaming": {
@@ -759,18 +770,44 @@
"type": "boolean"
}
},
"required": [
"container"
],
"type": "object"
},
"container": {
"description": "Deprecated. Only required by the deprecated type: blob.",
"type": "string"
},
"emptyDir": {
"description": "EmptyDir settings for EmptyDir volume",
"properties": {
"sizeLimit": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "SizeLimit defines the size of the emptyDir volume",
"pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
"x-kubernetes-int-or-string": true
}
},
"required": [
"sizeLimit"
],
"type": "object"
},
"gid": {
"description": "GID defines the group ID (number) which will be set as owner of the mounted volume. Deprecated, use BlobFuse2 or AzureFile instead.",
"type": "string"
},
"name": {
"description": "User-defined name of the volume mount. Must be unique for the component.",
"maxLength": 40,
"minLength": 1,
"type": "string"
},
@@ -935,6 +972,10 @@
"pattern": "^(([a-z0-9][-a-z0-9]*)?[a-z0-9])?$",
"type": "string"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"resources": {
"description": "Configures CPU and memory resources for the component. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common",
"properties": {
@@ -1392,6 +1433,10 @@
},
"type": "object"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"resources": {
"description": "Environment specific configuration for CPU and memory resources. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-3",
"properties": {
@@ -1638,6 +1683,13 @@
},
"skuName": {
"description": "SKU Type of Azure storage. More info: https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types",
"enum": [
"Standard_LRS",
"Premium_LRS",
"Standard_GRS",
"Standard_RAGRS",
""
],
"type": "string"
},
"streaming": {
@@ -1689,18 +1741,44 @@
"type": "boolean"
}
},
"required": [
"container"
],
"type": "object"
},
"container": {
"description": "Deprecated. Only required by the deprecated type: blob.",
"type": "string"
},
"emptyDir": {
"description": "EmptyDir settings for EmptyDir volume",
"properties": {
"sizeLimit": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "SizeLimit defines the size of the emptyDir volume",
"pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
"x-kubernetes-int-or-string": true
}
},
"required": [
"sizeLimit"
],
"type": "object"
},
"gid": {
"description": "GID defines the group ID (number) which will be set as owner of the mounted volume. Deprecated, use BlobFuse2 or AzureFile instead.",
"type": "string"
},
"name": {
"description": "User-defined name of the volume mount. Must be unique for the component.",
"maxLength": 40,
"minLength": 1,
"type": "string"
},
@@ -1874,6 +1952,10 @@
],
"x-kubernetes-list-type": "map"
},
"readOnlyFileSystem": {
"description": "Controls if the filesystem shall be read-only.",
"type": "boolean"
},
"resources": {
"description": "Configures CPU and memory resources for the job. More info: https://www.radix.equinor.com/references/reference-radix-config/#resources-common-2",
"properties": {
3 changes: 2 additions & 1 deletion pkg/apis/batch/kubejob.go
@@ -230,14 +230,15 @@ func (s *syncer) getContainers(rd *radixv1.RadixDeployment, jobComponent *radixv
resources := s.getContainerResources(batchJob, jobComponent)

image := getJobImage(jobComponent, batchJob)
securityContext := securitycontext.Container(securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault), securitycontext.WithReadOnlyRootFileSystem(jobComponent.GetReadOnlyFileSystem()))
container := corev1.Container{
Name: jobComponent.Name,
Image: image,
ImagePullPolicy: corev1.PullAlways,
Env: environmentVariables,
Ports: ports,
VolumeMounts: volumeMounts,
SecurityContext: securitycontext.Container(securitycontext.WithContainerSeccompProfileType(corev1.SeccompProfileTypeRuntimeDefault)),
SecurityContext: securityContext,
Resources: resources,
}
