Skip to content

feat: Operator - support securityContext override at Pod level #5325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tchughesiv merged 1 commit into from
May 6, 2025
Merged

feat: Operator - support securityContext override at Pod level #5325

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions infra/feast-operator/api/v1alpha1/featurestore_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,6 +278,7 @@ type FeatureStoreServices struct {
// Creates a UI server container
UI *ServerConfigs `json:"ui,omitempty"`
DeploymentStrategy *appsv1.DeploymentStrategy `json:"deploymentStrategy,omitempty"`
SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
// Disable the 'feast repo initialization' initContainer
DisableInitContainers bool `json:"disableInitContainers,omitempty"`
// Volumes specifies the volumes to mount in the FeatureStore deployment. A corresponding `VolumeMount` should be added to whichever feast service(s) require access to said volume(s).
Expand Down
5 changes: 5 additions & 0 deletions infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

264 changes: 264 additions & 0 deletions infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2125,6 +2125,137 @@ spec:
x-kubernetes-validations:
- message: One selection required.
rule: '[has(self.local), has(self.remote)].exists_one(c, c)'
securityContext:
description: PodSecurityContext holds pod-level security attributes
and common container settings.
properties:
appArmorProfile:
description: appArmorProfile is the AppArmor options to use
by the containers in this pod.
properties:
localhostProfile:
description: localhostProfile indicates a profile loaded
on the node that should be used.
type: string
type:
description: type indicates which kind of AppArmor profile
will be applied.
type: string
required:
- type
type: object
fsGroup:
description: A special supplemental group that applies to
all containers in a pod.
format: int64
type: integer
fsGroupChangePolicy:
description: |-
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
before being exposed inside Pod.
type: string
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all containers.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: |-
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp profile
will be applied.
type: string
required:
- type
type: object
supplementalGroups:
description: |-
A list of groups applied to the first process run in each container, in addition
to the container's primary GID, the fsG
items:
format: int64
type: integer
type: array
x-kubernetes-list-type: atomic
sysctls:
description: Sysctls hold a list of namespaced sysctls used
for the pod.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
x-kubernetes-list-type: atomic
windowsOptions:
description: The Windows specific settings applied to all
containers.
properties:
gmsaCredentialSpec:
description: |-
GMSACredentialSpec is where the GMSA admission webhook
(https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
ui:
description: Creates a UI server container
properties:
Expand Down Expand Up @@ -5975,6 +6106,139 @@ spec:
- message: One selection required.
rule: '[has(self.local), has(self.remote)].exists_one(c,
c)'
securityContext:
description: PodSecurityContext holds pod-level security attributes
and common container settings.
properties:
appArmorProfile:
description: appArmorProfile is the AppArmor options to
use by the containers in this pod.
properties:
localhostProfile:
description: localhostProfile indicates a profile
loaded on the node that should be used.
type: string
type:
description: type indicates which kind of AppArmor
profile will be applied.
type: string
required:
- type
type: object
fsGroup:
description: A special supplemental group that applies
to all containers in a pod.
format: int64
type: integer
fsGroupChangePolicy:
description: |-
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
before being exposed inside Pod.
type: string
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as
a non-root user.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all
containers.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: |-
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.
properties:
localhostProfile:
description: localhostProfile indicates a profile
defined in a file on the node should be used.
type: string
type:
description: type indicates which kind of seccomp
profile will be applied.
type: string
required:
- type
type: object
supplementalGroups:
description: |-
A list of groups applied to the first process run in each container, in addition
to the container's primary GID, the fsG
items:
format: int64
type: integer
type: array
x-kubernetes-list-type: atomic
sysctls:
description: Sysctls hold a list of namespaced sysctls
used for the pod.
items:
description: Sysctl defines a kernel parameter to be
set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
x-kubernetes-list-type: atomic
windowsOptions:
description: The Windows specific settings applied to
all containers.
properties:
gmsaCredentialSpec:
description: |-
GMSACredentialSpec is where the GMSA admission webhook
(https://github.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of
the GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container
should be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process.
type: string
type: object
type: object
ui:
description: Creates a UI server container
properties:
Expand Down
Loading
Loading