Add agent pod securitycontext (#143)

* Added: securityContext for agent * Changed: bump up version * Added: support for k8s 1.26
2025-02-25 13:22:21 +00:00 · 2023-01-31 09:16:25 +01:00 · 2023-01-31 09:16:25 +01:00 · 126f313cdf
commit 126f313cdf
parent 9aa1997ebd
4 changed files with 24 additions and 11 deletions
--- a/charts/clearml-agent/Chart.yaml
+++ b/charts/clearml-agent/Chart.yaml
@ -1,10 +1,10 @@
 apiVersion: v2
 name: clearml-agent
-description: MLOps platform
+description: MLOps platform Task running agent
 type: application
-version: "3.1.4"
+version: "3.2.0"
 appVersion: "1.24"
-kubeVersion: ">= 1.19.0-0 < 1.26.0-0"
+kubeVersion: ">= 1.21.0-0 < 1.27.0-0"
 home: https://clear.ml
 icon: https://raw.githubusercontent.com/allegroai/clearml/master/docs/clearml-logo.svg
 sources:
@ -17,3 +17,10 @@ keywords:
  - clearml
  - "machine learning"
  - mlops
+  - "task agent"
+annotations:
+  artifacthub.io/changes: |
+    - kind: added
+      description: securityContext parameter for agent pod
+    - kind: added
+      description: support for kubernetes 1.26
--- a/charts/clearml-agent/README.md
+++ b/charts/clearml-agent/README.md
@ -1,8 +1,8 @@
 # ClearML Kubernetes Agent

-![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.24](https://img.shields.io/badge/AppVersion-1.24-informational?style=flat-square)
+![Version: 3.2.0](https://img.shields.io/badge/Version-3.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.24](https://img.shields.io/badge/AppVersion-1.24-informational?style=flat-square)

-MLOps platform
+MLOps platform Task running agent

 **Homepage:** <https://clear.ml>

@ -24,13 +24,13 @@ It allows you to schedule distributed experiments on a Kubernetes cluster.

 ## Requirements

-Kubernetes: `>= 1.19.0-0 < 1.26.0-0`
+Kubernetes: `>= 1.21.0-0 < 1.27.0-0`

 ## Values

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| agentk8sglue | object | `{"annotations":{},"apiServerUrlReference":"https://api.clear.ml","basePodTemplate":{"annotations":{},"env":[],"fileMounts":[],"hostAliases":{},"initContainers":[],"labels":{},"nodeSelector":{},"resources":{},"schedulerName":"","securityContext":{},"tolerations":[],"volumeMounts":[],"volumes":[]},"clearmlcheckCertificate":true,"containerCustomBashScript":"","customBashScript":"","debugMode":false,"defaultContainerImage":"ubuntu:18.04","extraEnvs":[],"fileMounts":[],"fileServerUrlReference":"https://files.clear.ml","image":{"repository":"allegroai/clearml-agent-k8s-base","tag":"1.24-21"},"labels":{},"nodeSelector":{},"queue":"default","replicaCount":1,"serviceExistingAccountName":"","volumeMounts":[],"volumes":[],"webServerUrlReference":"https://app.clear.ml"}` | This agent will spawn queued experiments in new pods, a good use case is to combine this with GPU autoscaling nodes. https://github.com/allegroai/clearml-agent/tree/master/docker/k8s-glue |
+| agentk8sglue | object | `{"annotations":{},"apiServerUrlReference":"https://api.clear.ml","basePodTemplate":{"annotations":{},"env":[],"fileMounts":[],"hostAliases":{},"initContainers":[],"labels":{},"nodeSelector":{},"resources":{},"schedulerName":"","securityContext":{},"tolerations":[],"volumeMounts":[],"volumes":[]},"clearmlcheckCertificate":true,"containerCustomBashScript":"","customBashScript":"","debugMode":false,"defaultContainerImage":"ubuntu:18.04","extraEnvs":[],"fileMounts":[],"fileServerUrlReference":"https://files.clear.ml","image":{"repository":"allegroai/clearml-agent-k8s-base","tag":"1.24-21"},"labels":{},"nodeSelector":{},"queue":"default","replicaCount":1,"securityContext":{},"serviceExistingAccountName":"","volumeMounts":[],"volumes":[],"webServerUrlReference":"https://app.clear.ml"}` | This agent will spawn queued experiments in new pods, a good use case is to combine this with GPU autoscaling nodes. https://github.com/allegroai/clearml-agent/tree/master/docker/k8s-glue |
 | agentk8sglue.annotations | object | `{}` | annotations setup for Agent pod (example in values.yaml comments) |
 | agentk8sglue.apiServerUrlReference | string | `"https://api.clear.ml"` | Reference to Api server url |
 | agentk8sglue.basePodTemplate | object | `{"annotations":{},"env":[],"fileMounts":[],"hostAliases":{},"initContainers":[],"labels":{},"nodeSelector":{},"resources":{},"schedulerName":"","securityContext":{},"tolerations":[],"volumeMounts":[],"volumes":[]}` | base template for pods spawned to consume ClearML Task |
@ -59,6 +59,7 @@ Kubernetes: `>= 1.19.0-0 < 1.26.0-0`
 | agentk8sglue.nodeSelector | object | `{}` | nodeSelector setup for Agent pod (example in values.yaml comments) |
 | agentk8sglue.queue | string | `"default"` | ClearML queue this agent will consume |
 | agentk8sglue.replicaCount | int | `1` | Glue Agent number of pods |
+| agentk8sglue.securityContext | object | `{}` | Web Server pod security context |
 | agentk8sglue.serviceExistingAccountName | string | `""` | if set, don't create a serviceAccountName but use defined existing one |
 | agentk8sglue.volumeMounts | list | `[]` | volume mounts definition for Glue Agent (example in values.yaml comments) |
 | agentk8sglue.volumes | list | `[]` | volumes definition for Glue Agent (example in values.yaml comments) |
--- a/charts/clearml-agent/templates/agentk8sglue-deployment.yaml
+++ b/charts/clearml-agent/templates/agentk8sglue-deployment.yaml
@ -28,6 +28,7 @@ spec:
      {{- end }}
      {{- end }}
      serviceAccountName: {{ include "clearml.serviceAccountName" . }}
+      securityContext: {{ toYaml .Values.agentk8sglue.securityContext | nindent 8 }}
      initContainers:
      - name: init-k8s-glue
        {{- if .Values.enterpriseFeatures.enabled }}
--- a/charts/clearml-agent/values.yaml
+++ b/charts/clearml-agent/values.yaml
@ -75,7 +75,10 @@ agentk8sglue:
  extraEnvs: []
    # - name: PYTHONPATH
    #   value: "somepath"
-
+    # -- Web Server pod security context
+  securityContext: {}
+    #  runAsUser: 1001
+    #  fsGroup: 1001
  # -- nodeSelector setup for Agent pod (example in values.yaml comments)
  nodeSelector: {}
    # fleet: agent-nodes
@ -169,7 +172,8 @@ agentk8sglue:
      # fleet: gpu-nodes
    # -- securityContext setup for pods spawned to consume ClearML Task (example in values.yaml comments)
    securityContext: {}
-      # runAsUser: 1000
+      #  runAsUser: 1001
+      #  fsGroup: 1001
    # -- hostAliases setup for pods spawned to consume ClearML Task (example in values.yaml comments)
    hostAliases: {}
    # - ip: "127.0.0.1"