Added: security context for enterprise apps

Valeriano Manassero 2023-03-10 17:02:15 +01:00
parent e44fa88727
commit 1c5c439556
4 changed files with 20 additions and 2 deletions


@ -198,17 +198,19 @@ Kubernetes: `>= 1.21.0-0 < 1.27.0-0`
| clearml.testUserKey | string | `"ENP39EQM4SLACGD5FXB7"` | Test Server basic auth key |
| clearml.testUserSecret | string | `"lPcm0imbcBZ8mwgO7tpadutiS3gnJD05x9j7afwXPS35IKbpiQ"` | Test File Server basic auth secret |
| elasticsearch | object | `{"clusterHealthCheckParams":"wait_for_status=yellow&timeout=1s","clusterName":"clearml-elastic","enabled":true,"esConfig":{"elasticsearch.yml":"xpack.security.enabled: false\n"},"esJavaOpts":"-Xmx2g -Xms2g","extraEnvs":[{"name":"bootstrap.memory_lock","value":"false"},{"name":"cluster.routing.allocation.node_initial_primaries_recoveries","value":"500"},{"name":"cluster.routing.allocation.disk.watermark.low","value":"500mb"},{"name":"cluster.routing.allocation.disk.watermark.high","value":"500mb"},{"name":"cluster.routing.allocation.disk.watermark.flood_stage","value":"500mb"},{"name":"http.compression_level","value":"7"},{"name":"reindex.remote.whitelist","value":"*.*"},{"name":"xpack.monitoring.enabled","value":"false"},{"name":"xpack.security.enabled","value":"false"}],"httpPort":9200,"minimumMasterNodes":1,"persistence":{"enabled":true},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"4Gi"},"requests":{"cpu":"100m","memory":"2Gi"}},"roles":{"data":"true","ingest":"true","master":"true","remote_cluster_client":"true"},"volumeClaimTemplate":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"50Gi"}},"storageClassName":null}}` | Configuration from https://github.com/elastic/helm-charts/blob/7.16/elasticsearch/values.yaml |
| enterpriseFeatures | object | `{"airGappedDocumentation":{"enabled":false,"image":{"repository":"","tag":"4"}},"apiserverImageTagOverride":"3.15.3-909","clearmlApplications":{"additionalClusterRoleBindings":[],"additionalRoleBindings":[],"affinity":{},"agentKey":"GK4PRTVT3706T25K6BA1","agentSecret":"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2","basePodImage":{"repository":"","tag":"app-1.1.1-47"},"enabled":true,"extraEnvs":[],"fileMounts":[],"gitAgentPass":"git_password","gitAgentUser":"git_user","image":{"pullPolicy":"IfNotPresent","repository":"","tag":"1.24-58"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"tolerations":[]},"defaultCompanyGuid":"d1bd92a3b039400cbafc60a7a5b1e52b","enabled":false,"extraIndexUrl":"","fileserverImageTagOverride":"3.15.3-909","overrideReferenceApiUrl":"","overrideReferenceFileUrl":"","webserverImageTagOverride":"3.15.3-801"}` | Enterprise features (work only with an Enterprise license) |
| enterpriseFeatures | object | `{"airGappedDocumentation":{"enabled":false,"image":{"repository":"","tag":"4"}},"apiserverImageTagOverride":"3.15.3-909","clearmlApplications":{"additionalClusterRoleBindings":[],"additionalRoleBindings":[],"affinity":{},"agentKey":"GK4PRTVT3706T25K6BA1","agentSecret":"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2","basePodImage":{"repository":"","tag":"app-1.1.1-47"},"containerSecurityContext":{},"enabled":true,"extraEnvs":[],"fileMounts":[],"gitAgentPass":"git_password","gitAgentUser":"git_user","image":{"pullPolicy":"IfNotPresent","repository":"","tag":"1.24-58"},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"tolerations":[]},"defaultCompanyGuid":"d1bd92a3b039400cbafc60a7a5b1e52b","enabled":false,"extraIndexUrl":"","fileserverImageTagOverride":"3.15.3-909","overrideReferenceApiUrl":"","overrideReferenceFileUrl":"","webserverImageTagOverride":"3.15.3-801"}` | Enterprise features (work only with an Enterprise license) |
| enterpriseFeatures.airGappedDocumentation | object | `{"enabled":false,"image":{"repository":"","tag":"4"}}` | Air gapped documentation configurations |
| enterpriseFeatures.airGappedDocumentation.enabled | bool | `false` | Enable/Disable air gapped documentation deployment |
| enterpriseFeatures.airGappedDocumentation.image | object | `{"repository":"","tag":"4"}` | Air gapped documentation image configuration |
| enterpriseFeatures.apiserverImageTagOverride | string | `"3.15.3-909"` | Image tag override for apiserver enterprise version |
| enterpriseFeatures.clearmlApplications | object | `{"additionalClusterRoleBindings":[],"additionalRoleBindings":[],"affinity":{},"agentKey":"GK4PRTVT3706T25K6BA1","agentSecret":"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2","basePodImage":{"repository":"","tag":"app-1.1.1-47"},"enabled":true,"extraEnvs":[],"fileMounts":[],"gitAgentPass":"git_password","gitAgentUser":"git_user","image":{"pullPolicy":"IfNotPresent","repository":"","tag":"1.24-58"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"tolerations":[]}` | APPS configurations |
| enterpriseFeatures.clearmlApplications | object | `{"additionalClusterRoleBindings":[],"additionalRoleBindings":[],"affinity":{},"agentKey":"GK4PRTVT3706T25K6BA1","agentSecret":"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2","basePodImage":{"repository":"","tag":"app-1.1.1-47"},"containerSecurityContext":{},"enabled":true,"extraEnvs":[],"fileMounts":[],"gitAgentPass":"git_password","gitAgentUser":"git_user","image":{"pullPolicy":"IfNotPresent","repository":"","tag":"1.24-58"},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"tolerations":[]}` | APPS configurations |
| enterpriseFeatures.clearmlApplications.additionalClusterRoleBindings | list | `[]` | additional existing ClusterRoleBindings |
| enterpriseFeatures.clearmlApplications.additionalRoleBindings | list | `[]` | additional existing RoleBindings |
| enterpriseFeatures.clearmlApplications.affinity | object | `{}` | APPS affinity setup |
| enterpriseFeatures.clearmlApplications.agentKey | string | `"GK4PRTVT3706T25K6BA1"` | Apps Server basic auth key |
| enterpriseFeatures.clearmlApplications.agentSecret | string | `"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2"` | Apps Server basic auth secret |
| enterpriseFeatures.clearmlApplications.basePodImage | object | `{"repository":"","tag":"app-1.1.1-47"}` | APPS base spawning pods image |
| enterpriseFeatures.clearmlApplications.containerSecurityContext | object | `{}` | APPS containers security context |
| enterpriseFeatures.clearmlApplications.enabled | bool | `true` | Enable/Disable component deployment |
| enterpriseFeatures.clearmlApplications.extraEnvs | list | `[]` | APPS extra envrinoment variables |
| enterpriseFeatures.clearmlApplications.fileMounts | list | `[]` | file definition |
@ -217,6 +219,7 @@ Kubernetes: `>= 1.21.0-0 < 1.27.0-0`
| enterpriseFeatures.clearmlApplications.image | object | `{"pullPolicy":"IfNotPresent","repository":"","tag":"1.24-58"}` | APPS image configuration |
| enterpriseFeatures.clearmlApplications.nodeSelector | object | `{}` | APPS nodeselector |
| enterpriseFeatures.clearmlApplications.podAnnotations | object | `{}` | specific annotation for APPS pods |
| enterpriseFeatures.clearmlApplications.podSecurityContext | object | `{}` | APPS pod security context |
| enterpriseFeatures.clearmlApplications.replicaCount | int | `1` | APPS number of pods |
| enterpriseFeatures.clearmlApplications.resources | object | `{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | APPS resources per pod; these are minimal requirements, it's suggested to increase these values in production environments |
| enterpriseFeatures.clearmlApplications.tolerations | list | `[]` | APPS tolerations setup |


@ -18,6 +18,8 @@ data:
{{- end }}
{{- end }}
serviceAccountName: "clearml-apps-sa"
securityContext:
{{ toYaml .Values.enterpriseFeatures.clearmlApplications.podSecurityContext | nindent 10 }}
volumes:
{{- if .Values.enterpriseFeatures.clearmlApplications.fileMounts }}
- name: filemounts
@ -45,3 +47,5 @@ data:
{{- if .Values.enterpriseFeatures.clearmlApplications.extraEnvs }}
{{ toYaml .Values.enterpriseFeatures.clearmlApplications.extraEnvs | nindent 10 }}
{{- end }}
securityContext:
{{ toYaml .Values.enterpriseFeatures.clearmlApplications.containerSecurityContext | nindent 12 }}
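Review bot: The two `securityContext:` values added here are rendered with `{{ toYaml … | nindent N }}` without a left trim, so the line holding the action is left behind as a whitespace-only line, and with the default `{}` the value comes out as a bare `{}` on a line of its own. The `resources:` line in the Deployment template already uses the trimmed form; the matching spelling here is `{{- toYaml .Values.enterpriseFeatures.clearmlApplications.podSecurityContext | nindent 10 }}`, and likewise for `containerSecurityContext`. The three actions added to the Deployment template have the same shape. Indentation is not visible on this page and this text appears to sit under `data:`, so the `nindent` widths should be confirmed against `helm template` output; both blocks continue outside the hunks.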


@ -43,6 +43,8 @@ spec:
secretName: {{ include "clearml.name" . }}-apps-fm
{{- end }}
serviceAccountName: "clearml-apps-sa"
securityContext:
{{ toYaml .Values.enterpriseFeatures.clearmlApplications.podSecurityContext | nindent 8 }}
initContainers:
- name: init-apps
image: "{{ .Values.enterpriseFeatures.clearmlApplications.image.repository }}:{{ .Values.enterpriseFeatures.clearmlApplications.image.tag | default .Chart.AppVersion }}"
@ -55,6 +57,8 @@ spec:
echo "waiting for apiserver" ;
sleep 5 ;
done
securityContext:
{{ toYaml .Values.enterpriseFeatures.clearmlApplications.containerSecurityContext | nindent 12 }}
containers:
- name: clearml-apps
image: "{{ .Values.enterpriseFeatures.clearmlApplications.image.repository }}:{{ .Values.enterpriseFeatures.clearmlApplications.image.tag | default .Chart.AppVersion }}"
@ -121,6 +125,8 @@ spec:
subPath: "{{ .name }}"
readOnly: true
{{- end }}
securityContext:
{{ toYaml .Values.enterpriseFeatures.clearmlApplications.containerSecurityContext | nindent 12 }}
resources:
{{- toYaml .Values.enterpriseFeatures.clearmlApplications.resources | nindent 12 }}
{{- with .Values.enterpriseFeatures.clearmlApplications.nodeSelector }}
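Review bot: The single `containerSecurityContext` value is applied to both the `init-apps` init container and the `clearml-apps` container, and also to the container in the other template, so a restriction that one of them cannot run under has to be dropped for all of them. If the init container only waits for the apiserver, as the visible `sleep 5` loop suggests, it could probably carry a stricter context than the main container, which one shared key does not allow. At minimum the values comment should state the scope, e.g. `# -- APPS containers security context (applied to the init-apps and clearml-apps containers and to the pod template in the ConfigMap)`. The container specs start and end outside these hunks.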


@ -437,11 +437,16 @@ enterpriseFeatures:
replicaCount: 1
# -- APPS extra envrinoment variables
extraEnvs: []
# -- additional existing ClusterRoleBindings
additionalClusterRoleBindings: []
# - privileged
# -- additional existing RoleBindings
additionalRoleBindings: []
# - privileged
# -- APPS pod security context
podSecurityContext: {}
# -- APPS containers security context
containerSecurityContext: {}
# -- file definition
fileMounts: []
# -- specific annotation for APPS pods
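Review bot: Both new keys default to `{}`, so the hardening is opt-in and a default install still renders the apps pods with no `runAsNonRoot`, `allowPrivilegeEscalation` or capability settings. The role-binding keys just above already carry a commented example (`# - privileged`), and the same pattern would help here, for instance `# runAsNonRoot: true` under `podSecurityContext` and `# allowPrivilegeEscalation: false` under `containerSecurityContext`. Whether the apps image runs as a non-root user is not visible from this page, so the example should be checked against the image before any of it becomes a default.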