From 9b3f318eaea7736394a4631f8d241cab7a92dcf9 Mon Sep 17 00:00:00 2001
From: Marcin Dobosz
Date: Wed, 13 Dec 2023 13:59:04 +0100
Subject: [PATCH] [Issue #741] Fixes previous commit. fsGroup will now be assign to Agent STS and not App
---
.../k8s/agents/AgentResourcesFactory.java | 28 ++++---------------
.../k8s/agents/AgentResourcesFactoryTest.java | 2 ++
2 files changed, 8 insertions(+), 22 deletions(-)
diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java
index 2aefaa906..0a7be1d39 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/main/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactory.java
@@ -32,28 +32,7 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import io.fabric8.kubernetes.api.model.Container;
-import io.fabric8.kubernetes.api.model.ContainerBuilder;
-import io.fabric8.kubernetes.api.model.ContainerPort;
-import io.fabric8.kubernetes.api.model.ContainerPortBuilder;
-import io.fabric8.kubernetes.api.model.EnvVarBuilder;
-import io.fabric8.kubernetes.api.model.ObjectMetaBuilder;
-import io.fabric8.kubernetes.api.model.PersistentVolumeClaim;
-import io.fabric8.kubernetes.api.model.PersistentVolumeClaimBuilder;
-import io.fabric8.kubernetes.api.model.Pod;
-import io.fabric8.kubernetes.api.model.Probe;
-import io.fabric8.kubernetes.api.model.ProbeBuilder;
-import io.fabric8.kubernetes.api.model.Quantity;
-import io.fabric8.kubernetes.api.model.ResourceRequirements;
-import io.fabric8.kubernetes.api.model.ResourceRequirementsBuilder;
-import io.fabric8.kubernetes.api.model.Secret;
-import io.fabric8.kubernetes.api.model.SecretBuilder;
-import io.fabric8.kubernetes.api.model.Service;
-import io.fabric8.kubernetes.api.model.ServiceBuilder;
-import io.fabric8.kubernetes.api.model.ServicePortBuilder;
-import io.fabric8.kubernetes.api.model.VolumeBuilder;
-import io.fabric8.kubernetes.api.model.VolumeMount;
-import io.fabric8.kubernetes.api.model.VolumeMountBuilder;
+import io.fabric8.kubernetes.api.model.*;
 import io.fabric8.kubernetes.api.model.apps.StatefulSet;
 import io.fabric8.kubernetes.api.model.apps.StatefulSetBuilder;
 import io.fabric8.kubernetes.client.KubernetesClient;
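Review bot: The wildcard `import io.fabric8.kubernetes.api.model.*;` replaces 22 explicit imports only to bring two new names into scope. That package exports very common type names such as `Service`, `Secret` and `Pod` (all previously imported explicitly), so the wildcard makes a later name collision or an unintended type being picked up harder to spot in review. I would restore the explicit list and add just `import io.fabric8.kubernetes.api.model.PodSecurityContext;` and `import io.fabric8.kubernetes.api.model.PodSecurityContextBuilder;`.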
@@ -304,6 +283,7 @@ public static StatefulSet generateStatefulSet(GenerateStatefulsetParams params)
 .withTolerations(podTemplate != null ? podTemplate.tolerations() : null)
 .withNodeSelector(podTemplate != null ? podTemplate.nodeSelector() : null)
 .withTerminationGracePeriodSeconds(60L)
+ .withSecurityContext(getPodSecurityContext())
 .withInitContainers(
 List.of(
 injectConfigForDownloadCodeInitContainer,
@@ -464,6 +444,10 @@ private static Map getPodAnnotations(AgentSpec spec, PodTemplate
 return annotations;
 }

+ private static PodSecurityContext getPodSecurityContext() {
+ return new PodSecurityContextBuilder().withFsGroup(10_000L).build();
+ }
+
 private static String getStsImagePullPolicy(GenerateStatefulsetParams params) {
 final String imagePullPolicy = params.getImagePullPolicy();
 final String containerImagePullPolicy =
diff --git a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java
index 927b65605..9c4d24775 100644
--- a/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java
+++ b/langstream-k8s-deployer/langstream-k8s-deployer-core/src/test/java/ai/langstream/deployer/k8s/agents/AgentResourcesFactoryTest.java
@@ -179,6 +179,8 @@ void testStatefulsetAndService() {
 name: download-config
 - mountPath: /app-code-download
 name: code-download
+ securityContext:
+ fsGroup: 10000
 serviceAccountName: runtime-my-tenant
 terminationGracePeriodSeconds: 60
 volumes:
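Review bot: The pod-level security context added by `.withSecurityContext(getPodSecurityContext())` is applied to every agent StatefulSet unconditionally and carries only `fsGroup`. The neighbouring lines take tolerations and the node selector from `podTemplate`, but there is no equivalent override here, so an operator whose storage or admission policy needs a different group id cannot change it. If the runtime image is known to run as a non-root user (not visible in this hunk), also setting `.withRunAsNonRoot(true)` in the same builder would make the kubelet refuse to start the pod as root instead of doing so silently. generateStatefulSet starts and ends outside the hunk, so container-level security contexts may already cover part of this.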
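Review bot: `getPodSecurityContext()` hard-codes `10_000L` with no indication of where the number comes from. Presumably it has to match the group id used by the runtime image; a named constant with a comment, e.g. `private static final long AGENT_FS_GROUP = 10_000L; // must match the runtime image's group id`, would make that coupling explicit and give the test a single value to track. With `fsGroup` set, the kubelet by default changes ownership of the mounted volume contents recursively on every pod start, which can delay startup for large agent disks; `.withFsGroupChangePolicy("OnRootMismatch")` skips the full walk when the volume root already has the expected ownership.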