[agent] Add support for running unprivileged #46

Merged
merged 39 commits into from
Sep 21, 2022
Changes from 37 commits
c41591e
initial
jamiezieziula Sep 19, 2022
6403248
adding rbac
jamiezieziula Sep 19, 2022
df08aab
Merge branch 'main' of github.com:PrefectHQ/prefect-helm into chart-o…
jamiezieziula Sep 19, 2022
403c64a
added q & removed unneeded values
jamiezieziula Sep 19, 2022
ba8c5fb
additional resources
jamiezieziula Sep 19, 2022
9836318
rename
jamiezieziula Sep 19, 2022
edf9a58
update workspace var
jamiezieziula Sep 19, 2022
bc8c872
test extra arg
jamiezieziula Sep 19, 2022
124104f
testing @param
jamiezieziula Sep 19, 2022
4f0587c
added descriptions
jamiezieziula Sep 19, 2022
8be56a7
remove unneeded comment
jamiezieziula Sep 19, 2022
ebecd9a
testing lint workflow
jamiezieziula Sep 19, 2022
23624f7
test with real key
jamiezieziula Sep 19, 2022
b909139
undo helper
jamiezieziula Sep 19, 2022
b8c0024
add namespace to secret creation
jamiezieziula Sep 19, 2022
7683822
passing ns argument
jamiezieziula Sep 19, 2022
0538a78
update ns & remove default value
jamiezieziula Sep 19, 2022
bbc2827
introduce better logic for api url determination
jamiezieziula Sep 19, 2022
aae1888
different ns
jamiezieziula Sep 19, 2022
66f794d
minor adjustments
jamiezieziula Sep 19, 2022
52194d6
switching order within action
jamiezieziula Sep 19, 2022
40d02ec
testing different workqueue name
jamiezieziula Sep 19, 2022
13af691
testing inline
jamiezieziula Sep 19, 2022
fbe5e12
cli flag
jamiezieziula Sep 19, 2022
ed15531
updating wq name
jamiezieziula Sep 19, 2022
4312f44
fix pathing
jamiezieziula Sep 19, 2022
90ab3f7
other values
jamiezieziula Sep 19, 2022
b58fe85
testing specific linter
jamiezieziula Sep 19, 2022
b816b64
release label config
jamiezieziula Sep 19, 2022
109f4d2
remove if for kind cluster
jamiezieziula Sep 19, 2022
41f4d06
adding orion test
jamiezieziula Sep 19, 2022
e7a3d55
remove duplicate quote
jamiezieziula Sep 19, 2022
1d29ad5
removing containersecurity & adding default name
jamiezieziula Sep 19, 2022
cc37a8c
Add support for running unprivileged
jawnsy Sep 20, 2022
fe59e5c
make volumes a list
jawnsy Sep 20, 2022
8eb448e
add prefect home var
jawnsy Sep 20, 2022
babd40b
merge from main
jamiezieziula Sep 21, 2022
9ef3016
add container security context
jawnsy Sep 21, 2022
b692cd4
update readme
jawnsy Sep 21, 2022
7 changes: 7 additions & 0 deletions charts/prefect-agent/README.md
Expand Up @@ -34,6 +34,11 @@ Prefect Agent application bundle
| agent.config.apiUrl | string | `"https://api.prefect.cloud"` | prefect API url |
| agent.config.workQueueName | string | `""` | prefect workqueue name |
| agent.config.workspaceId | string | `""` | prefect workspace ID |
| agent.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | set agent containers' security context allowPrivilegeEscalation |
| agent.containerSecurityContext.enabled | bool | `true` | enabled agent containers' security context |
| agent.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | set agent containers' security context readOnlyRootFilesystem |
| agent.containerSecurityContext.runAsNonRoot | bool | `true` | set agent containers' security context runAsNonRoot |
| agent.containerSecurityContext.runAsUser | int | `1001` | set agent containers' security context runAsUser |
| agent.extraEnvVars | list | `[]` | array with extra environment variables to add to agent nodes |
| agent.extraEnvVarsCM | string | `""` | name of existing ConfigMap containing extra env vars to add to agent nodes |
| agent.extraEnvVarsSecret | string | `""` | name of existing Secret containing extra env vars to add to agent nodes |
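Review bot: the description for `agent.containerSecurityContext.enabled` reads "enabled agent containers' security context", which describes a state rather than the toggle it documents; "enable the agent container's security context" is clearer, and since this table appears to be generated from the `# --` comments in values.yaml (helm-docs style), the wording should be fixed there so the README does not drift back on the next regeneration. The four new rows otherwise match the defaults in the values.yaml hunk of this PR (runAsUser 1001, runAsNonRoot true, readOnlyRootFilesystem true, allowPrivilegeEscalation false).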
Expand All @@ -47,6 +52,8 @@ Prefect Agent application bundle
| agent.podLabels | object | `{}` | extra labels for agent pod |
| agent.podSecurityContext.enabled | bool | `true` | enabled agent pods' security context |
| agent.podSecurityContext.fsGroup | int | `1001` | set agent pod's security context fsGroup |
| agent.podSecurityContext.runAsNonRoot | bool | `true` | set agent pod's security context runAsNonRoot |
| agent.podSecurityContext.runAsUser | int | `1001` | set agent pod's security context runAsUser |
| agent.replicaCount | int | `1` | number of agent replicas to deploy |
| agent.resources.limits | object | `{}` | the requested limits for the agent container |
| agent.resources.requests | object | `{}` | the requested resources for the agent container |
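Review bot: `agent.podSecurityContext.runAsUser` and `agent.podSecurityContext.runAsNonRoot` now duplicate the same two fields that the new `agent.containerSecurityContext` block sets; Kubernetes applies the container-level securityContext over the pod-level one for those fields, so a user who overrides only the pod-level value (say, to run as a different UID) will see no change in the agent container. Either add a sentence here saying the container-level setting takes precedence, or set these fields at one level only so the chart has a single knob.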
12 changes: 10 additions & 2 deletions charts/prefect-agent/templates/deployment.yaml
Expand Up @@ -52,15 +52,17 @@ spec:
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
command: ["prefect", "agent", "start", "-q", {{ .Values.agent.config.workQueueName }}]
env:
- name: PREFECT_DEBUG_MODE
value: {{ .Values.agent.image.debug | quote }}
- name: PREFECT_API_URL
value: {{ template "agent.apiUrl" . }}
- name: PREFECT_API_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.agent.config.apiKeySecret.name }}
key: {{ .Values.agent.config.apiKeySecret.key }}
- name: PREFECT_DEBUG_MODE
value: {{ .Values.agent.image.debug | quote }}
- name: PREFECT_HOME
value: /opt/prefect
{{- if .Values.agent.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
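Review bot: `PREFECT_HOME` is the only setting in this env block that is hardcoded rather than read from `.Values`, and it is the one a user with a custom image or a different home layout is most likely to need to change; consider exposing it as a chart value (a hypothetical `agent.config.home`, with `/opt/prefect` as the default) and rendering it with `| quote` for consistency with `PREFECT_DEBUG_MODE`. The move of `PREFECT_DEBUG_MODE` below `PREFECT_API_KEY` is purely cosmetic and is fine.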
Expand All @@ -76,3 +78,9 @@ spec:
{{- if .Values.agent.resources }}
resources: {{- toYaml .Values.agent.resources | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /opt/prefect/.prefect
name: agent-home
volumes:
- name: agent-home
emptyDir: {}
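Review bot: the writable emptyDir is mounted at `/opt/prefect/.prefect`, but `PREFECT_HOME` earlier in this file is set to `/opt/prefect`; with `readOnlyRootFilesystem: true` now the default, anything the agent writes directly under `PREFECT_HOME` rather than under its `.prefect` subdirectory (a profiles file, a local database, log or cache files) will fail with a read-only filesystem error. Either mount the volume at `/opt/prefect` or set `PREFECT_HOME` to `/opt/prefect/.prefect`, and verify on the kind cluster the CI already uses (see the commit list) that the agent starts cleanly with the read-only root. Note also that `volumeMounts` and `volumes` are added unconditionally, so the mount is present even when `containerSecurityContext.enabled` is false; that is harmless, but a short comment saying so would save the next reader a question.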
17 changes: 17 additions & 0 deletions charts/prefect-agent/values.yaml
Expand Up @@ -58,9 +58,26 @@ agent:
podSecurityContext:
# -- enabled agent pods' security context
enabled: true
# -- set agent pod's security context runAsUser
runAsUser: 1001
# -- set agent pod's security context runAsNonRoot
runAsNonRoot: true
# -- set agent pod's security context fsGroup
fsGroup: 1001

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
containerSecurityContext:
# -- enabled agent containers' security context
enabled: true
# -- set agent containers' security context runAsUser
runAsUser: 1001
# -- set agent containers' security context runAsNonRoot
runAsNonRoot: true
# -- set agent containers' security context readOnlyRootFilesystem
readOnlyRootFilesystem: true
# -- set agent containers' security context allowPrivilegeEscalation
allowPrivilegeEscalation: false

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
# -- extra labels for agent pod
podLabels: {}
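Review bot: the new `containerSecurityContext` block sets `runAsUser`, `runAsNonRoot`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` but not `capabilities.drop: ["ALL"]` or `seccompProfile.type: RuntimeDefault`, both of which the Kubernetes restricted Pod Security Standard also requires; adding them here (and `seccompProfile` under `podSecurityContext` as well) would let the agent deploy out of the box into a namespace labelled `pod-security.kubernetes.io/enforce: restricted`. Two smaller points: the `# -- enabled agent containers' security context` comment should read `enable`, since it documents a toggle and this comment is what the README table is generated from, and `runAsUser`/`runAsNonRoot` now appear at both pod and container level, so one of the two copies could be dropped or a comment added saying the container-level value wins.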