feat: Allow configuration of pod's security context for DevWorkspaces on Kubernetes #748
Conversation
In some Kubernetes clusters, fsGroup needs to be set in order for workspace containers to read contents of mounted PVCs. This change matches the fsGroup with the runAsUser field. Note this is the security context that is used in Eclipse Che as well. Only applies to Kubernetes; behavior in OpenShift is unchanged.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Add PodSecurityContext to DevWorkspaceOperatorConfig to allow configuring PodSecurityContext when running on Kubernetes.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Thanks! I haven't used this before, but that could speed up things if projects contain a lot of npm dependencies. What do you think? See: https://kubernetes.io/blog/2020/12/14/kubernetes-release-1.20-fsgroupchangepolicy-fsgrouppolicy/
@nils-mosbach Thanks for that link, I wasn't aware of this change! This is something I believe might solve a long-term complaint about workspace startup time for us (and Eclipse Che), as our use cases (especially with npm projects ;)) generally involve many files in the PVC. The DevWorkspace Operator depends on the Kubernetes 1.21.3 API, which means that this PR implicitly supports setting

```yaml
apiVersion: controller.devfile.io/v1alpha1
kind: DevWorkspaceOperatorConfig
metadata:
  name: devworkspace-operator-config
config:
  workspace:
    podSecurityContext:
      fsGroupChangePolicy: "OnRootMismatch"
      # Other fields need to be set too
```

The impact of this on DevWorkspace startup time could be tested using the
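The thread's two caveats, that the `podSecurityContext` override replaces the default wholesale ("Other fields need to be set too") and that the value is ignored on OpenShift, are easy to get wrong when wiring this into a controller. The following Go program is an added example written for this page; it is not the DevWorkspace Operator's code. It assumes a simplified `PodSecurityContext` struct standing in for `corev1.PodSecurityContext` (only the three fields discussed here), a hypothetical `Platform` enum, and a Kubernetes minor-version gate for `fsGroupChangePolicy` based on the 1.20 beta announcement linked above. The default of `fsGroup = runAsUser = 1234` is the one the PR description states.

```go
package main

import (
	"errors"
	"fmt"
)

// PodSecurityContext is a simplified stand-in (assumption) for
// corev1.PodSecurityContext, carrying only the fields discussed in the thread.
type PodSecurityContext struct {
	RunAsUser           *int64
	FSGroup             *int64
	FSGroupChangePolicy *string
}

// Platform is a hypothetical enum for the two infrastructures the PR treats differently.
type Platform int

const (
	Kubernetes Platform = iota
	OpenShift
)

// DefaultUID is the PR's default: fsGroup = runAsUser = 1234.
const DefaultUID int64 = 1234

func int64Ptr(v int64) *int64 { return &v }
func strPtr(v string) *string { return &v }

// String renders the context without pointer addresses; nil means "not set on the pod".
func (sc *PodSecurityContext) String() string {
	if sc == nil {
		return "<none>"
	}
	pol := "<unset>"
	if sc.FSGroupChangePolicy != nil {
		pol = *sc.FSGroupChangePolicy
	}
	return fmt.Sprintf("runAsUser=%d fsGroup=%d fsGroupChangePolicy=%s", *sc.RunAsUser, *sc.FSGroup, pol)
}

// DefaultKubernetesSecurityContext is the fallback when DevWorkspaceOperatorConfig
// carries no podSecurityContext: fsGroup matches runAsUser so the workspace process
// is in the group the kubelet applies to mounted PVC contents.
func DefaultKubernetesSecurityContext() *PodSecurityContext {
	return &PodSecurityContext{RunAsUser: int64Ptr(DefaultUID), FSGroup: int64Ptr(DefaultUID)}
}

// ValidateOverride flags the mistakes the thread warns about. The override replaces
// the default wholesale, so a fragment that only sets fsGroupChangePolicy would
// silently drop runAsUser and fsGroup, reintroducing the unreadable-PVC problem.
func ValidateOverride(sc *PodSecurityContext, k8sMinor int) error {
	if sc == nil {
		return nil
	}
	if sc.RunAsUser == nil || sc.FSGroup == nil {
		return errors.New("podSecurityContext override must set runAsUser and fsGroup; defaults are not merged in")
	}
	if sc.FSGroupChangePolicy != nil {
		switch *sc.FSGroupChangePolicy {
		case "OnRootMismatch", "Always":
		default:
			return fmt.Errorf("unknown fsGroupChangePolicy %q", *sc.FSGroupChangePolicy)
		}
		// Assumption: fsGroupChangePolicy is beta (on by default) from Kubernetes 1.20,
		// per the release blog linked in the thread; older API servers drop the field.
		if k8sMinor < 20 {
			return fmt.Errorf("fsGroupChangePolicy requires Kubernetes >= 1.20, cluster is 1.%d", k8sMinor)
		}
	}
	return nil
}

// ResolvePodSecurityContext decides what goes on workspace pods: nothing on OpenShift
// (the SCC assigns uid and fsGroup; the config value is ignored), the validated
// override on Kubernetes when one is configured, otherwise the default.
func ResolvePodSecurityContext(p Platform, override *PodSecurityContext, k8sMinor int) (*PodSecurityContext, error) {
	if p == OpenShift {
		return nil, nil
	}
	if override == nil {
		return DefaultKubernetesSecurityContext(), nil
	}
	if err := ValidateOverride(override, k8sMinor); err != nil {
		return nil, err
	}
	out := *override
	return &out, nil
}

func main() {
	policy := strPtr("OnRootMismatch")
	// Constructed override mirroring the YAML in the thread with the "other fields" filled in.
	full := &PodSecurityContext{RunAsUser: int64Ptr(1234), FSGroup: int64Ptr(1234), FSGroupChangePolicy: policy}
	for _, p := range []Platform{Kubernetes, OpenShift} {
		sc, err := ResolvePodSecurityContext(p, full, 21)
		fmt.Printf("platform=%d -> %v (err=%v)\n", p, sc, err)
	}
	// The fragment exactly as written in the thread is rejected rather than applied.
	_, err := ResolvePodSecurityContext(Kubernetes, &PodSecurityContext{FSGroupChangePolicy: policy}, 21)
	fmt.Println("partial override:", err)
}
```

Whether the operator merges or replaces is the point to check before copying the YAML fragment into a real `DevWorkspaceOperatorConfig`; the comment in the fragment says it replaces, so the validation above rejects a policy-only override.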
/test v8-devworkspace-operator-e2e
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: amisevsk, ibuziuk. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Great, thanks a lot! I'll give it a go as soon as we manage to get devworkspaces running under Kubernetes. A version that I patched myself seemed to resolve the issue.
I'm glad to hear it 😄
What does this PR do?
Adds field `podSecurityContext` to the `DevWorkspaceOperatorConfig` CR to allow overriding securityContext in all workspace-related pods when running on Kubernetes.

Also sets a default `fsGroup = 1234` to avoid issues on some k8s clusters (see: eclipse-che/che#20965). Note that this is what is done in Eclipse Che as well, as far as I can tell, so it should not cause issues.

Configuration value is ignored on OpenShift.
What issues does this PR fix or reference?
Closes #718
Related: eclipse-che/che#20965
Related: eclipse-che/che#20963
Is it tested? How?
- `fsGroup=1234`
- Set `.config.workspace.podSecurityContext` in the `devworkspace-operator-config` DevWorkspaceOperatorConfig and make sure the change is propagated to DevWorkspaces (may need to trigger a reconcile for running workspaces)

PR Checklist
- Run `/test v8-devworkspace-operator-e2e, v8-che-happy-path` to trigger:
  - `v8-devworkspace-operator-e2e`: DevWorkspace e2e test
  - `v8-che-happy-path`: Happy path for verification integration with Che