From 15f1a8f611bf41f5f374ba510c832493a3519041 Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 23 Oct 2024 19:45:31 -0500 Subject: [PATCH 01/19] create a tmp dir for the controller to write Spark artifacts to and set the controller to readOnlyRootFilesystem Signed-off-by: Nick Gretzon --- charts/spark-operator-chart/values.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 9032087c6..9400ab03e 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -105,7 +105,11 @@ controller: # key2: value2 # -- Volumes for controller pods. - volumes: [] + volumes: + # -- Create a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + emptyDir: + sizeLimit: 1Gi # -- Node selector for controller pods. nodeSelector: {} @@ -141,7 +145,11 @@ controller: envFrom: [] # -- Volume mounts for controller containers. - volumeMounts: [] + volumeMounts: + # -- Mount a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + mountPath: "/tmp" + readOnly: false # -- Pod resource requests and limits for controller containers. # Note, that each job submission will spawn a JVM within the controller pods using "/usr/local/openjdk-11/bin/java -Xmx128m". @@ -157,6 +165,7 @@ controller: # -- Security context for controller containers. securityContext: + readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false runAsNonRoot: true From 967b421a2e8664b72f6bb247e740db095713e31c Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 23 Oct 2024 19:51:20 -0500 Subject: [PATCH 02/19] mount a dir for the webhook container to generate its certificates in and set readOnlyRootFilesystem: true for the webhook pod 
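Review bot: `readOnly: false` on the new `tmp` mount in the volumeMounts hunk restates the Kubernetes default and can be dropped. The more operator-relevant gap is in the volumes hunk: when the `tmp` emptyDir exceeds its 1Gi `sizeLimit` the kubelet evicts the controller pod rather than failing the write, which the comment should state, e.g. `# Spark artifacts for submitted apps are written here; exceeding sizeLimit evicts the pod.` With `readOnlyRootFilesystem: true` from the securityContext hunk, any write outside `/tmp` now fails at runtime; whether spark-submit or its JVM writes anywhere else (a home directory, SPARK_HOME) is not visible here and should be confirmed against the image before the default changes. `mountPath` is quoted as `"/tmp"` here but left unquoted for the webhook mount in the next commit; pick one style.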
Signed-off-by: Nick Gretzon --- charts/spark-operator-chart/values.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 9400ab03e..3e4971639 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -261,7 +261,11 @@ webhook: sidecars: [] # -- Volumes for webhook pods. - volumes: [] + volumes: + # -- Create a dir for the webhook to generate its certificates in. + - name: serving-certs + emptyDir: + sizeLimit: 500Mi # -- Node selector for webhook pods. nodeSelector: {} @@ -297,7 +301,13 @@ webhook: envFrom: [] # -- Volume mounts for webhook containers. - volumeMounts: [] + volumeMounts: + # -- Mount a dir for the webhook to generate its certificates in. + - name: serving-certs + mountPath: /etc/k8s-webhook-server/serving-certs + subPath: serving-certs + readOnly: false + # -- Pod resource requests and limits for webhook pods. resources: {} @@ -310,6 +320,7 @@ webhook: # -- Security context for webhook containers. securityContext: + readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false runAsNonRoot: true From 1079ff6ffb3e827b31628a3a536e68b1f4df6e02 Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 23 Oct 2024 20:02:02 -0500 Subject: [PATCH 03/19] update the securityContext in the controller deployment test Signed-off-by: Nick Gretzon --- .../spark-operator-chart/tests/controller/deployment_test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/spark-operator-chart/tests/controller/deployment_test.yaml b/charts/spark-operator-chart/tests/controller/deployment_test.yaml index 67c475da4..3606142ac 100644 --- a/charts/spark-operator-chart/tests/controller/deployment_test.yaml +++ b/charts/spark-operator-chart/tests/controller/deployment_test.yaml 
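Review bot: `subPath: serving-certs` in the volumeMounts hunk is unnecessary: nothing else uses this emptyDir, so the subPath only creates a `serving-certs` subdirectory inside the volume and adds a subPath bind-mount for no benefit; mounting the volume directly with just `- name: serving-certs` and `mountPath: /etc/k8s-webhook-server/serving-certs` is simpler. The `sizeLimit: 500Mi` in the volumes hunk is far beyond what a key and certificate need, and because exceeding an emptyDir sizeLimit evicts the pod, a small limit documents the intent better — I cannot see what else the webhook writes there, so confirm before shrinking it. The certificates remain in a pod-local emptyDir and are regenerated on each restart; that predates this change but belongs in the volume comment, e.g. `# Self-generated serving certs; pod-local, regenerated on every restart.` The `mountPath` here is unquoted while the controller's `"/tmp"` is quoted; pick one style.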
@@ -355,6 +355,7 @@ tests:
set:
controller:
securityContext:
+ readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 2000
fsGroup: 3000
@@ -362,6 +363,7 @@ tests:
- equal:
path: spec.template.spec.containers[0].securityContext
value:
+ readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 2000
fsGroup: 3000
From 1baa17e4071edd02fd1fcac95f43553f7c3480d5 Mon Sep 17 00:00:00 2001
From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com>
Date: Wed, 23 Oct 2024 20:04:26 -0500
Subject: [PATCH 04/19] update securityContext of the webhook container in the deployment_test
Signed-off-by: Nick Gretzon
---
.../spark-operator-chart/tests/webhook/deployment_test.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/charts/spark-operator-chart/tests/webhook/deployment_test.yaml b/charts/spark-operator-chart/tests/webhook/deployment_test.yaml
index bf6bc03c8..7715cb240 100644
--- a/charts/spark-operator-chart/tests/webhook/deployment_test.yaml
+++ b/charts/spark-operator-chart/tests/webhook/deployment_test.yaml
@@ -299,10 +299,14 @@ tests:
set:
webhook:
securityContext:
+ readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 2000
fsGroup: 3000
asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 1000
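Review bot: Both hunks set `readOnlyRootFilesystem: true` explicitly under `set:` and then assert it, so the test proves that an explicitly set value is passed through, not that the new default in values.yaml is applied; the webhook test in the next patch (`@@ -299`) and the controller fixture in the final patch (`@@ -359`) have the same gap. A case with no `set:` override that asserts `path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem`, `value: true` would catch a regression of the default. Also, `fsGroup` is a pod-level securityContext field and is not valid inside a container securityContext; the equality assertion passes only because the template copies values verbatim, so dropping it from the fixture keeps the expected object a valid container securityContext.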
@@ -101,7 +101,8 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | controller.rbac.annotations | object | `{}` | Extra annotations for the controller RBAC resources. | | controller.labels | object | `{}` | Extra labels for controller pods. | | controller.annotations | object | `{}` | Extra annotations for controller pods. | -| controller.volumes | list | `[]` | Volumes for controller pods. | +| controller.volumes | list | `[{"emptyDir":{"sizeLimit":"1Gi"},"name":"tmp"}]` | Volumes for controller pods. | +| controller.volumes[0] | object | `{"emptyDir":{"sizeLimit":"1Gi"},"name":"tmp"}` | Create a tmp directory to write Spark artifacts to for deployed Spark apps. | | controller.nodeSelector | object | `{}` | Node selector for controller pods. | | controller.affinity | object | `{}` | Affinity for controller pods. | | controller.tolerations | list | `[]` | List of node taints to tolerate for controller pods. | 
@@ -110,9 +111,10 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). The labelSelector field in topology spread constraint will be set to the selector labels for controller pods if not specified. | | controller.env | list | `[]` | Environment variables for controller containers. | | controller.envFrom | list | `[]` | Environment variable sources for controller containers. | -| controller.volumeMounts | list | `[]` | Volume mounts for controller containers. | +| controller.volumeMounts | list | `[{"mountPath":"/tmp","name":"tmp","readOnly":false}]` | Volume mounts for controller containers. | +| controller.volumeMounts[0] | object | `{"mountPath":"/tmp","name":"tmp","readOnly":false}` | Mount a tmp directory to write Spark artifacts to for deployed Spark apps. | | controller.resources | object | `{}` | Pod resource requests and limits for controller containers. Note, that each job submission will spawn a JVM within the controller pods using "/usr/local/openjdk-11/bin/java -Xmx128m". Kubernetes may kill these Java processes at will to enforce resource limits. When that happens, you will see the following error: 'failed to run spark-submit for SparkApplication [...]: signal: killed' - when this happens, you may want to increase memory limits. | -| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsNonRoot":true}` | Security context for controller containers. 
| +| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Security context for controller containers. | | controller.sidecars | list | `[]` | Sidecar containers for controller pods. | | controller.podDisruptionBudget.enable | bool | `false` | Specifies whether to create pod disruption budget for controller. Ref: [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) | | controller.podDisruptionBudget.minAvailable | int | `1` | The number of pods that must be available. Require `controller.replicas` to be greater than 1 | @@ -139,7 +141,8 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | webhook.labels | object | `{}` | Extra labels for webhook pods. | | webhook.annotations | object | `{}` | Extra annotations for webhook pods. | | webhook.sidecars | list | `[]` | Sidecar containers for webhook pods. | -| webhook.volumes | list | `[]` | Volumes for webhook pods. | +| webhook.volumes | list | `[{"emptyDir":{"sizeLimit":"500Mi"},"name":"serving-certs"}]` | Volumes for webhook pods. | +| webhook.volumes[0] | object | `{"emptyDir":{"sizeLimit":"500Mi"},"name":"serving-certs"}` | Create a dir for the webhook to generate its certificates in. | | webhook.nodeSelector | object | `{}` | Node selector for webhook pods. | | webhook.affinity | object | `{}` | Affinity for webhook pods. | | webhook.tolerations | list | `[]` | List of node taints to tolerate for webhook pods. | 
@@ -148,9 +151,10 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | webhook.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). The labelSelector field in topology spread constraint will be set to the selector labels for webhook pods if not specified. | | webhook.env | list | `[]` | Environment variables for webhook containers. | | webhook.envFrom | list | `[]` | Environment variable sources for webhook containers. | -| webhook.volumeMounts | list | `[]` | Volume mounts for webhook containers. | +| webhook.volumeMounts | list | `[{"mountPath":"/etc/k8s-webhook-server/serving-certs","name":"serving-certs","readOnly":false,"subPath":"serving-certs"}]` | Volume mounts for webhook containers. | +| webhook.volumeMounts[0] | object | `{"mountPath":"/etc/k8s-webhook-server/serving-certs","name":"serving-certs","readOnly":false,"subPath":"serving-certs"}` | Mount a dir for the webhook to generate its certificates in. | | webhook.resources | object | `{}` | Pod resource requests and limits for webhook pods. | -| webhook.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsNonRoot":true}` | Security context for webhook containers. | +| webhook.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Security context for webhook containers. | | webhook.podDisruptionBudget.enable | bool | `false` | Specifies whether to create pod disruption budget for webhook. 
Ref: [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) | | webhook.podDisruptionBudget.minAvailable | int | `1` | The number of pods that must be available. Require `webhook.replicas` to be greater than 1 | | spark.jobNamespaces | list | `["default"]` | List of namespaces where to run spark jobs. If empty string is included, all namespaces will be allowed. Make sure the namespaces have already existed. | From 7d5c361765a47895874008d8c3740a0d884cc8d9 Mon Sep 17 00:00:00 2001 From: Nick Gretzon Date: Mon, 4 Nov 2024 20:48:39 -0600 Subject: [PATCH 06/19] remove -- so comments are not rendered in the README.md Signed-off-by: Nick Gretzon --- charts/spark-operator-chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 3e4971639..20687fff0 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -106,7 +106,7 @@ controller: # -- Volumes for controller pods. volumes: - # -- Create a tmp directory to write Spark artifacts to for deployed Spark apps. + # Create a tmp directory to write Spark artifacts to for deployed Spark apps. - name: tmp emptyDir: sizeLimit: 1Gi @@ -146,7 +146,7 @@ controller: # -- Volume mounts for controller containers. volumeMounts: - # -- Mount a tmp directory to write Spark artifacts to for deployed Spark apps. + # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. - name: tmp mountPath: "/tmp" readOnly: false @@ -262,7 +262,7 @@ webhook: # -- Volumes for webhook pods. volumes: - # -- Create a dir for the webhook to generate its certificates in. + # Create a dir for the webhook to generate its certificates in. - name: serving-certs emptyDir: sizeLimit: 500Mi 
@@ -302,7 +302,7 @@ webhook: # -- Volume mounts for webhook containers. volumeMounts: - # -- Mount a dir for the webhook to generate its certificates in. + # Mount a dir for the webhook to generate its certificates in. - name: serving-certs mountPath: /etc/k8s-webhook-server/serving-certs subPath: serving-certs From 9df82954f200cffc2229bf77b4683cf2609d90a2 Mon Sep 17 00:00:00 2001 From: Nick Gretzon Date: Mon, 4 Nov 2024 20:53:15 -0600 Subject: [PATCH 07/19] recreate README.md after removal of comments for volumes and volumeMounts Signed-off-by: Nick Gretzon --- charts/spark-operator-chart/README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/spark-operator-chart/README.md b/charts/spark-operator-chart/README.md index 4a9f000b3..709dcc71e 100644 --- a/charts/spark-operator-chart/README.md +++ b/charts/spark-operator-chart/README.md @@ -102,7 +102,6 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | controller.labels | object | `{}` | Extra labels for controller pods. | | controller.annotations | object | `{}` | Extra annotations for controller pods. | | controller.volumes | list | `[{"emptyDir":{"sizeLimit":"1Gi"},"name":"tmp"}]` | Volumes for controller pods. | -| controller.volumes[0] | object | `{"emptyDir":{"sizeLimit":"1Gi"},"name":"tmp"}` | Create a tmp directory to write Spark artifacts to for deployed Spark apps. | | controller.nodeSelector | object | `{}` | Node selector for controller pods. | | controller.affinity | object | `{}` | Affinity for controller pods. | | controller.tolerations | list | `[]` | List of node taints to tolerate for controller pods. | 
@@ -112,7 +111,6 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | controller.env | list | `[]` | Environment variables for controller containers. | | controller.envFrom | list | `[]` | Environment variable sources for controller containers. | | controller.volumeMounts | list | `[{"mountPath":"/tmp","name":"tmp","readOnly":false}]` | Volume mounts for controller containers. | -| controller.volumeMounts[0] | object | `{"mountPath":"/tmp","name":"tmp","readOnly":false}` | Mount a tmp directory to write Spark artifacts to for deployed Spark apps. | | controller.resources | object | `{}` | Pod resource requests and limits for controller containers. Note, that each job submission will spawn a JVM within the controller pods using "/usr/local/openjdk-11/bin/java -Xmx128m". Kubernetes may kill these Java processes at will to enforce resource limits. When that happens, you will see the following error: 'failed to run spark-submit for SparkApplication [...]: signal: killed' - when this happens, you may want to increase memory limits. | | controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Security context for controller containers. | | controller.sidecars | list | `[]` | Sidecar containers for controller pods. | 
@@ -142,7 +140,6 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | webhook.annotations | object | `{}` | Extra annotations for webhook pods. | | webhook.sidecars | list | `[]` | Sidecar containers for webhook pods. | | webhook.volumes | list | `[{"emptyDir":{"sizeLimit":"500Mi"},"name":"serving-certs"}]` | Volumes for webhook pods. | -| webhook.volumes[0] | object | `{"emptyDir":{"sizeLimit":"500Mi"},"name":"serving-certs"}` | Create a dir for the webhook to generate its certificates in. | | webhook.nodeSelector | object | `{}` | Node selector for webhook pods. | | webhook.affinity | object | `{}` | Affinity for webhook pods. | | webhook.tolerations | list | `[]` | List of node taints to tolerate for webhook pods. | 
@@ -152,7 +149,6 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum | webhook.env | list | `[]` | Environment variables for webhook containers. | | webhook.envFrom | list | `[]` | Environment variable sources for webhook containers. | | webhook.volumeMounts | list | `[{"mountPath":"/etc/k8s-webhook-server/serving-certs","name":"serving-certs","readOnly":false,"subPath":"serving-certs"}]` | Volume mounts for webhook containers. | -| webhook.volumeMounts[0] | object | `{"mountPath":"/etc/k8s-webhook-server/serving-certs","name":"serving-certs","readOnly":false,"subPath":"serving-certs"}` | Mount a dir for the webhook to generate its certificates in. | | webhook.resources | object | `{}` | Pod resource requests and limits for webhook pods. | | webhook.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Security context for webhook containers. | | webhook.podDisruptionBudget.enable | bool | `false` | Specifies whether to create pod disruption budget for webhook. Ref: [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) | From cc3fab353398e2e63ad4bfff116836b6fdc1c11f Mon Sep 17 00:00:00 2001 From: Nick Gretzon Date: Wed, 6 Nov 2024 14:53:04 -0600 Subject: [PATCH 08/19] make indentation for volumes and volumeMounts consistent with rest of values.yaml Signed-off-by: Nick Gretzon --- charts/spark-operator-chart/values.yaml | 34 ++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 20687fff0..6b33fb23e 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml 
@@ -106,10 +106,10 @@ controller: # -- Volumes for controller pods. volumes: - # Create a tmp directory to write Spark artifacts to for deployed Spark apps. - - name: tmp - emptyDir: - sizeLimit: 1Gi + # Create a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + emptyDir: + sizeLimit: 1Gi # -- Node selector for controller pods. nodeSelector: {} @@ -146,10 +146,10 @@ controller: # -- Volume mounts for controller containers. volumeMounts: - # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. - - name: tmp - mountPath: "/tmp" - readOnly: false + # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + mountPath: "/tmp" + readOnly: false # -- Pod resource requests and limits for controller containers. # Note, that each job submission will spawn a JVM within the controller pods using "/usr/local/openjdk-11/bin/java -Xmx128m". @@ -262,10 +262,10 @@ webhook: # -- Volumes for webhook pods. volumes: - # Create a dir for the webhook to generate its certificates in. - - name: serving-certs - emptyDir: - sizeLimit: 500Mi + # Create a dir for the webhook to generate its certificates in. + - name: serving-certs + emptyDir: + sizeLimit: 500Mi # -- Node selector for webhook pods. nodeSelector: {} @@ -302,11 +302,11 @@ webhook: # -- Volume mounts for webhook containers. volumeMounts: - # Mount a dir for the webhook to generate its certificates in. - - name: serving-certs - mountPath: /etc/k8s-webhook-server/serving-certs - subPath: serving-certs - readOnly: false + # Mount a dir for the webhook to generate its certificates in. + - name: serving-certs + mountPath: /etc/k8s-webhook-server/serving-certs + subPath: serving-certs + readOnly: false # -- Pod resource requests and limits for webhook pods. From 47dd461edfe51fff941401651f4cab9430ae13fe Mon Sep 17 00:00:00 2001 
From: Nick Gretzon Date: Wed, 6 Nov 2024 14:57:06 -0600 Subject: [PATCH 09/19] Revert "make indentation for volumes and volumeMounts consistent with rest of values.yaml" This reverts commit dba97fc3d9458e5addfff79d021d23b30938cbb9. Signed-off-by: Nick Gretzon --- charts/spark-operator-chart/values.yaml | 34 ++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 6b33fb23e..20687fff0 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -106,10 +106,10 @@ controller: # -- Volumes for controller pods. volumes: - # Create a tmp directory to write Spark artifacts to for deployed Spark apps. - - name: tmp - emptyDir: - sizeLimit: 1Gi + # Create a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + emptyDir: + sizeLimit: 1Gi # -- Node selector for controller pods. nodeSelector: {} @@ -146,10 +146,10 @@ controller: # -- Volume mounts for controller containers. volumeMounts: - # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. - - name: tmp - mountPath: "/tmp" - readOnly: false + # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + mountPath: "/tmp" + readOnly: false # -- Pod resource requests and limits for controller containers. # Note, that each job submission will spawn a JVM within the controller pods using "/usr/local/openjdk-11/bin/java -Xmx128m". @@ -262,10 +262,10 @@ webhook: # -- Volumes for webhook pods. volumes: - # Create a dir for the webhook to generate its certificates in. - - name: serving-certs - emptyDir: - sizeLimit: 500Mi + # Create a dir for the webhook to generate its certificates in. + - name: serving-certs + emptyDir: + sizeLimit: 500Mi # -- Node selector for webhook pods. nodeSelector: {} 
@@ -302,11 +302,11 @@ webhook: # -- Volume mounts for webhook containers. volumeMounts: - # Mount a dir for the webhook to generate its certificates in. - - name: serving-certs - mountPath: /etc/k8s-webhook-server/serving-certs - subPath: serving-certs - readOnly: false + # Mount a dir for the webhook to generate its certificates in. + - name: serving-certs + mountPath: /etc/k8s-webhook-server/serving-certs + subPath: serving-certs + readOnly: false # -- Pod resource requests and limits for webhook pods. From 247caf3c490a6368c8fa7478980cc21deb1e038b Mon Sep 17 00:00:00 2001 From: Nick Gretzon Date: Wed, 6 Nov 2024 15:09:38 -0600 Subject: [PATCH 10/19] fix indentation in webhook and controller deployment templates for volumes and volumeMounts Signed-off-by: Nick Gretzon --- .../spark-operator-chart/templates/controller/deployment.yaml | 4 ++-- charts/spark-operator-chart/templates/webhook/deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spark-operator-chart/templates/controller/deployment.yaml b/charts/spark-operator-chart/templates/controller/deployment.yaml index 2a1fd5f19..5ec995d5b 100644 --- a/charts/spark-operator-chart/templates/controller/deployment.yaml +++ b/charts/spark-operator-chart/templates/controller/deployment.yaml @@ -124,7 +124,7 @@ spec: {{- end }} {{- with .Values.controller.volumeMounts }} volumeMounts: - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.controller.resources }} resources: @@ -153,7 +153,7 @@ spec: {{- end }} {{- with .Values.controller.volumes }} volumes: - {{- toYaml . | nindent 6 }} + {{- toYaml . | nindent 6 }} {{- end }} {{- with .Values.controller.nodeSelector }} nodeSelector: diff --git a/charts/spark-operator-chart/templates/webhook/deployment.yaml b/charts/spark-operator-chart/templates/webhook/deployment.yaml index ae5167a6e..ff78f33c0 100644 --- a/charts/spark-operator-chart/templates/webhook/deployment.yaml 
+++ b/charts/spark-operator-chart/templates/webhook/deployment.yaml @@ -94,7 +94,7 @@ spec: {{- end }} {{- with .Values.webhook.volumeMounts }} volumeMounts: - {{- toYaml . | nindent 10 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.webhook.resources }} resources: @@ -123,7 +123,7 @@ spec: {{- end }} {{- with .Values.webhook.volumes }} volumes: - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 6 }} {{- end }} {{- with .Values.webhook.nodeSelector }} nodeSelector: From 2d6d60e5391269ed226ac847f28f6f61f4fcad29 Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:14:35 -0600 Subject: [PATCH 11/19] Update charts/spark-operator-chart/values.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- charts/spark-operator-chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 20687fff0..8206c747b 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -106,10 +106,10 @@ controller: # -- Volumes for controller pods. volumes: - # Create a tmp directory to write Spark artifacts to for deployed Spark apps. - - name: tmp - emptyDir: - sizeLimit: 1Gi + # Create a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + emptyDir: + sizeLimit: 1Gi # -- Node selector for controller pods. nodeSelector: {} From 2d8c6bab2e7099f7b0d1dee84e7e8696be1c5a0b Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:14:50 -0600 Subject: [PATCH 12/19] Update charts/spark-operator-chart/values.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- charts/spark-operator-chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
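Review bot: The volumeMounts hunk changes the webhook's `nindent 10` to `8` and the volumes hunk `nindent 8` to `6`, but no test asserts the rendered `volumeMounts` or `volumes` for either deployment, so a wrong indent would only surface as a failed install — and since values.yaml now ships a volume by default, every install would hit it. I cannot see the surrounding template lines to verify that 8 and 6 match the container and pod-spec indentation, so a helm-unittest case is the right check, e.g. `- equal:`, `path: spec.template.spec.containers[0].volumeMounts[0].mountPath`, `value: /etc/k8s-webhook-server/serving-certs` for the webhook and `value: /tmp` for the controller, plus matching `volumes[0].name` assertions. The later co-authored patches only re-indent the `{{- toYaml ... }}` lines, which the `{{-` trim makes cosmetic, so the asserted output is what actually matters.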
diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 8206c747b..05c66bfd3 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -146,10 +146,10 @@ controller: # -- Volume mounts for controller containers. volumeMounts: - # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. - - name: tmp - mountPath: "/tmp" - readOnly: false + # Mount a tmp directory to write Spark artifacts to for deployed Spark apps. + - name: tmp + mountPath: "/tmp" + readOnly: false # -- Pod resource requests and limits for controller containers. # Note, that each job submission will spawn a JVM within the controller pods using "/usr/local/openjdk-11/bin/java -Xmx128m". From 6691cba7b7d7813b5f3938db894cb4eaddc4ac8b Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:15:05 -0600 Subject: [PATCH 13/19] Update charts/spark-operator-chart/values.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- charts/spark-operator-chart/values.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 05c66bfd3..7f8c1435b 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -302,11 +302,11 @@ webhook: # -- Volume mounts for webhook containers. volumeMounts: - # Mount a dir for the webhook to generate its certificates in. - - name: serving-certs - mountPath: /etc/k8s-webhook-server/serving-certs - subPath: serving-certs - readOnly: false + # Mount a dir for the webhook to generate its certificates in. + - name: serving-certs + mountPath: /etc/k8s-webhook-server/serving-certs + subPath: serving-certs + readOnly: false # -- Pod resource requests and limits for webhook pods. 
From 322714bdac4b865d640bb7b76dbd0528e7aaf01d Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:15:21 -0600 Subject: [PATCH 14/19] Update charts/spark-operator-chart/values.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- charts/spark-operator-chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 7f8c1435b..6b33fb23e 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -262,10 +262,10 @@ webhook: # -- Volumes for webhook pods. volumes: - # Create a dir for the webhook to generate its certificates in. - - name: serving-certs - emptyDir: - sizeLimit: 500Mi + # Create a dir for the webhook to generate its certificates in. + - name: serving-certs + emptyDir: + sizeLimit: 500Mi # -- Node selector for webhook pods. nodeSelector: {} From 49dd74cd5a946c4a58f9b594d293511ce3ad5849 Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:15:36 -0600 Subject: [PATCH 15/19] Update charts/spark-operator-chart/templates/controller/deployment.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- .../spark-operator-chart/templates/controller/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spark-operator-chart/templates/controller/deployment.yaml b/charts/spark-operator-chart/templates/controller/deployment.yaml index 5ec995d5b..c3684a329 100644 --- a/charts/spark-operator-chart/templates/controller/deployment.yaml +++ b/charts/spark-operator-chart/templates/controller/deployment.yaml 
@@ -124,7 +124,7 @@ spec: {{- end }} {{- with .Values.controller.volumeMounts }} volumeMounts: - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.controller.resources }} resources: From 0790a5ef66137ed57860e9e56ae739fc060c7bef Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:15:51 -0600 Subject: [PATCH 16/19] Update charts/spark-operator-chart/templates/controller/deployment.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- .../spark-operator-chart/templates/controller/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spark-operator-chart/templates/controller/deployment.yaml b/charts/spark-operator-chart/templates/controller/deployment.yaml index c3684a329..2a1fd5f19 100644 --- a/charts/spark-operator-chart/templates/controller/deployment.yaml +++ b/charts/spark-operator-chart/templates/controller/deployment.yaml @@ -153,7 +153,7 @@ spec: {{- end }} {{- with .Values.controller.volumes }} volumes: - {{- toYaml . | nindent 6 }} + {{- toYaml . | nindent 6 }} {{- end }} {{- with .Values.controller.nodeSelector }} nodeSelector: From a8a3fe8bf25f0a7159c1d38a882bdb1280ccc0d6 Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:16:02 -0600 Subject: [PATCH 17/19] Update charts/spark-operator-chart/templates/webhook/deployment.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- charts/spark-operator-chart/templates/webhook/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spark-operator-chart/templates/webhook/deployment.yaml b/charts/spark-operator-chart/templates/webhook/deployment.yaml index ff78f33c0..dead0d7c0 100644 --- a/charts/spark-operator-chart/templates/webhook/deployment.yaml 
+++ b/charts/spark-operator-chart/templates/webhook/deployment.yaml @@ -94,7 +94,7 @@ spec: {{- end }} {{- with .Values.webhook.volumeMounts }} volumeMounts: - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.webhook.resources }} resources: From df2247c1c01b41f997962ed29238dae0671e9510 Mon Sep 17 00:00:00 2001 From: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:16:11 -0600 Subject: [PATCH 18/19] Update charts/spark-operator-chart/templates/webhook/deployment.yaml Co-authored-by: Yi Chen Signed-off-by: Nicholas Gretzon <50811947+npgretz@users.noreply.github.com> --- charts/spark-operator-chart/templates/webhook/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spark-operator-chart/templates/webhook/deployment.yaml b/charts/spark-operator-chart/templates/webhook/deployment.yaml index dead0d7c0..e7026001c 100644 --- a/charts/spark-operator-chart/templates/webhook/deployment.yaml +++ b/charts/spark-operator-chart/templates/webhook/deployment.yaml @@ -123,7 +123,7 @@ spec: {{- end }} {{- with .Values.webhook.volumes }} volumes: - {{- toYaml . | nindent 6 }} + {{- toYaml . | nindent 6 }} {{- end }} {{- with .Values.webhook.nodeSelector }} nodeSelector: From 15978ba4ec8ecbb17e63a924c722a66468488850 Mon Sep 17 00:00:00 2001 From: Nick Gretzon Date: Wed, 6 Nov 2024 20:22:23 -0600 Subject: [PATCH 19/19] add additional securityContext to the controller deployment_test.yaml Signed-off-by: Nick Gretzon --- .../tests/controller/deployment_test.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/charts/spark-operator-chart/tests/controller/deployment_test.yaml b/charts/spark-operator-chart/tests/controller/deployment_test.yaml index 3606142ac..f22dd1e58 100644 --- a/charts/spark-operator-chart/tests/controller/deployment_test.yaml +++ b/charts/spark-operator-chart/tests/controller/deployment_test.yaml 
@@ -359,6 +359,12 @@ tests:
runAsUser: 1000
runAsGroup: 2000
fsGroup: 3000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ privileged: false
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext
@@ -367,6 +373,12 @@ tests:
runAsUser: 1000
runAsGroup: 2000
fsGroup: 3000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ privileged: false
- it: Should add sidecars if `controller.sidecars` is set
set: