Status: Closed as not planned

Labels: kind/good-first-issue (denotes an issue ready for a new contributor), lifecycle/stale (denotes an issue or PR that has remained open with no activity and has become stale)
Description

It would be nice to be able to set the pod security context in `func.yaml`. I ran into this when I was trying to mount a PVC, and I could not write to the PVC. After a lot of digging, I found that I needed to set `fsGroup` like this:

```shell
kubectl patch services.serving/<name> --type merge \
  -p '{"spec": {"template": {"spec": {"securityContext": {"fsGroup":1000}}}}}'
```

This is because the default group is 1000 (I used golang's `os/user` to find it). I would prefer to be able to set that from `func.yaml`, or have that set automatically to some sane default.
Current `func.yaml`:

```yaml
specVersion: 0.35.0
name: consumer
runtime: go
registry: <redacted>
image: <redacted>
imageDigest: <redacted>
created: 2023-12-13T00:39:05.888786906-05:00
build:
  builder: pack
run:
  volumes:
  - persistentVolumeClaim:
      claimName: knative-pc-cephfs
    path: /files
deploy:
  namespace: default
```
Here's the currently generated service. You can see that no `securityContext` data is in the podspec (only the container-level one):

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    dapr.io/app-id: consumer
    dapr.io/app-port: "8080"
    dapr.io/enable-api-logging: "true"
    dapr.io/enabled: "true"
    dapr.io/metrics-port: "9092"
    serving.knative.dev/creator: kubernetes-admin
    serving.knative.dev/lastModifier: kubernetes-admin
  creationTimestamp: "2023-12-20T05:20:10Z"
  generation: 1
  labels:
    boson.dev/function: "true"
    boson.dev/runtime: go
    function.knative.dev: "true"
    function.knative.dev/name: consumer
    function.knative.dev/runtime: go
  name: consumer
  namespace: default
  resourceVersion: "11510806"
  uid: ...
spec:
  template:
    metadata:
      annotations:
        dapr.io/app-id: consumer
        dapr.io/app-port: "8080"
        dapr.io/enable-api-logging: "true"
        dapr.io/enabled: "true"
        dapr.io/metrics-port: "9092"
      creationTimestamp: null
      labels:
        boson.dev/function: "true"
        boson.dev/runtime: go
        function.knative.dev: "true"
        function.knative.dev/name: consumer
        function.knative.dev/runtime: go
    spec:
      containerConcurrency: 0
      containers:
      - env:
        - name: BUILT
          value: 20231220T002010
        - name: ADDRESS
          value: 0.0.0.0
        image: <redacted>
        livenessProbe:
          httpGet:
            path: /health/liveness
            port: 0
        name: user-container
        readinessProbe:
          httpGet:
            path: /health/readiness
            port: 0
          successThreshold: 1
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /files
          name: pvc-knative-pc-cephfs
      enableServiceLinks: false
      timeoutSeconds: 300
      volumes:
      - name: pvc-knative-pc-cephfs
        persistentVolumeClaim:
          claimName: knative-pc-cephfs
  traffic:
  - latestRevision: true
    percent: 100
```
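The following is an added example, not code from the issue author or the func project. It shows the check a reviewer would want before and after the `kubectl patch` above: find PVC-backed volumes that a container mounts while the pod has no `fsGroup`, build the same JSON merge patch the command sends, and simulate the merge locally (a minimal RFC 7386 implementation) to confirm the pod-level `securityContext` is added without disturbing the container-level hardening that func already emits (`runAsNonRoot`, dropped capabilities, seccomp). The sample service is constructed to mirror the generated Service shown in the issue; names such as `pvc_mounts_without_fsgroup` are this example's own.

```python
"""Added example (not part of the original issue or the func project):
inspect a Knative Service for a pod-level securityContext and build the
JSON merge patch that the kubectl command in the issue applies."""
import json
from copy import deepcopy

# Constructed sample: the relevant parts of the generated Service in the issue.
SAMPLE_SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "consumer", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "user-container",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]},
                            "runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"},
                        },
                        "volumeMounts": [
                            {"mountPath": "/files", "name": "pvc-knative-pc-cephfs"}
                        ],
                    }
                ],
                "volumes": [
                    {
                        "name": "pvc-knative-pc-cephfs",
                        "persistentVolumeClaim": {"claimName": "knative-pc-cephfs"},
                    }
                ],
            }
        }
    },
}


def pod_security_context(service: dict) -> dict:
    """Pod-level securityContext of the revision template ({} when unset)."""
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("securityContext") or {}


def pvc_mounts_without_fsgroup(service: dict) -> list:
    """Names of PVC-backed volumes mounted by a container while the pod sets
    no fsGroup. These are the mounts a non-root process cannot write to when
    its primary GID does not own the volume's files (the symptom in the issue)."""
    if "fsGroup" in pod_security_context(service):
        return []
    pod = service["spec"]["template"]["spec"]
    pvc_names = {v["name"] for v in pod.get("volumes", []) if "persistentVolumeClaim" in v}
    mounted = []
    for container in pod.get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in pvc_names:
                mounted.append(mount["name"])
    return mounted


def fsgroup_merge_patch(fsgroup: int) -> str:
    """The -p argument of `kubectl patch --type merge` from the issue."""
    patch = {"spec": {"template": {"spec": {"securityContext": {"fsGroup": fsgroup}}}}}
    return json.dumps(patch, separators=(",", ":"))


def apply_merge_patch(target, patch):
    """Minimal RFC 7386 JSON merge patch: objects merge recursively, lists and
    scalars are replaced, null deletes a key. Returns a new object."""
    if not isinstance(patch, dict):
        return deepcopy(patch)
    result = deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = apply_merge_patch(result.get(key), value)
    return result


def patched_service(service: dict, fsgroup: int) -> dict:
    """Simulate the kubectl merge patch locally so the result can be reviewed
    before the change is applied to the cluster."""
    return apply_merge_patch(service, json.loads(fsgroup_merge_patch(fsgroup)))


if __name__ == "__main__":
    print("PVC mounts lacking fsGroup:", pvc_mounts_without_fsgroup(SAMPLE_SERVICE))
    after = patched_service(SAMPLE_SERVICE, 1000)
    print("pod securityContext after patch:", pod_security_context(after))
```

Because a merge patch only touches the keys it names, the container's own `securityContext` (dropped capabilities, `runAsNonRoot`, seccomp profile) survives the patch untouched; running the check again on the patched object reports no unwritable PVC mounts.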