This is an automated email from the ASF dual-hosted git repository. pingsutw pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/submarine.git
The following commit(s) were added to refs/heads/master by this push: new 5fb27924 SUBMARINE-1279. Fix securitycontext problems after importing istio and changing training-operator 5fb27924 is described below commit 5fb279241c5dc6971d9d62557bc9e7f1e8735493 Author: cdmikechen <cdmikec...@hotmail.com> AuthorDate: Sat May 28 14:05:34 2022 +0800 SUBMARINE-1279. Fix securitycontext problems after importing istio and changing training-operator ### What is this PR for? Fix securitycontext problems after importing istio and changing training-operator. ### What type of PR is it? Bug Fix ### Todos * [x] - Add NET_ADMIN or NET_RAW in PodSecurityPolicy * [x] - Replace ClusterRoleBinding in rbac-kubeflow * [x] - add a `patch` verbs in `events` resource ### What is the Jira issue? https://issues.apache.org/jira/browse/SUBMARINE-1279 ### How should this be tested? Need to open PodSecurityPolicy option in minikube ### Screenshots (if appropriate) No ### Questions: * Do the license files need updating? No * Are there breaking changes for older versions? No * Does this need new documentation? No Author: cdmikechen <cdmikec...@hotmail.com> Signed-off-by: Kevin <pings...@apache.org> Closes #964 from cdmikechen/SUBMARINE-1279 and squashes the following commits: 11f823a3 [cdmikechen] Fix securitycontext problems after importing istio and changing training-operator --- .../notebook-controller/templates/cluster-role.yaml | 1 + helm-charts/submarine/templates/psp.yaml | 5 ++++- helm-charts/submarine/templates/rbac-kubeflow.yaml | 17 ++--------------- 3 files changed, 7 insertions(+), 16 deletions(-) diff --git a/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml b/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml index bf7e9768..9f187425 100644 --- a/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml +++ b/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml 
@@ -51,6 +51,7 @@ rules: - list - watch - create + - patch - apiGroups: - kubeflow.org resources: diff --git a/helm-charts/submarine/templates/psp.yaml b/helm-charts/submarine/templates/psp.yaml index dd6cf072..e7a3f337 100644 --- a/helm-charts/submarine/templates/psp.yaml +++ b/helm-charts/submarine/templates/psp.yaml @@ -21,7 +21,10 @@ apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} metadata: name: submarine-anyuid spec: - privileged: false + privileged: true + allowedCapabilities: + - NET_ADMIN + - NET_RAW volumes: - configMap - downwardAPI diff --git a/helm-charts/submarine/templates/rbac-kubeflow.yaml b/helm-charts/submarine/templates/rbac-kubeflow.yaml index 00f0af33..9d26209f 100644 --- a/helm-charts/submarine/templates/rbac-kubeflow.yaml +++ b/helm-charts/submarine/templates/rbac-kubeflow.yaml @@ -44,27 +44,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: tf-job-operator-anyuid + name: training-operator-anyuid roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubeflow-operator-anyuid subjects: - kind: ServiceAccount - name: tf-job-operator - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: pytorch-operator-anyuid -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubeflow-operator-anyuid -subjects: - - kind: ServiceAccount - name: pytorch-operator + name: training-operator namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@submarine.apache.org For additional commands, e-mail: dev-h...@submarine.apache.org
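Review bot: In helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml, the added `- patch` sits in a rule whose `resources` list is outside the hunk context, so the diff alone does not show what becomes patchable. The commit message says the verb is meant for `events`. Please confirm that this rule lists only `events`. If it carries other resources, split `events` into its own rule so that `patch` is not granted more widely than intended.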
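Review bot: In helm-charts/submarine/templates/psp.yaml, `privileged: false` becomes `privileged: true` in the same hunk that adds `allowedCapabilities` with `NET_ADMIN` and `NET_RAW`, while the commit message's todo list mentions only the capabilities. A privileged container already holds every capability, so once the policy permits privileged mode the two-entry list no longer limits anything, and any pod admitted under `submarine-anyuid` may request a privileged container. If the two capabilities are all that is required, keep `privileged: false` and add only the `allowedCapabilities` entries. If privileged mode is really needed, state the reason in the commit message and consider a separate policy bound only to the service accounts that need it.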
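Review bot: In helm-charts/submarine/templates/rbac-kubeflow.yaml, the subject is now the `training-operator` ServiceAccount in `{{ .Release.Namespace }}`, but nothing in this patch shows that the account is created under that name and in that namespace. A ClusterRoleBinding to a nonexistent subject is accepted by the API server and grants nothing, so a name mismatch would surface only at runtime; please point to the chart template that creates the account. Because this binding gives the account `kubeflow-operator-anyuid`, the PR should also state whether that role covers the `submarine-anyuid` policy that the psp.yaml hunk switches to `privileged: true`.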