This is an automated email from the ASF dual-hosted git repository.
pingsutw pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/submarine.git
The following commit(s) were added to refs/heads/master by this push:
new 5fb27924 SUBMARINE-1279. Fix securitycontext problems after importing
istio and changing training-operator
5fb27924 is described below
commit 5fb279241c5dc6971d9d62557bc9e7f1e8735493
Author: cdmikechen <cdmikec...@hotmail.com>
AuthorDate: Sat May 28 14:05:34 2022 +0800
SUBMARINE-1279. Fix securitycontext problems after importing istio and
changing training-operator
### What is this PR for?
Fix securitycontext problems after importing istio and changing
training-operator.
### What type of PR is it?
Bug Fix
### Todos
* [x] - Add NET_ADMIN or NET_RAW in PodSecurityPolicy
* [x] - Replace ClusterRoleBinding in rbac-kubeflow
* [x] - add a `patch` verbs in `events` resource
### What is the Jira issue?
https://issues.apache.org/jira/browse/SUBMARINE-1279
### How should this be tested?
Need to open PodSecurityPolicy option in minikube
### Screenshots (if appropriate)
No
### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need new documentation? No
Author: cdmikechen <cdmikec...@hotmail.com>
Signed-off-by: Kevin <pings...@apache.org>
Closes #964 from cdmikechen/SUBMARINE-1279 and squashes the following
commits:
11f823a3 [cdmikechen] Fix securitycontext problems after importing istio
and changing training-operator
---
.../notebook-controller/templates/cluster-role.yaml | 1 +
helm-charts/submarine/templates/psp.yaml | 5 ++++-
helm-charts/submarine/templates/rbac-kubeflow.yaml | 17 ++---------------
3 files changed, 7 insertions(+), 16 deletions(-)
diff --git
a/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml
b/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml
index bf7e9768..9f187425 100644
---
a/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml
+++
b/helm-charts/submarine/charts/notebook-controller/templates/cluster-role.yaml
@@ -51,6 +51,7 @@ rules:
- list
- watch
- create
+ - patch
- apiGroups:
- kubeflow.org
resources:
diff --git a/helm-charts/submarine/templates/psp.yaml
b/helm-charts/submarine/templates/psp.yaml
index dd6cf072..e7a3f337 100644
--- a/helm-charts/submarine/templates/psp.yaml
+++ b/helm-charts/submarine/templates/psp.yaml
@@ -21,7 +21,10 @@ apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
metadata:
name: submarine-anyuid
spec:
- privileged: false
+ privileged: true
+ allowedCapabilities:
+ - NET_ADMIN
+ - NET_RAW
volumes:
- configMap
- downwardAPI
diff --git a/helm-charts/submarine/templates/rbac-kubeflow.yaml
b/helm-charts/submarine/templates/rbac-kubeflow.yaml
index 00f0af33..9d26209f 100644
--- a/helm-charts/submarine/templates/rbac-kubeflow.yaml
+++ b/helm-charts/submarine/templates/rbac-kubeflow.yaml
@@ -44,27 +44,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: tf-job-operator-anyuid
+ name: training-operator-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubeflow-operator-anyuid
subjects:
- kind: ServiceAccount
- name: tf-job-operator
- namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: pytorch-operator-anyuid
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kubeflow-operator-anyuid
-subjects:
- - kind: ServiceAccount
- name: pytorch-operator
+ name: training-operator
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@submarine.apache.org
For additional commands, e-mail: dev-h...@submarine.apache.org
