Merge pull request #198 from FNNDSC/k8s-runasuser

runAsUser configurable by env var
FNNDSC · Feb 18, 2022 · d277e43 · d277e43
2 parents 87b68ae + 192e35f
commit d277e43
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 6 deletions.
diff --git a/README.rst b/README.rst
@@ -174,3 +174,18 @@ Assuming the docker container ID of pman is `$pman`, you can dump this log by
 .. code-block:: bash
 
     $> docker exec $pman cat /tmp/debug.log
+
+***************************
+Special Cases In Production
+***************************
+
+When using NFS for kubernetes volumes, it might be necessary to
+set the container user as someone with permissions to the NFS share.
+
+One solution is to use ``securityContext.runAsUser``. ``pman`` supports
+this option via environmental variables:
+
+.. code-block:: env
+
+    SECURITYCONTEXT_RUN_AS_USER=1234
+    SECURITYCONTEXT_RUN_AS_GROUP=5678
diff --git a/pman/config.py b/pman/config.py
@@ -41,6 +41,8 @@ def __init__(self):
 
         if self.CONTAINER_ENV == 'kubernetes':
             self.JOB_NAMESPACE = env('JOB_NAMESPACE', 'default')
+            self.SECURITYCONTEXT_RUN_AS_USER = env.int('SECURITYCONTEXT_RUN_AS_USER', None)
+            self.SECURITYCONTEXT_RUN_AS_GROUP = env.int('SECURITYCONTEXT_RUN_AS_GROUP', None)
 
         if self.CONTAINER_ENV == 'cromwell':
             self.CROMWELL_URL = env('CROMWELL_URL')

diff --git a/pman/kubernetesmgr.py b/pman/kubernetesmgr.py
@@ -121,15 +121,23 @@ def create_job(self, image, command, name, resources_dict, mountdir=None) -> V1J
                    k_client.V1EnvVar(name='NVIDIA_DRIVER_CAPABILITIES',
                                      value='compute,utility'),
                    k_client.V1EnvVar(name='NVIDIA_REQUIRE_CUDA', value='cuda>=9.0')],
+
+        security_context = {
+            'allow_privilege_escalation': False,
+            'capabilities': k_client.V1Capabilities(drop=['ALL'])
+        }
+
+        if self.config['SECURITYCONTEXT_RUN_AS_USER']:
+            security_context['run_as_user'] = self.config['SECURITYCONTEXT_RUN_AS_USER']
+        if self.config['SECURITYCONTEXT_RUN_AS_GROUP']:
+            security_context['run_as_group'] = self.config['SECURITYCONTEXT_RUN_AS_GROUP']
+
         container = k_client.V1Container(
             name=name,
             image=image,
             env=env,
             command=shlex.split(command),
-            security_context=k_client.V1SecurityContext(
-                allow_privilege_escalation=False,
-                capabilities=k_client.V1Capabilities(drop=['ALL'])
-            ),
+            security_context=k_client.V1SecurityContext(**security_context),
             resources=k_client.V1ResourceRequirements(limits=limits, requests=requests),
             volume_mounts=[k_client.V1VolumeMount(mount_path='/share',
                                                   name='storebase')]

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -1,5 +1,5 @@
-Flask==1.1.2
-Flask-RESTful==0.3.8
+Flask==1.1.4
+Flask-RESTful==0.3.9
 docker==4.4.4
 openshift==0.12.0
 kubernetes==12.0.1
@@ -9,3 +9,6 @@ environs==9.3.2
 emoji==1.2.0
 cromwell-tools==2.4.1
 pyserde==0.6.0
+
+# https://github.com/pallets/markupsafe/issues/284
+markupsafe>=1.1.1,<2.1.0