SeldonIO / seldon-core

An MLOps framework to package, deploy, monitor and manage thousands of production machine learning models
https://www.seldon.io/tech/products/core/

Set allowPrivilegeEscalation=false in executor #4409

Closed wumbrath closed 2 years ago

wumbrath commented 2 years ago

To be able to run Seldon in more restricted environments we need the executor container to have the securityContext.allowPrivilegeEscalation set to false.

Currently no value is set and, according to the Kubernetes documentation, the default value is not clearly specified. As a consequence some policies are blocking model deployments (like the privilege escalation one in Azure AKS).

As the container does not need privilege escalation it could have the property set here or allow the user to configure it via svcOrch.

Winfried Umbrath winfried.umbrath@mercedes-benz.com, Mercedes-Benz Tech Innovation GmbH, imprint
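The tri-state behaviour the issue describes (unset versus explicitly `false`) is easy to get wrong when the field is a `*bool`. The following is an added example, not code from the seldon-core operator: it mirrors the `allowPrivilegeEscalation` field of a Kubernetes container `securityContext` with local Go types (the real `corev1` structs are not imported; the type names, the `NonCompliant` and `EnsureNoPrivilegeEscalation` helpers, and the container JSON are all constructed for illustration). `NonCompliant` treats an unset value the same way a restrictive admission policy does, and `EnsureNoPrivilegeEscalation` pins the value to `false` without disturbing other fields.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecurityContext mirrors the fields of corev1.SecurityContext relevant here.
// *bool keeps the Kubernetes tri-state: nil means "not set", which is the
// case the issue is about. Local type for illustration, not the k8s.io/api one.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
	RunAsNonRoot             *bool `json:"runAsNonRoot,omitempty"`
}

// Container mirrors the subset of corev1.Container used in this example.
type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

// boolPtr returns a pointer to b, as *bool fields require.
func boolPtr(b bool) *bool { return &b }

// EnsureNoPrivilegeEscalation pins allowPrivilegeEscalation to false on c,
// creating the securityContext if it is absent. Other fields are untouched.
func EnsureNoPrivilegeEscalation(c *Container) {
	if c.SecurityContext == nil {
		c.SecurityContext = &SecurityContext{}
	}
	c.SecurityContext.AllowPrivilegeEscalation = boolPtr(false)
}

// NonCompliant returns the names of containers that do not explicitly set
// allowPrivilegeEscalation=false. An unset value counts as non-compliant,
// which is how a restrictive admission policy evaluates it.
func NonCompliant(containers []Container) []string {
	var out []string
	for _, c := range containers {
		sc := c.SecurityContext
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name)
		}
	}
	return out
}

// HardenAll applies EnsureNoPrivilegeEscalation to every container in place
// and returns the slice for convenience.
func HardenAll(containers []Container) []Container {
	for i := range containers {
		EnsureNoPrivilegeEscalation(&containers[i])
	}
	return containers
}

// LoadContainers parses a JSON array of containers as found under
// spec.containers in a pod manifest.
func LoadContainers(raw string) ([]Container, error) {
	var cs []Container
	if err := json.Unmarshal([]byte(raw), &cs); err != nil {
		return nil, err
	}
	return cs, nil
}

// Constructed sample (image tags are placeholders): the executor container has
// no securityContext at all, the model container sets the field explicitly,
// and a third container sets it to true so the audit flags both failure modes.
const sampleContainers = `[
  {"name": "seldon-container-engine", "image": "executor-image:PLACEHOLDER"},
  {"name": "classifier", "image": "model-image:PLACEHOLDER",
   "securityContext": {"allowPrivilegeEscalation": false}},
  {"name": "sidecar", "image": "sidecar-image:PLACEHOLDER",
   "securityContext": {"allowPrivilegeEscalation": true}}
]`

func main() {
	cs, err := LoadContainers(sampleContainers)
	if err != nil {
		panic(err)
	}
	fmt.Println("non-compliant before:", NonCompliant(cs))
	cs = HardenAll(cs)
	fmt.Println("non-compliant after: ", NonCompliant(cs))
	out, _ := json.MarshalIndent(cs, "", "  ")
	fmt.Println(string(out))
}
```

Because `omitempty` drops a nil pointer, a container whose `securityContext` was never set serialises without the key, and a policy that requires an explicit `false` rejects it; only the pinned value survives a round trip through the API server.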

ukclivecox commented 2 years ago

This seems the place that needs to be configurable: https://github.com/SeldonIO/seldon-core/blob/685fe3d4691cf63ee9978aea5662911f3e7cefbe/operator/controllers/seldondeployment_engine.go#L339-L341

wumbrath commented 2 years ago

Yes, or just set to false, as the container does not need the privilege escalation.

ukclivecox commented 2 years ago

Could you do a PR for this? It would be much appreciated.

wumbrath commented 2 years ago

I'll try to find some time for it next week.