Closed DaMandal0rian closed 1 month ago
PR Description updated to latest commit (https://github.com/subspace/infra/commit/f45b7a9fa02ba8458694442e3c6553f1e676b32b)
⏱️ Estimated effort to review [1-5] | 4, because the PR involves multiple Kubernetes configurations across different resources such as ConfigMaps, StatefulSets, PVCs, and Services. Each of these configurations needs to be reviewed for correctness, security, and best practices in Kubernetes deployments. Additionally, the integration with AWS EBS requires scrutiny to ensure that there are no misconfigurations that could lead to performance issues or data loss. |
🧪 Relevant tests | No |
🔍 Possible issues | Possible Misconfiguration: The use of environment variables like `${DOCKER_TAG}` and `${POT_EXTERNAL_ENTROPY}` in the ConfigMap and StatefulSet configurations suggests a dependency on external configuration management. If these variables are not properly set in the environment where Kubernetes is running, it could lead to runtime errors or misconfigured deployments. |
🔒 Security concerns | No |
relevant file | kubernetes/devnet/base/farmer/archival-node-configmap.yaml |
suggestion | Consider adding validation for ConfigMap data fields to ensure that they are not empty. This can be done by using an admission controller or a custom operator that validates the configurations before they are applied to the cluster. This is important to prevent deployment of nodes with incomplete configurations, which could lead to failures in the network. [important] |
relevant line | DOCKER_TAG: "${DOCKER_TAG}" |
relevant file | kubernetes/devnet/base/farmer/archival-node.yaml |
suggestion | It's recommended to parameterize the `replicas` field in the StatefulSet configuration to allow easy scaling of nodes. This can be managed through external configuration or command-line arguments when deploying or updating the StatefulSet. [medium] |
relevant line | replicas: 1 |
relevant file | kubernetes/devnet/base/farmer/pvc.yaml |
suggestion | For the PersistentVolumeClaims, consider specifying a more detailed `accessModes` setting depending on the actual usage pattern of the nodes. If concurrent access from multiple nodes is not required, sticking to `ReadWriteOnce` is fine, but if you anticipate such a need, `ReadWriteMany` might be necessary. [medium] |
relevant line | accessModes: |
relevant file | kubernetes/devnet/base/farmer/service.yaml |
suggestion | Ensure that the service ports configuration aligns with the actual ports used by the applications within the pods. Misconfigured ports can lead to inaccessible services or security risks if unintended ports are exposed. [important] |
relevant line | port: 30333 |
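The two points the review raises above, unexpanded `${DOCKER_TAG}` / `${POT_EXTERNAL_ENTROPY}` placeholders and empty ConfigMap data fields, can both be caught by a pre-apply gate in the deploy pipeline rather than by an admission controller. The script below is an added example, not code from the PR or the review bot; the sample manifests it checks are constructed, and the file names are assumptions.

```shell
#!/bin/sh
# Pre-apply gate for rendered Kubernetes manifests (added example, not the
# PR's own code). Fails when a ${VAR} placeholder survived substitution, or
# when a ConfigMap "data:" entry has an empty value.
set -u

# check_manifest FILE -> returns 0 if clean, 1 otherwise, listing findings.
check_manifest() {
    file="$1"
    rc=0
    # 1. Leftover shell-style placeholders such as ${DOCKER_TAG} or
    #    ${POT_EXTERNAL_ENTROPY:-x}; Kubernetes never expands these itself.
    if grep -nE '\$\{[A-Za-z_][A-Za-z0-9_]*(:-[^}]*)?\}' "$file"; then
        echo "ERROR: unsubstituted placeholder(s) in $file" >&2
        rc=1
    fi
    # 2. Empty values inside a ConfigMap data: block (key: or key: "").
    if awk '
        /^data:[[:space:]]*$/            { indata = 1; next }
        indata && /^[^[:space:]]/        { indata = 0 }
        indata && /^[[:space:]]+[^[:space:]#][^:]*:/ {
            v = $0; sub(/^[^:]*:/, "", v); gsub(/[[:space:]]/, "", v)
            if (v == "" || v == "\"\"") { printf "%d:%s\n", NR, $0; found = 1 }
        }
        END { exit found ? 0 : 1 }' "$file"; then
        echo "ERROR: empty ConfigMap data value(s) in $file" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample manifests so the check runs offline (not from the PR).
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/bad.yaml" <<'EOF'
kind: ConfigMap
data:
  DOCKER_TAG: "${DOCKER_TAG}"
  POT_EXTERNAL_ENTROPY: ""
EOF
cat > "$WORKDIR/good.yaml" <<'EOF'
kind: ConfigMap
data:
  DOCKER_TAG: "v0.0.0-example"
  POT_EXTERNAL_ENTROPY: "constructed-entropy-value"
EOF
check_manifest "$WORKDIR/good.yaml" && echo "good.yaml: OK"
check_manifest "$WORKDIR/bad.yaml"  || echo "bad.yaml: rejected (exit 1)"
```

Run it on the output of `envsubst < manifest.yaml` (or `kustomize build`) before `kubectl apply`, so a missing variable fails the pipeline instead of reaching the cluster.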
Category | Suggestions |
Best practice |
Replace hardcoded user/group IDs in security contexts with more flexible security settings.___ **It is recommended to avoid using `runAsUser`, `runAsGroup`, and `fsGroup` with hardcoded user/group IDs for better flexibility and security practices. Instead, consider defining security contexts that do not require specific numeric IDs.** [kubernetes/devnet/base/farmer/archival-node.yaml [17-21]](https://github.com/subspace/infra/pull/309/files#diff-8c1afee90a6aa3bf92e3b493798326f18dc85aa438cbe649d25951fdcd2733e2R17-R21) ```diff securityContext: - fsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 ``` |
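Review bot: The diff removes `fsGroup: 1000` along with `runAsUser`/`runAsGroup`, which goes further than the stated goal of avoiding hardcoded IDs. On this StatefulSet the PVCs from pvc.yaml are mounted into the pod, and `fsGroup` is what gives the non-root process group ownership of that volume; dropping it can leave the archival node unable to write its data directory. Keep `runAsNonRoot: true` in any case, and if the numeric IDs are removed, confirm the image declares a non-root `USER`, since `runAsNonRoot` refuses to start a container whose image runs as root and no `runAsUser` overrides it.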
Security |
Validate or sanitize the ___ **The |
Enhancement |
Add default values or error handling for environment variables to prevent runtime errors.___ **The use of `$(POT_EXTERNAL_ENTROPY)` in the command arguments without any default or error handling could lead to failures if the variable is not set. Consider providing a default value or handling the case where it might not be set.** [kubernetes/devnet/base/farmer/archival-node.yaml [87-88]](https://github.com/subspace/infra/pull/309/files#diff-8c1afee90a6aa3bf92e3b493798326f18dc85aa438cbe649d25951fdcd2733e2R87-R88) ```diff - "--pot-external-entropy" -- "$(POT_EXTERNAL_ENTROPY)" +- "${POT_EXTERNAL_ENTROPY:-default_entropy_value}" ``` |
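Review bot: The replacement line `"${POT_EXTERNAL_ENTROPY:-default_entropy_value}"` will not behave as the suggestion describes. Kubernetes expands only the `$(VAR)` form in `command`/`args`, from the container's `env` entries; the `${VAR:-default}` syntax is shell syntax and is passed to the binary verbatim unless the entrypoint is run through a shell. The existing `$(POT_EXTERNAL_ENTROPY)` already has defined behaviour when the variable is unset (the reference is left unchanged), so the right place for a fallback is the `env`/ConfigMap side, or better, a pre-apply check that fails when the value is missing. Baking a fixed `default_entropy_value` into the manifest is also the wrong default for an external entropy input: a predictable, shared fallback is worse than failing fast. Minor: the first line `- "--pot-external-entropy"` is unchanged context rather than a removal, and the `--`/`+-` prefixes ran together in rendering, so re-read the hunk before applying it.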
Type | Enhancement
Description | Changes walkthrough
archival-node-configmap.yaml | Add ConfigMap for Archival Nodes | kubernetes/devnet/base/farmer/archival-node-configmap.yaml | identifiers.
farmer-node-configmap.yaml | Add ConfigMap for Farmer Nodes | kubernetes/devnet/base/farmer/farmer-node-configmap.yaml | node configurations.
pvc.yaml | Define PVCs for Nodes | kubernetes/devnet/base/farmer/pvc.yaml | specific storage requirements.
service.yaml | Configure Network Service for Farmer Node | kubernetes/devnet/base/farmer/service.yaml | for the farmer node.
storageclass-aws.yaml | Setup AWS EBS StorageClass | kubernetes/devnet/base/farmer/storageclass-aws.yaml | policies.
archival-node.yaml | Setup StatefulSet for Archival Node | kubernetes/devnet/base/farmer/archival-node.yaml | specifications. archival node. operations.