From 802a39fce3f201789327aabe053bcc510b9be339 Mon Sep 17 00:00:00 2001
From: Stanislav Simovski
Date: Thu, 1 Apr 2021 20:01:27 +0300
Subject: [PATCH 1/2] Helm: no running as root by default

---
 helm/superset/templates/_helpers.tpl | 13 --------
 helm/superset/templates/deployment-beat.yaml | 2 +-
 .../superset/templates/deployment-worker.yaml | 2 +-
 helm/superset/templates/deployment.yaml | 4 +--
 helm/superset/templates/init-job.yaml | 4 ++-
 .../templates/secret-superset-config.yaml | 2 +-
 helm/superset/values.yaml | 32 +++++++++++++------
 7 files changed, 31 insertions(+), 28 deletions(-)

diff --git a/helm/superset/templates/_helpers.tpl b/helm/superset/templates/_helpers.tpl
index 67496aae16a2f..cb9735730a873 100644
--- a/helm/superset/templates/_helpers.tpl
+++ b/helm/superset/templates/_helpers.tpl
@@ -49,19 +49,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
-{{- define "superset-bootstrap" -}}
-#!/bin/sh
-{{ if .Values.additionalAptPackages }}
-apt-get update -y \
- && apt-get install -y --no-install-recommends \
- {{ range .Values.additionalAptPackages }}{{ . }} {{ end }}\
- && rm -rf /var/lib/apt/lists/*
-{{ end -}}
-{{ if .Values.additionalRequirements }}
-pip install {{ range .Values.additionalRequirements }}{{ . }} {{ end }}
-{{ end -}}
-{{ end -}}
-
 {{- define "superset-config" }}
 import os
 from cachelib.redis import RedisCache
diff --git a/helm/superset/templates/deployment-beat.yaml b/helm/superset/templates/deployment-beat.yaml
index e926b0abf84dd..714d5f45b25cd 100644
--- a/helm/superset/templates/deployment-beat.yaml
+++ b/helm/superset/templates/deployment-beat.yaml
@@ -49,7 +49,7 @@ spec:
 release: {{ .Release.Name }}
 spec:
 securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in bootstrap
+ runAsUser: {{ .Values.runAsUser }}
 {{- if .Values.supersetCeleryBeat.initContainers }}
 initContainers:
 {{- tpl (toYaml .Values.supersetCeleryBeat.initContainers) . | nindent 6 }}
diff --git a/helm/superset/templates/deployment-worker.yaml b/helm/superset/templates/deployment-worker.yaml
index f89c98c943750..4cf5034423c50 100644
--- a/helm/superset/templates/deployment-worker.yaml
+++ b/helm/superset/templates/deployment-worker.yaml
@@ -47,7 +47,7 @@ spec:
 release: {{ .Release.Name }}
 spec:
 securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in bootstrap
+ runAsUser: {{ .Values.runAsUser }}
 {{- if .Values.supersetWorker.initContainers }}
 initContainers:
 {{- tpl (toYaml .Values.supersetWorker.initContainers) . | nindent 6 }}
diff --git a/helm/superset/templates/deployment.yaml b/helm/superset/templates/deployment.yaml
index efeea096abb38..456d33046fc40 100644
--- a/helm/superset/templates/deployment.yaml
+++ b/helm/superset/templates/deployment.yaml
@@ -35,7 +35,7 @@ spec:
 # Force reload on config changes
 checksum/superset_config.py: {{ include "superset-config" . | sha256sum }}
 checksum/superset_init.sh: {{ tpl .Values.init.initscript . | sha256sum }}
- checksum/superset_bootstrap.sh: {{ include "superset-bootstrap" . | sha256sum }}
+ checksum/superset_bootstrap.sh: {{ tpl .Values.bootstrapScript . | sha256sum }}
 checksum/connections: {{ .Values.supersetNode.connections | toYaml | sha256sum }}
 checksum/extraConfigs: {{ .Values.extraConfigs | toYaml | sha256sum }}
 checksum/extraSecrets: {{ .Values.extraSecrets | toYaml | sha256sum }}
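Review bot: The pod `securityContext` in this hunk carries only `runAsUser`, so any container in the pod that sets its own `runAsUser: 0` — for example one of the operator-supplied `initContainers` rendered just below it — still runs as root with nothing checking that. When the configured UID is non-zero the template could also emit `runAsNonRoot: true`, which the kubelet enforces for every container in the pod: `{{- if ne (int .Values.runAsUser) 0 }}` / `runAsNonRoot: true` / `{{- end }}` directly after the `runAsUser` line. The same one-line replacement is made in deployment-worker.yaml, deployment.yaml (@@ -50) and init-job.yaml (@@ -28), and this applies to all four. The removed inline comment explaining why root was required is now only recoverable from values.yaml, so a pointer such as `# UID and bootstrap script are configured via runAsUser / bootstrapScript in values.yaml` would help the next maintainer.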
@@ -50,7 +50,7 @@ spec:
 release: {{ .Release.Name }}
 spec:
 securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in bootstrap
+ runAsUser: {{ .Values.runAsUser }}
 {{- if .Values.supersetNode.initContainers }}
 initContainers:
 {{- tpl (toYaml .Values.supersetNode.initContainers) . | nindent 6 }}
diff --git a/helm/superset/templates/init-job.yaml b/helm/superset/templates/init-job.yaml
index 4645fcc64be15..9a4530d3c8ee2 100644
--- a/helm/superset/templates/init-job.yaml
+++ b/helm/superset/templates/init-job.yaml
@@ -28,7 +28,7 @@ spec:
 name: {{ template "superset.name" . }}-init-db
 spec:
 securityContext:
- runAsUser: 0 # Needed in order to allow pip install to work in bootstrap
+ runAsUser: {{ .Values.runAsUser }}
 {{- if .Values.init.initContainers }}
 initContainers:
 {{- tpl (toYaml .Values.init.initContainers) . | nindent 6 }}
@@ -57,6 +57,8 @@ spec:
 readOnly: true
 {{- end }}
 command: {{ tpl (toJson .Values.init.command) . }}
+ resources:
+{{ toYaml .Values.init.resources | indent 10 }}
 volumes:
 - name: superset-config
 secret:
diff --git a/helm/superset/templates/secret-superset-config.yaml b/helm/superset/templates/secret-superset-config.yaml
index d8bd4f7ae7c0e..2f37da831100d 100644
--- a/helm/superset/templates/secret-superset-config.yaml
+++ b/helm/superset/templates/secret-superset-config.yaml
@@ -30,7 +30,7 @@ stringData:
 superset_init.sh: |
 {{- tpl .Values.init.initscript . | nindent 4 }}
 superset_bootstrap.sh: |
-{{- include "superset-bootstrap" . | nindent 4 }}
+{{- tpl .Values.bootstrapScript . | nindent 4 }}
 {{- if .Values.extraSecrets }}
 {{- range $path, $config := .Values.extraSecrets }}
diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml
index 19a6d799c4e17..58cf6c495051d 100644
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
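Review bot: `tpl .Values.bootstrapScript .` in the secret-superset-config.yaml hunk evaluates the operator's shell script as a Go template, so any literal `{{`/`}}` in the script (common in `awk` programs or `docker`-style format strings) is parsed by Helm and breaks the render rather than reaching the container. That is consistent with how `init.initscript` is treated on the line above, but it is not documented anywhere: suggest a comment next to `bootstrapScript` in values.yaml such as `# Rendered with tpl: Helm template syntax is evaluated, write a literal {{ as {{ "{{" }}`. The `checksum/superset_bootstrap.sh` annotation in deployment.yaml (@@ -35) uses the same expression, so both render or fail together; if an operator sets `bootstrapScript` to null, `tpl` presumably receives a non-string and the render fails — worth confirming and, if so, guarding with `default ""`.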
@@ -21,15 +21,19 @@ replicaCount: 1
-## These requirements are used to build a requirements file which is then applied on init
-## of superset containers
-additionalRequirements:
- - "psycopg2==2.8.5"
- - "redis==3.2.1"
-
-## These apt packages are applied on init of superset containers
-additionalAptPackages: {}
- # - nano
+# User ID directive
+# Note that this user must have appropriate permissions to run the bootstrap script
+runAsUser: 1000
+
+# Install additional packages and do any other bootstrap configuration in this script
+# For production clusters it's recommended to build own image with this step done in CI
+bootstrapScript: |
+ #!/bin/bash
+ # apt-get update -y &&\
+ # apt-get install -y --no-install-recommends nano &&\
+ # rm -rf /var/lib/apt/lists/*
+ # pip install psycopg2==2.8.5 redis==3.2.1
+ if [ ! -f ~/bootstrap ]; then echo "Running Superset with uid {{ .Values.runAsUser }}" > ~/bootstrap; fi
 ## The name of the secret which we will use to generate a superset_config.py file
 ## Note: this secret must have the key superset_config.py in it and can include other files as well
@@ -198,6 +202,16 @@ supersetCeleryBeat:
 ##
 ## Init job configuration
 init:
+ # Configure resources
+ # Warning: fab commant consumes a lot of ram and can
+ # cause the process to be killed due to OOM if it exceeds limit
+ resources: {}
+ # limits:
+ # cpu:
+ # memory:
+ # requests:
+ # cpu:
+ # memory:
 command:
 - "/bin/sh"
 - "-c"

From 2d15c1aa0ab526c2ee6747392bad0111c0270345 Mon Sep 17 00:00:00 2001
From: Stanislav Simovski
Date: Fri, 2 Apr 2021 14:37:34 +0300
Subject: [PATCH 2/2] Maintain for backwards compatibility

Reverted uid and script to work same way as they previously did to maintain backwards compatibility. Added clarification in comments that this is not a recommended production configuration.
---
 helm/superset/values.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
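Review bot: The script under `bootstrapScript:` has no `set -e`, so once the commented `apt-get`/`pip install` lines are enabled a failure in them is masked: the script's exit status is that of the trailing `if`, which always succeeds, and the container starts without the packages it expected. Add `set -e` directly after `#!/bin/bash`. The shebang also changes from the deleted helper's `#!/bin/sh` to `#!/bin/bash`, which assumes bash is present in the image — presumably true for the Superset image, but worth stating in the comment. The `~/bootstrap` marker is only ever written, never checked to skip the install steps, and `~` resolves via `HOME`, which may not be writable for a numeric `runAsUser` without a passwd entry; either document the marker as a log of the effective UID or drop it.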
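Review bot: The comment above `resources: {}` in the `init:` hunk has a typo and reads awkwardly; suggest `# Warning: the fab command consumes a lot of RAM and the init job can be OOM-killed if it exceeds its memory limit`. With the default `{}` the job has no request or limit at all, so the warning only becomes relevant once an operator sets `limits.memory`; the comment could say that `limits.memory` should be sized generously rather than omitted. The commented `limits`/`requests` keys would also read better with a one-line hint that they sit under `resources`.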
diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml
index 58cf6c495051d..d927c3d6b3765 100644
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -21,18 +21,18 @@ replicaCount: 1
-# User ID directive
-# Note that this user must have appropriate permissions to run the bootstrap script
-runAsUser: 1000
+# User ID directive. This user must have enough permissions to run the bootstrap script
+# Runn containers as root is not recommended in production. Change this to another UID - e.g. 1000 to be more secure
+runAsUser: 0
 # Install additional packages and do any other bootstrap configuration in this script
 # For production clusters it's recommended to build own image with this step done in CI
 bootstrapScript: |
 #!/bin/bash
- # apt-get update -y &&\
- # apt-get install -y --no-install-recommends nano &&\
- # rm -rf /var/lib/apt/lists/*
- # pip install psycopg2==2.8.5 redis==3.2.1
+ apt-get update -y &&\
+ apt-get install -y --no-install-recommends nano &&\
+ rm -rf /var/lib/apt/lists/*
+ pip install psycopg2==2.8.5 redis==3.2.1
 if [ ! -f ~/bootstrap ]; then echo "Running Superset with uid {{ .Values.runAsUser }}" > ~/bootstrap; fi
 ## The name of the secret which we will use to generate a superset_config.py file
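Review bot: With `runAsUser: 0` restored and the `apt-get`/`pip install` lines made active, the default chart fetches and installs packages from the network as root — presumably on every container start, given the old inline comment about pip in bootstrap — and every pod type (node, worker, beat and the init job) reads this same `runAsUser`, which is exactly the configuration the new comment discourages. The comment also under-states the coupling: changing only `runAsUser` to a non-root UID makes the `apt-get` lines in this script fail, since they cannot succeed as a non-root user, so a non-root deployment must also remove those lines or bake the packages into the image. Suggest replacing the second comment line with `# Running containers as root is not recommended in production. If you change this to a non-root UID (e.g. 1000), also remove the apt-get/pip lines from bootstrapScript or bake those packages into your own image`, which fixes the `Runn` typo as well. The apt package is installed unpinned and the pip packages without hashes, so the code executed at pod start is not fixed by the chart version; worth saying next to the "build own image" recommendation.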