
jobs-api: introduce securityContext in the pod template

Arturo Borrero Gonzalez requested to merge arturo-58-jobs-api-introduce-s into main

Introduce a stricter pod template by including an explicit securityContext to limit what a pod can and cannot do.

This is part of the PSP migration. This will help us later when we start enforcing that these values are always present for user-defined workloads.

Anyway, the Kubernetes defaults for these values may or may not be what we are expecting, so setting them explicitly should be fine even if not part of the PSP migration.

This includes a new getent syscall every time a job is instantiated within the API webservice. Because of the new nsswitch config, this getent call will be done via the sssd socket, which will hit the hostpath mount, and then the k8s worker node sssd daemon, then LDAP.

Bug: T362050
Signed-off-by: Arturo Borrero Gonzalez <aborrero@wikimedia.org>
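An added example, not code from this merge request or from jobs-api: one way to build an explicit securityContext from an NSS account lookup and to check that a pod spec sets every value instead of relying on cluster defaults. The function names, the chosen field set and the sample account are assumptions; the description above does not list which fields the change sets.

```python
import pwd
from typing import Callable, NamedTuple

class Account(NamedTuple):
    uid: int
    gid: int

def nss_lookup(name: str) -> Account:
    """Resolve an account through NSS, the same path `getent passwd` takes
    (with sssd in nsswitch.conf this goes over the sssd socket to LDAP)."""
    entry = pwd.getpwnam(name)  # KeyError if the directory has no such user
    return Account(entry.pw_uid, entry.pw_gid)

# Assumed field set: standard Kubernetes securityContext keys, chosen here.
REQUIRED_POD = ("runAsUser", "runAsGroup", "fsGroup", "runAsNonRoot",
                "seccompProfile")
REQUIRED_CONTAINER = ("allowPrivilegeEscalation", "privileged",
                      "capabilities", "runAsNonRoot")

def build_security_context(name: str,
                           lookup: Callable[[str], Account] = nss_lookup):
    """Return (pod-level, container-level) securityContext dicts for `name`."""
    account = lookup(name)
    if account.uid == 0 or account.gid == 0:
        # Fail closed: never emit a template that runs a workload as root.
        raise ValueError(f"{name} resolves to uid/gid 0")
    pod_ctx = {
        "runAsUser": account.uid,
        "runAsGroup": account.gid,
        "fsGroup": account.gid,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    container_ctx = {
        "allowPrivilegeEscalation": False,
        "privileged": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
    }
    return pod_ctx, container_ctx

def missing_fields(pod_spec: dict) -> list:
    """List the required fields a pod spec leaves to cluster defaults."""
    pod_ctx = pod_spec.get("securityContext") or {}
    missing = [f"spec.securityContext.{key}"
               for key in REQUIRED_POD if key not in pod_ctx]
    for container in pod_spec.get("containers", []):
        ctx = container.get("securityContext") or {}
        missing += [f"containers[{container.get('name')}].securityContext.{key}"
                    for key in REQUIRED_CONTAINER if key not in ctx]
    return missing
```

Because `lookup` is injectable, the template logic can be tested without a live sssd or LDAP backend, and a failed directory lookup surfaces as an exception instead of a pod created with default identity.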
