Helm chart: Add readOnlyRootFilesystem to securityContext

Added readOnlyRootFilesystem to default securityContext to all helm charts. Releated to issue #129. Signed-off-by: Lianhao Lu <[email protected]>
opea-project · Jul 5, 2024 · 9367a9c · 9367a9c
1 parent 8ffc3bc
commit 9367a9c
Show file tree

Hide file tree

Showing 25 changed files with 80 additions and 2 deletions.
diff --git a/helm-charts/chatqna/gaudi-values.yaml b/helm-charts/chatqna/gaudi-values.yaml
@@ -19,6 +19,7 @@ service:
   port: 8888
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/chatqna/templates/deployment.yaml b/helm-charts/chatqna/templates/deployment.yaml
@@ -42,6 +42,9 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
           ports:
             - name: chatqna
               containerPort: {{ .Values.port }}
@@ -64,6 +67,9 @@ spec:
                 #              port: {{ .Values.port }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/chatqna/values.yaml b/helm-charts/chatqna/values.yaml
@@ -19,6 +19,7 @@ service:
   port: 8888
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/codegen/gaudi-values.yaml b/helm-charts/codegen/gaudi-values.yaml
@@ -19,6 +19,7 @@ service:
   port: 7778
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/codegen/templates/deployment.yaml b/helm-charts/codegen/templates/deployment.yaml
@@ -38,6 +38,9 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
           ports:
             - name: codegen
               containerPort: {{ .Values.port }}
@@ -60,6 +63,9 @@ spec:
                 #              port: {{ .Values.port }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/codegen/values.yaml b/helm-charts/codegen/values.yaml
@@ -19,6 +19,7 @@ service:
   port: 7778
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/embedding-usvc/templates/deployment.yaml b/helm-charts/common/embedding-usvc/templates/deployment.yaml
@@ -52,8 +52,14 @@ spec:
             - name: embedding-usvc
               containerPort:  {{ .Values.service.targetPort }}
               protocol: TCP
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/embedding-usvc/values.yaml b/helm-charts/common/embedding-usvc/values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/llm-uservice/gaudi-values.yaml b/helm-charts/common/llm-uservice/gaudi-values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/llm-uservice/templates/deployment.yaml b/helm-charts/common/llm-uservice/templates/deployment.yaml
@@ -34,6 +34,8 @@ spec:
               value: "http://{{ .Release.Name }}-tgi"
             - name: HUGGINGFACEHUB_API_TOKEN
               value: {{ .Values.global.HUGGINGFACEHUB_API_TOKEN | quote}}
+            - name: HF_HOME
+              value: "/tmp/.cache/huggingface"
             - name: http_proxy
               value: {{ .Values.global.http_proxy }}
             - name: https_proxy
@@ -54,6 +56,9 @@ spec:
             - name: llm-uservice
               containerPort: 9000
               protocol: TCP
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
           startupProbe:
             exec:
               command:
@@ -64,6 +69,9 @@ spec:
             failureThreshold: 120
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/llm-uservice/values.yaml b/helm-charts/common/llm-uservice/values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/redis-vector-db/templates/deployment.yaml b/helm-charts/common/redis-vector-db/templates/deployment.yaml
@@ -38,6 +38,8 @@ spec:
               name: data-volume
             - mountPath: /redisinsight
               name: redisinsight-volume
+            - mountPath: /tmp
+              name: tmp
           ports:
           {{- $redisServicePort := index .Values.service.ports 0 }}
             {{- range .Values.service.ports }}
@@ -58,6 +60,8 @@ spec:
           emptyDir: {}
         - name: redisinsight-volume
           emptyDir: {}
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/redis-vector-db/values.yaml b/helm-charts/common/redis-vector-db/values.yaml
@@ -21,6 +21,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/reranking-usvc/templates/deployment.yaml b/helm-charts/common/reranking-usvc/templates/deployment.yaml
@@ -52,8 +52,14 @@ spec:
             - name: reranking-usvc
               containerPort:  {{ .Values.service.targetPort }}
               protocol: TCP
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/reranking-usvc/values.yaml b/helm-charts/common/reranking-usvc/values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/retriever-usvc/templates/deployment.yaml b/helm-charts/common/retriever-usvc/templates/deployment.yaml
@@ -36,6 +36,8 @@ spec:
               value: "redis://{{ .Release.Name }}-redis-vector-db:6379"
             - name: INDEX_NAME
               value: "rag-redis"
+            - name: EASYOCR_MODULE_PATH
+              value: "/tmp/.EasyOCR"
             - name: http_proxy
               value: {{ .Values.global.http_proxy }}
             - name: https_proxy
@@ -48,6 +50,8 @@ spec:
               value: {{ .Values.global.LANGCHAIN_API_KEY }}
             - name: LANGCHAIN_PROJECT
               value: "opea-retriever-service"
+            - name: HF_HOME
+              value: "/tmp/.cache/huggingface"
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}"
@@ -56,6 +60,9 @@ spec:
             - name: retriever-usvc
               containerPort: 7000
               protocol: TCP
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
           startupProbe:
             exec:
               command:
@@ -74,6 +81,9 @@ spec:
 #              port: 7000
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/retriever-usvc/values.yaml b/helm-charts/common/retriever-usvc/values.yaml
@@ -23,6 +23,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/tei/templates/deployment.yaml b/helm-charts/common/tei/templates/deployment.yaml
@@ -44,6 +44,8 @@ spec:
               value: /tmp
             - name: TRANSFORMERS_CACHE
               value: /tmp/transformers_cache
+            - name: HF_HOME
+              value: "/tmp/.cache/huggingface"
           securityContext:
             {{- if .Values.global.modelUseHostPath }}
             {}
@@ -57,6 +59,8 @@ spec:
               name: model-volume
             - mountPath: /dev/shm
               name: shm
+            - mountPath: /tmp
+              name: tmp
           ports:
             - name: http
               containerPort: {{ .Values.port }}
@@ -76,6 +80,8 @@ spec:
           emptyDir:
             medium: Memory
             sizeLimit: {{ .Values.shmSize }}
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/tei/values.yaml b/helm-charts/common/tei/values.yaml
@@ -26,6 +26,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/teirerank/templates/NOTES.txt b/helm-charts/common/teirerank/templates/NOTES.txt
@@ -13,7 +13,7 @@
 {{- end }}
 
 2.   Use this command to verify teirerank service:
-  curl ${teirerank_svc_ip}/embed \
+  curl ${teirerank_svc_ip}/rerank\
     -X POST \
-    -d '{"inputs":"What is Deep Learning?"}' \
+    -d '{"query":"What is Deep Learning?", "texts": ["Deep Learning is not...", "Deep learning is..."]}' \
     -H 'Content-Type: application/json'
diff --git a/helm-charts/common/teirerank/templates/deployment.yaml b/helm-charts/common/teirerank/templates/deployment.yaml
@@ -44,6 +44,8 @@ spec:
               value: /tmp
             - name: TRANSFORMERS_CACHE
               value: /tmp/transformers_cache
+            - name: HF_HOME
+              value: "/tmp/.cache/huggingface"
           securityContext:
             {{- if .Values.global.modelUseHostPath }}
             {}
@@ -57,6 +59,8 @@ spec:
               name: model-volume
             - mountPath: /dev/shm
               name: shm
+            - mountPath: /tmp
+              name: tmp
           ports:
             - name: http
               containerPort: {{ .Values.port }}
@@ -76,6 +80,8 @@ spec:
           emptyDir:
             medium: Memory
             sizeLimit: {{ .Values.shmSize }}
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/teirerank/values.yaml b/helm-charts/common/teirerank/values.yaml
@@ -26,6 +26,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/tgi/gaudi-values.yaml b/helm-charts/common/tgi/gaudi-values.yaml
@@ -25,6 +25,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

diff --git a/helm-charts/common/tgi/templates/deployment.yaml b/helm-charts/common/tgi/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
               value: /tmp/numba_cache
             - name: TRANSFORMERS_CACHE
               value: /tmp/transformers_cache
+            - name: HF_HOME
+              value: "/tmp/.cache/huggingface"
           securityContext:
             {{- if .Values.global.modelUseHostPath }}
             {}
@@ -61,6 +63,8 @@ spec:
           volumeMounts:
             - mountPath: /data
               name: model-volume
+            - mountPath: /tmp
+              name: tmp
           ports:
             - name: http
               containerPort: {{ .Values.port }}
@@ -76,6 +80,8 @@ spec:
           {{- else }}
           emptyDir: {}
           {{- end }}
+        - name: tmp
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/helm-charts/common/tgi/values.yaml b/helm-charts/common/tgi/values.yaml
@@ -25,6 +25,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000