From 9367a9ce96c9e89098408e0c9078368571c38ef2 Mon Sep 17 00:00:00 2001
From: Lianhao Lu
Date: Tue, 2 Jul 2024 16:35:13 +0800
Subject: [PATCH] Helm chart: Add readOnlyRootFilesystem to securityContext
Added readOnlyRootFilesystem to default securityContext to all helm charts. Releated to issue #129.
Signed-off-by: Lianhao Lu
---
 helm-charts/chatqna/gaudi-values.yaml | 1 +
 helm-charts/chatqna/templates/deployment.yaml | 6 ++++++
 helm-charts/chatqna/values.yaml | 1 +
 helm-charts/codegen/gaudi-values.yaml | 1 +
 helm-charts/codegen/templates/deployment.yaml | 6 ++++++
 helm-charts/codegen/values.yaml | 1 +
 .../common/embedding-usvc/templates/deployment.yaml | 6 ++++++
 helm-charts/common/embedding-usvc/values.yaml | 1 +
 helm-charts/common/llm-uservice/gaudi-values.yaml | 1 +
 .../common/llm-uservice/templates/deployment.yaml | 8 ++++++++
 helm-charts/common/llm-uservice/values.yaml | 1 +
 .../common/redis-vector-db/templates/deployment.yaml | 4 ++++
 helm-charts/common/redis-vector-db/values.yaml | 1 +
 .../common/reranking-usvc/templates/deployment.yaml | 6 ++++++
 helm-charts/common/reranking-usvc/values.yaml | 1 +
 .../common/retriever-usvc/templates/deployment.yaml | 10 ++++++++++
 helm-charts/common/retriever-usvc/values.yaml | 1 +
 helm-charts/common/tei/templates/deployment.yaml | 6 ++++++
 helm-charts/common/tei/values.yaml | 1 +
 helm-charts/common/teirerank/templates/NOTES.txt | 4 ++--
 helm-charts/common/teirerank/templates/deployment.yaml | 6 ++++++
 helm-charts/common/teirerank/values.yaml | 1 +
 helm-charts/common/tgi/gaudi-values.yaml | 1 +
 helm-charts/common/tgi/templates/deployment.yaml | 6 ++++++
 helm-charts/common/tgi/values.yaml | 1 +
 25 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/helm-charts/chatqna/gaudi-values.yaml b/helm-charts/chatqna/gaudi-values.yaml
index 53440022..013d7c19 100644
--- a/helm-charts/chatqna/gaudi-values.yaml
+++ b/helm-charts/chatqna/gaudi-values.yaml
@@ -19,6 +19,7 @@ service:
 port: 8888
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/chatqna/templates/deployment.yaml b/helm-charts/chatqna/templates/deployment.yaml
index 8fce13c7..48218483 100644
--- a/helm-charts/chatqna/templates/deployment.yaml
+++ b/helm-charts/chatqna/templates/deployment.yaml
@@ -42,6 +42,9 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
 ports:
 - name: chatqna
 containerPort: {{ .Values.port }}
@@ -64,6 +67,9 @@ spec:
 # port: {{ .Values.port }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/chatqna/values.yaml b/helm-charts/chatqna/values.yaml
index b8153544..64a1ac89 100644
--- a/helm-charts/chatqna/values.yaml
+++ b/helm-charts/chatqna/values.yaml
@@ -19,6 +19,7 @@ service:
 port: 8888
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/codegen/gaudi-values.yaml b/helm-charts/codegen/gaudi-values.yaml
index 231103c8..6ecad53a 100644
--- a/helm-charts/codegen/gaudi-values.yaml
+++ b/helm-charts/codegen/gaudi-values.yaml
@@ -19,6 +19,7 @@ service:
 port: 7778
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/codegen/templates/deployment.yaml b/helm-charts/codegen/templates/deployment.yaml
index bbf04f90..03e4eed3 100644
--- a/helm-charts/codegen/templates/deployment.yaml
+++ b/helm-charts/codegen/templates/deployment.yaml
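Review bot: The default securityContext this hunk extends still stops short of the restricted Pod Security Standard: with `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false` and `runAsNonRoot: true` now all present, the only fields the profile still requires are `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`, so adding those two entries under `securityContext` in the same values files would let the charts pass that profile without further template changes. The same securityContext stanza is repeated in every values.yaml and gaudi-values.yaml in this patch (chatqna, codegen, embedding-usvc, llm-uservice, redis-vector-db, reranking-usvc, retriever-usvc, tei, teirerank, tgi), so the addition belongs in all of them. Whether each image runs correctly with all capabilities dropped is not visible from the diff and should be confirmed per chart before merging such a change.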
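Review bot: The `/tmp` volume added in the third hunk of chatqna/templates/deployment.yaml is declared as `emptyDir: {}` with no `sizeLimit`, so the new read-only root filesystem is paired with a writable scratch area that can grow until the node's ephemeral storage is exhausted; declaring it as `emptyDir:` / `sizeLimit: 1Gi` (a constructed example, to be sized per chart) lets the kubelet evict the pod at a known bound instead. This matters more for the charts where the patch also points `HF_HOME` (and, in retriever-usvc, `EASYOCR_MODULE_PATH`) into `/tmp` — llm-uservice, retriever-usvc, tei, teirerank and tgi — since model or hub downloads will presumably land in that emptyDir and, being pod-local, be re-fetched on every restart. The same unbounded `emptyDir: {}` for `tmp` is repeated in the codegen, embedding-usvc, llm-uservice, redis-vector-db, reranking-usvc, retriever-usvc, tei, teirerank and tgi deployment hunks.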
@@ -38,6 +38,9 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
 ports:
 - name: codegen
 containerPort: {{ .Values.port }}
@@ -60,6 +63,9 @@ spec:
 # port: {{ .Values.port }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/codegen/values.yaml b/helm-charts/codegen/values.yaml
index 63b68bd5..75efa592 100644
--- a/helm-charts/codegen/values.yaml
+++ b/helm-charts/codegen/values.yaml
@@ -19,6 +19,7 @@ service:
 port: 7778
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/embedding-usvc/templates/deployment.yaml b/helm-charts/common/embedding-usvc/templates/deployment.yaml
index 5d50e8de..db651ea5 100644
--- a/helm-charts/common/embedding-usvc/templates/deployment.yaml
+++ b/helm-charts/common/embedding-usvc/templates/deployment.yaml
@@ -52,8 +52,14 @@ spec:
 - name: embedding-usvc
 containerPort: {{ .Values.service.targetPort }}
 protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/embedding-usvc/values.yaml b/helm-charts/common/embedding-usvc/values.yaml
index e5f8973e..0df6a93f 100644
--- a/helm-charts/common/embedding-usvc/values.yaml
+++ b/helm-charts/common/embedding-usvc/values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/llm-uservice/gaudi-values.yaml b/helm-charts/common/llm-uservice/gaudi-values.yaml
index 15cca31e..cc2280bf 100644
--- a/helm-charts/common/llm-uservice/gaudi-values.yaml
+++ b/helm-charts/common/llm-uservice/gaudi-values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/llm-uservice/templates/deployment.yaml b/helm-charts/common/llm-uservice/templates/deployment.yaml
index d9aa5308..dc1d9e8a 100644
--- a/helm-charts/common/llm-uservice/templates/deployment.yaml
+++ b/helm-charts/common/llm-uservice/templates/deployment.yaml
@@ -34,6 +34,8 @@ spec:
 value: "http://{{ .Release.Name }}-tgi"
 - name: HUGGINGFACEHUB_API_TOKEN
 value: {{ .Values.global.HUGGINGFACEHUB_API_TOKEN | quote}}
+ - name: HF_HOME
+ value: "/tmp/.cache/huggingface"
 - name: http_proxy
 value: {{ .Values.global.http_proxy }}
 - name: https_proxy
@@ -54,6 +56,9 @@ spec:
 - name: llm-uservice
 containerPort: 9000
 protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
 startupProbe:
 exec:
 command:
@@ -64,6 +69,9 @@ spec:
 failureThreshold: 120
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/llm-uservice/values.yaml b/helm-charts/common/llm-uservice/values.yaml
index 1dabd8c2..5c246afd 100644
--- a/helm-charts/common/llm-uservice/values.yaml
+++ b/helm-charts/common/llm-uservice/values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/redis-vector-db/templates/deployment.yaml b/helm-charts/common/redis-vector-db/templates/deployment.yaml
index cb398942..575755c8 100644
--- a/helm-charts/common/redis-vector-db/templates/deployment.yaml
+++ b/helm-charts/common/redis-vector-db/templates/deployment.yaml
@@ -38,6 +38,8 @@ spec:
 name: data-volume
 - mountPath: /redisinsight
 name: redisinsight-volume
+ - mountPath: /tmp
+ name: tmp
 ports:
 {{- $redisServicePort := index .Values.service.ports 0 }}
 {{- range .Values.service.ports }}
@@ -58,6 +60,8 @@ spec:
 emptyDir: {}
 - name: redisinsight-volume
 emptyDir: {}
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/redis-vector-db/values.yaml b/helm-charts/common/redis-vector-db/values.yaml
index 57df5586..a776f0ee 100644
--- a/helm-charts/common/redis-vector-db/values.yaml
+++ b/helm-charts/common/redis-vector-db/values.yaml
@@ -21,6 +21,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/reranking-usvc/templates/deployment.yaml b/helm-charts/common/reranking-usvc/templates/deployment.yaml
index 31a03fdc..41d7a22c 100644
--- a/helm-charts/common/reranking-usvc/templates/deployment.yaml
+++ b/helm-charts/common/reranking-usvc/templates/deployment.yaml
@@ -52,8 +52,14 @@ spec:
 - name: reranking-usvc
 containerPort: {{ .Values.service.targetPort }}
 protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/reranking-usvc/values.yaml b/helm-charts/common/reranking-usvc/values.yaml
index 4dd10226..c642d526 100644
--- a/helm-charts/common/reranking-usvc/values.yaml
+++ b/helm-charts/common/reranking-usvc/values.yaml
@@ -24,6 +24,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/retriever-usvc/templates/deployment.yaml b/helm-charts/common/retriever-usvc/templates/deployment.yaml
index 9fd198d1..77f78f86 100644
--- a/helm-charts/common/retriever-usvc/templates/deployment.yaml
+++ b/helm-charts/common/retriever-usvc/templates/deployment.yaml
@@ -36,6 +36,8 @@ spec:
 value: "redis://{{ .Release.Name }}-redis-vector-db:6379"
 - name: INDEX_NAME
 value: "rag-redis"
+ - name: EASYOCR_MODULE_PATH
+ value: "/tmp/.EasyOCR"
 - name: http_proxy
 value: {{ .Values.global.http_proxy }}
 - name: https_proxy
@@ -48,6 +50,8 @@ spec:
 value: {{ .Values.global.LANGCHAIN_API_KEY }}
 - name: LANGCHAIN_PROJECT
 value: "opea-retriever-service"
+ - name: HF_HOME
+ value: "/tmp/.cache/huggingface"
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}"
@@ -56,6 +60,9 @@ spec:
 - name: retriever-usvc
 containerPort: 7000
 protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
 startupProbe:
 exec:
 command:
@@ -74,6 +81,9 @@ spec:
 # port: 7000
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/retriever-usvc/values.yaml b/helm-charts/common/retriever-usvc/values.yaml
index 19bafeb0..df57f337 100644
--- a/helm-charts/common/retriever-usvc/values.yaml
+++ b/helm-charts/common/retriever-usvc/values.yaml
@@ -23,6 +23,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/tei/templates/deployment.yaml b/helm-charts/common/tei/templates/deployment.yaml
index 784d86cb..3fe7b2ce 100644
--- a/helm-charts/common/tei/templates/deployment.yaml
+++ b/helm-charts/common/tei/templates/deployment.yaml
@@ -44,6 +44,8 @@ spec:
 value: /tmp
 - name: TRANSFORMERS_CACHE
 value: /tmp/transformers_cache
+ - name: HF_HOME
+ value: "/tmp/.cache/huggingface"
 securityContext:
 {{- if .Values.global.modelUseHostPath }}
 {}
@@ -57,6 +59,8 @@ spec:
 name: model-volume
 - mountPath: /dev/shm
 name: shm
+ - mountPath: /tmp
+ name: tmp
 ports:
 - name: http
 containerPort: {{ .Values.port }}
@@ -76,6 +80,8 @@ spec:
 emptyDir:
 medium: Memory
 sizeLimit: {{ .Values.shmSize }}
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/tei/values.yaml b/helm-charts/common/tei/values.yaml
index acc1aebb..e392cc7d 100644
--- a/helm-charts/common/tei/values.yaml
+++ b/helm-charts/common/tei/values.yaml
@@ -26,6 +26,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/teirerank/templates/NOTES.txt b/helm-charts/common/teirerank/templates/NOTES.txt
index d77167f5..943b0a56 100644
--- a/helm-charts/common/teirerank/templates/NOTES.txt
+++ b/helm-charts/common/teirerank/templates/NOTES.txt
@@ -13,7 +13,7 @@
 {{- end }}
 2. Use this command to verify teirerank service:
- curl ${teirerank_svc_ip}/embed \
+ curl ${teirerank_svc_ip}/rerank\
 -X POST \
- -d '{"inputs":"What is Deep Learning?"}' \
+ -d '{"query":"What is Deep Learning?", "texts": ["Deep Learning is not...", "Deep learning is..."]}' \
 -H 'Content-Type: application/json'
diff --git a/helm-charts/common/teirerank/templates/deployment.yaml b/helm-charts/common/teirerank/templates/deployment.yaml
index 993e71ef..43d6fc2d 100644
--- a/helm-charts/common/teirerank/templates/deployment.yaml
+++ b/helm-charts/common/teirerank/templates/deployment.yaml
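Review bot: The new `readOnlyRootFilesystem: true` in tei/values.yaml is not applied when `global.modelUseHostPath` is set, because the `securityContext:` context lines at the end of the first hunk render `{}` in that branch (the remainder of the conditional, presumably an `{{- else }}` that emits `toYaml .Values.securityContext`, lies outside the hunk); in hostPath mode the container therefore keeps a writable root filesystem and also loses `allowPrivilegeEscalation: false` and `runAsNonRoot: true`. If only the uid-related keys conflict with host-path file ownership, the branch can render the values without them, e.g. `{{- toYaml (omit .Values.securityContext "runAsUser" "runAsGroup") | nindent 12 }}` in place of `{}`; otherwise a template comment such as `{{/* hostPath mode intentionally clears securityContext; readOnlyRootFilesystem is not enforced here */}}` should make the gap explicit. The identical `{{- if .Values.global.modelUseHostPath }}` / `{}` branch appears in the teirerank and tgi deployment hunks and needs the same treatment.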
@@ -44,6 +44,8 @@ spec:
 value: /tmp
 - name: TRANSFORMERS_CACHE
 value: /tmp/transformers_cache
+ - name: HF_HOME
+ value: "/tmp/.cache/huggingface"
 securityContext:
 {{- if .Values.global.modelUseHostPath }}
 {}
@@ -57,6 +59,8 @@ spec:
 name: model-volume
 - mountPath: /dev/shm
 name: shm
+ - mountPath: /tmp
+ name: tmp
 ports:
 - name: http
 containerPort: {{ .Values.port }}
@@ -76,6 +80,8 @@ spec:
 emptyDir:
 medium: Memory
 sizeLimit: {{ .Values.shmSize }}
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/teirerank/values.yaml b/helm-charts/common/teirerank/values.yaml
index 83e54aa5..77c00f4f 100644
--- a/helm-charts/common/teirerank/values.yaml
+++ b/helm-charts/common/teirerank/values.yaml
@@ -26,6 +26,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/tgi/gaudi-values.yaml b/helm-charts/common/tgi/gaudi-values.yaml
index 48d67411..92d181fc 100644
--- a/helm-charts/common/tgi/gaudi-values.yaml
+++ b/helm-charts/common/tgi/gaudi-values.yaml
@@ -25,6 +25,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/helm-charts/common/tgi/templates/deployment.yaml b/helm-charts/common/tgi/templates/deployment.yaml
index 75b24d2d..8d91285a 100644
--- a/helm-charts/common/tgi/templates/deployment.yaml
+++ b/helm-charts/common/tgi/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
 value: /tmp/numba_cache
 - name: TRANSFORMERS_CACHE
 value: /tmp/transformers_cache
+ - name: HF_HOME
+ value: "/tmp/.cache/huggingface"
 securityContext:
 {{- if .Values.global.modelUseHostPath }}
 {}
@@ -61,6 +63,8 @@ spec:
 volumeMounts:
 - mountPath: /data
 name: model-volume
+ - mountPath: /tmp
+ name: tmp
 ports:
 - name: http
 containerPort: {{ .Values.port }}
@@ -76,6 +80,8 @@ spec:
 {{- else }}
 emptyDir: {}
 {{- end }}
+ - name: tmp
+ emptyDir: {}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/common/tgi/values.yaml b/helm-charts/common/tgi/values.yaml
index 723f4b3f..7a6b6ef7 100644
--- a/helm-charts/common/tgi/values.yaml
+++ b/helm-charts/common/tgi/values.yaml
@@ -25,6 +25,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000