https://flyte.org logo
Powered by
#ask-the-community
Title
# ask-the-community
y

Yubo Wang

06/22/2023, 10:20 PM
hi team, when I run 
make compile
and 
./bin/flyte start --config flyte_local.yaml
to develop flyte locally, how can I specify the pod security context to allow container to run as root?
y

Yee

06/22/2023, 11:28 PM
isn’t this respected?
can you set it in your local yaml?
y

Yubo Wang

06/22/2023, 11:29 PM
in flyte_local.yaml? not sure how to do it
Copy code
propeller:
  rawoutput-prefix: "<ambry://flyte/>"
  kube-config: "/Users/yubwang/.kube/config"
  create-flyteworkflow-crd: true
webhook:
  certDir: /tmp/k8s-webhook-server/serving-certs
  serviceName: flyte-pod-webhook
  localCert: true
  servicePort: 9443
tasks:
  task-plugins:
    enabled-plugins:
      - container
      - sidecar
      - K8S-ARRAY
    default-for-task-types:
      - container: container
      - container_array: K8S-ARRAY
server:
  kube-config: "/Users/yubwang/.kube/config"
  httpPort: 30080
  serviceHttpEndpoint: <http://localhost:30080/>
  grpc:
    port: 30081
flyteadmin:
  runScheduler: false
  namespace_mapping:
    template: "flyte"
database:
  postgres:
    port: 30089
    username: postgres
    host: localhost
    dbname: flyteadmin
    options: "sslmode=disable"
storage:
  type: ambry
  connection:
    access-key: minio
    auth-type: accesskey
    secret-key: miniostorage
    disable-ssl: true
    endpoint: "<https://ambry-frontend-main.ambry-frontend.ei-ltx1.atd.stg.linkedin.com:3183>"
    region: my-region
  cache:
    max_size_mbs: 10
    target_gc_percent: 100
  container: "flyte"
Logger:
  show-source: true
  level: 5
admin:
  endpoint: localhost:30081
  insecure: true
plugins:
  # All k8s plugins default configuration
  k8s:
    inject-finalizer: true
    default-env-vars:
      - AWS_METADATA_SERVICE_TIMEOUT: 5
      - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
      - FLYTE_AWS_ENDPOINT: "<http://minio.flyte:9000>"
      - FLYTE_AWS_ACCESS_KEY_ID: minio
      - FLYTE_AWS_SECRET_ACCESS_KEY: miniostorage
  # Logging configuration
  logs:
    kubernetes-enabled: true
    kubernetes-url: "<http://localhost:30082>"
cluster_resources:
  refreshInterval: 5m
  templatePath: "/etc/flyte/clusterresource/templates"
  # -- Starts the cluster resource manager in standalone mode with requisite auth credentials to call flyteadmin service endpoints
  standaloneDeployment: false
  customData:
  - production:
    - projectQuotaCpu:
        value: "8"
    - projectQuotaMemory:
        value: "16Gi"
  - staging:
    - projectQuotaCpu:
        value: "8"
    - projectQuotaMemory:
        value: "16Gi"
  - development:
    - projectQuotaCpu:
        value: "8"
    - projectQuotaMemory:
        value: "16Gi"
  refresh: 5m
flyte:
  admin:
    disableClusterResourceManager: true
    disableScheduler: true
  propeller:
    disableWebhook: true
task_resources:
  defaults:
    cpu: 500m
    memory: 1Gi
  limits:
    cpu: 2
    memory: 4Gi
    gpu: 5
catalog-cache:
  endpoint: localhost:8081
  insecure: true
  type: datacatalog
this is what I have right now
y

Yee

06/22/2023, 11:33 PM
under plugins/k8s
add 
default-pod-security-context
y

Yubo Wang

06/23/2023, 12:17 AM
interesting, that is not effective, I don’t see it being applied to the pod
Copy code
plugins:
  # All k8s plugins default configuration
  k8s:
    default-pod-security-context:
      run-as-user: 0
      allow-privilege-escalation: true
    inject-finalizer: true
    default-env-vars:
      - AWS_METADATA_SERVICE_TIMEOUT: 5
      - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
      - FLYTE_AWS_ENDPOINT: "<http://minio.flyte:9000>"
      - FLYTE_AWS_ACCESS_KEY_ID: minio
      - FLYTE_AWS_SECRET_ACCESS_KEY: miniostorage
y

Yee

06/23/2023, 4:45 PM
oh sorry… can you try 
default-security-context
?
Powered by