Provide writable directories by default (#67)

* Mount scratch space to /tmp and /home/prefect by default, and configure the container working directory and HOME directory accordingly * Add documentation for different installation options (default fully-unprivileged, running as root, and running in OpenShift)
PrefectHQ · Oct 5, 2022 · bf577f1 · bf577f1
1 parent 9fefaa9
commit bf577f1
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 10 deletions.
diff --git a/Readme.md b/Readme.md
@@ -132,6 +132,41 @@ Development versions of the Helm chart will always be available directly from th
 
 See comments in `values.yaml`.
 
+### Security Context
+
+By default, the agent and server run as an unprivileged user with a read-only root filesystem. You can customize the security context settings for both the agent and server in the `values.yaml` file for your use case.
+
+If you need to install system packages or configure other settings at runtime, you can configure a writable filesystem and run as root by configuring the pod and container security context accordingly:
+
+```yaml
+  podSecurityContext:
+    runAsUser: 0
+    runAsNonRoot: false
+    fsGroup: 0
+
+  containerSecurityContext:
+    runAsUser: 0
+    # this must be false, since we are running as root
+    runAsNonRoot: false
+    # make the filesystem writable
+    readOnlyRootFilesystem: false
+    # this must be false, since we are running as root
+    allowPrivilegeEscalation: false
+```
+
+If you are running in OpenShift, the default `restricted` security context constraint will prevent customization of the user. In this case, explicitly configure the `runAsUser` settings to `null` to use OpenShift-assigned settings:
+
+```yaml
+  podSecurityContext:
+    runAsUser: null
+    fsGroup: null
+
+  containerSecurityContext:
+    runAsUser: null
+```
+
+The other default settings, such as a read-only root filesystem, are suitable for an OpenShift environment.
+
 ## Troubleshooting
 
 ### The database deploys correctly but other services fail with "bad password"

diff --git a/charts/prefect-agent/templates/deployment.yaml b/charts/prefect-agent/templates/deployment.yaml
@@ -53,7 +53,10 @@ spec:
           image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.prefectTag }}"
           imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
           command: ["prefect", "agent", "start", "-q", '{{ join "," .Values.agent.config.workQueues }}']
+          workingDir: /home/prefect
           env:
+            - name: HOME
+              value: /home/prefect
             - name: PREFECT_AGENT_PREFETCH_SECONDS
               value: {{ .Values.agent.config.prefetchSeconds | quote }}
             - name: PREFECT_AGENT_QUERY_INTERVAL
@@ -69,8 +72,6 @@ spec:
             {{- end }}
             - name: PREFECT_DEBUG_MODE
               value: {{ .Values.agent.image.debug | quote }}
-            - name: PREFECT_HOME
-              value: /opt/prefect
             {{- if .Values.agent.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.agent.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
@@ -90,8 +91,12 @@ spec:
           securityContext: {{- .Values.agent.containerSecurityContext | toYaml | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - mountPath: /opt/prefect/.prefect
-              name: agent-home
+            - mountPath: /home/prefect
+              name: scratch
+              subPathExpr: home
+            - mountPath: /tmp
+              name: scratch
+              subPathExpr: tmp
       volumes:
-        - name: agent-home
+        - name: scratch
           emptyDir: {}
diff --git a/charts/prefect-orion/templates/deployment.yaml b/charts/prefect-orion/templates/deployment.yaml
@@ -53,13 +53,14 @@ spec:
           image: "{{ .Values.orion.image.repository }}:{{ .Values.orion.image.prefectTag }}"
           imagePullPolicy: {{ .Values.orion.image.pullPolicy }}
           command: ["prefect", "orion", "start", "--host", "0.0.0.0", "--log-level", "WARNING", "--port", {{ .Values.service.port | quote }}]
+          workingDir: /home/prefect
           ports:
             - containerPort: {{ int .Values.service.port }}
           env:
+            - name: HOME
+              value: /home/prefect
             - name: PREFECT_DEBUG_MODE
               value: {{ .Values.orion.image.debug | quote }}
-            - name: PREFECT_HOME
-              value: /opt/prefect
             {{- if .Values.postgresql.enabled }}
             - name: PREFECT_ORION_DATABASE_CONNECTION_URL
               valueFrom:
@@ -86,8 +87,12 @@ spec:
           securityContext: {{- .Values.orion.containerSecurityContext | toYaml | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - mountPath: /opt/prefect/.prefect
-              name: orion-home
+            - mountPath: /home/prefect
+              name: scratch
+              subPathExpr: home
+            - mountPath: /tmp
+              name: scratch
+              subPathExpr: tmp
       volumes:
-        - name: orion-home
+        - name: scratch
           emptyDir: {}