Add securityContext to RayCluster based on Namespace labels

Author: ChristianZaccaria

config/rbac/role.yaml

@@ -14,6 +14,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

pkg/controllers/raycluster_webhook.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -46,6 +47,7 @@ var rayclusterlog = logf.Log.WithName("raycluster-resource")
 func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConfiguration) error {
 	rayClusterWebhookInstance := &rayClusterWebhook{
 		Config: cfg,
+		Client: mgr.GetClient(),
 	}
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&rayv1.RayCluster{}).
@@ -56,9 +58,11 @@ func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConf
 
 // +kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create,versions=v1,name=mraycluster.ray.openshift.ai,admissionReviewVersions=v1
 // +kubebuilder:webhook:path=/validate-ray-io-v1-raycluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=vraycluster.ray.openshift.ai,admissionReviewVersions=v1
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 
 type rayClusterWebhook struct {
 	Config *config.KubeRayConfiguration
+	Client client.Client
 }
 
 var _ webhook.CustomDefaulter = &rayClusterWebhook{}
@@ -123,6 +127,32 @@ func (w *rayClusterWebhook) Default(ctx context.Context, obj runtime.Object) err
 		}
 	}
 
+	hasSecurityLabels, err := namespaceHasSecurityLabels(ctx, w.Client, rayCluster.Namespace)
+	if err != nil {
+		rayclusterlog.Error(err, "Failed to check namespace resource labels")
+		return err
+	}
+	if hasSecurityLabels {
+		secureContext := corev1.SecurityContext{
+			AllowPrivilegeEscalation: ptr.To(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
+		}
+		// Set the security context for the head container and worker containers
+		for i := range rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers {
+			rayCluster.Spec.HeadGroupSpec.Template.Spec.Containers[i].SecurityContext = &secureContext
+		}
+		for i := range rayCluster.Spec.WorkerGroupSpecs {
+			for j := range rayCluster.Spec.WorkerGroupSpecs[i].Template.Spec.Containers {
+				rayCluster.Spec.WorkerGroupSpecs[i].Template.Spec.Containers[j].SecurityContext = &secureContext
+			}
+		}
+	}
+
 	return nil
 }
 

pkg/controllers/support.go

@@ -1,15 +1,19 @@
 package controllers
 
 import (
+	"context"
+
 	rayv1 "github.com/ray-project/kuberay/ray-operator/apis/ray/v1"
 
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
 	networkingv1ac "k8s.io/client-go/applyconfigurations/networking/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	routeapply "github.com/openshift/client-go/route/applyconfigurations/route/v1"
 )
@@ -156,3 +160,15 @@ func withEnvVarName(name string) compare[corev1.EnvVar] {
 		return e1.Name == name
 	}
 }
+
+func namespaceHasSecurityLabels(ctx context.Context, kubeClient client.Client, namespaceName string) (bool, error) {
+	namespace := &corev1.Namespace{}
+	if err := kubeClient.Get(ctx, client.ObjectKey{Name: namespaceName}, namespace); err != nil {
+		return false, err
+	}
+	labelSelector := labels.SelectorFromSet(labels.Set{
+		"pod-security.kubernetes.io/enforce":         "restricted",
+		"pod-security.kubernetes.io/enforce-version": "v1.24",
+	})
+	return labelSelector.Matches(labels.Set(namespace.Labels)), nil
+}