Skip to content

kserve: set storage initializer security context#3527

Draft
danish9039 wants to merge 1 commit into
kubeflow:masterfrom
danish9039:pr3487/kserve-storageinitializer-pss
Draft

kserve: set storage initializer security context#3527
danish9039 wants to merge 1 commit into
kubeflow:masterfrom
danish9039:pr3487/kserve-storageinitializer-pss

Conversation

@danish9039

Copy link
Copy Markdown
Member

Pull Request Template for Kubeflow Manifests

Summary of Changes

This PR adds a Kubeflow manifests-side Kustomize patch for ClusterStorageContainer/default so the KServe storage initializer container has a restricted-PSS compatible securityContext.

The patch sets:

  • allowPrivilegeEscalation: false
  • capabilities.drop: [ALL]
  • runAsNonRoot: true
  • runAsUser: 1000
  • seccompProfile.type: RuntimeDefault

It does not edit generated upstream KServe bundle files and does not change test scripts.

Dependencies

Related to #3487. After this lands and is consumed by #3487, the temporary runtime kubectl patch clusterstoragecontainer default in #3487 can be removed.

Related Issues

Related to #3487.

Contributor Checklist

  • I have tested these changes with kustomize. See Installation Prerequisites.
  • All commits are signed-off to satisfy the DCO check.
  • I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).

Validation:

  • kustomize build applications/kserve/kserve
  • rendered ClusterStorageContainer/default securityContext assertion
  • git diff --check

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Copilot AI review requested due to automatic review settings July 4, 2026 20:13
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown

Welcome to the Kubeflow Community Distribution Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronized from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/community-distribution to test the platform integration.

Community Resources:

Thanks again for helping to improve Kubeflow.

@google-oss-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yuzisun for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds a Kustomize strategic-merge patch in the Kubeflow KServe overlay to apply a Pod Security Standards (restricted) compatible securityContext to the KServe storage initializer definition (ClusterStorageContainer/default), without modifying synchronized upstream bundle files.

Changes:

  • Add a new Kustomize patch targeting serving.kserve.io/v1alpha1 ClusterStorageContainer/default.
  • Set a restricted-PSS aligned securityContext on spec.container (no privilege escalation, drop all capabilities, non-root user, RuntimeDefault seccomp).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants