feat(deployment): update and secure metacontroller (#6537)

* Update stateful-set.yaml * Update kustomization.yaml * Update composite-controller.yaml
kubeflow · Sep 14, 2021 · 5c5f210 · 5c5f210
1 parent 5d82fa7
commit 5c5f210
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 25 deletions.
diff --git a/...kustomize/base/installs/multi-user/pipelines-profile-controller/composite-controller.yaml b/...kustomize/base/installs/multi-user/pipelines-profile-controller/composite-controller.yaml
@@ -1,13 +1,18 @@
+# Change resyncPeriodSeconds to 1 hour from insane 20 seconds  
+# Only  sync namespaces with pipelines.kubeflow.org/enabled = "true"
 apiVersion: metacontroller.k8s.io/v1alpha1
 kind: CompositeController
 metadata:
   name: kubeflow-pipelines-profile-controller
 spec:
   generateSelector: true
-  resyncPeriodSeconds: 10
+  resyncPeriodSeconds: 3600
   parentResource:
     apiVersion: v1
     resource: namespaces
+    labelSelector:
+      matchLabels:
+        pipelines.kubeflow.org/enabled = "true"
   childResources:
   - apiVersion: v1
     resource: secrets

diff --git a/manifests/kustomize/third-party/metacontroller/base/kustomization.yaml b/manifests/kustomize/third-party/metacontroller/base/kustomization.yaml
@@ -8,7 +8,3 @@ resources:
 - stateful-set.yaml
 commonLabels:
   kustomize.component: metacontroller
-images:
-- name: metacontroller/metacontroller
-  newName: metacontroller/metacontroller
-  newTag: v0.3.0
diff --git a/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml b/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml
@@ -18,26 +18,28 @@ spec:
         sidecar.istio.io/inject: "false"
     spec:
       containers:
-      - command:
-        - /usr/bin/metacontroller
-        - --logtostderr
-        - -v=4
-        - --discovery-interval=20s
-        image: metacontroller/metacontroller:v0.3.0
-        imagePullPolicy: Always
-        name: metacontroller
-        ports:
-        - containerPort: 2345
-        resources:
-          limits:
-            cpu: "4"
-            memory: 4Gi
-          requests:
-            cpu: 500m
-            memory: 1Gi
-        securityContext:
-          allowPrivilegeEscalation: true
-          privileged: true
+        - resources:
+            limits:
+              cpu: '1'
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 256Mi
+          command:
+            - /usr/bin/metacontroller
+            - --zap-log-level=4
+            - '--discovery-interval=3600s' # less insane than 10 seconds
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            privileged: false
+            allowPrivilegeEscalation: false
+          name: metacontroller
+          image: 'docker.io/metacontrollerio/metacontroller:v2.0.4'
       serviceAccountName: meta-controller-service
   # Workaround for https://github.com/kubernetes-sigs/kustomize/issues/677
   volumeClaimTemplates: []