Configure spawned notebook policy in PSS enforced kubernetes environment

Hello,

I’m facing an issue with a deployed z2jh helm chart running in a cluster that applies a restricted PSS/PSP policy.
I’ve added the necessary security context to the helm values for the hub and the proxy, and it works fine:

    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

I’m stuck with the spawned notebook since the helm values don’t provide a way to apply the same container security context (the drop-all capabilities). I’ve tried to add it through extraPodConfig with no luck:

    extraPodConfig:
      enableServiceLinks: false
      containers:
      - name: notebook
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault

Is there another way to apply this container security context to the spawned notebooks?

Thanks for your help

You can use KubeSpawner.modify_pod_hook to apply arbitrary modifications after KubeSpawner is done creating its pod spec, before submitting it to kubernetes. I’m not sure if this is required to accomplish your goal, but it should make it possible, at least.
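As an added example (not code from the thread or from KubeSpawner itself), this is what such a modify_pod_hook could look like: it sets the restricted-profile fields on every container of the pod spec, keeps whatever else the operator already set in the container's security context, and refuses to submit a pod that would still fail the restricted checks. It assumes the hook receives a kubernetes.client.V1Pod (as KubeSpawner passes) and the stand-in models and sample pod are constructed here only so it runs without a cluster.

```python
from types import SimpleNamespace

try:  # KubeSpawner hands the hook a kubernetes.client.V1Pod built from these models
    from kubernetes.client import V1Capabilities, V1SeccompProfile, V1SecurityContext
except ImportError:  # constructed stand-ins so the example also runs without the client library
    V1Capabilities = lambda drop=None, add=None: SimpleNamespace(drop=drop, add=add)
    V1SeccompProfile = lambda type=None: SimpleNamespace(type=type)
    V1SecurityContext = lambda **fields: SimpleNamespace(**fields)


def harden_notebook_pod(spawner, pod):
    """modify_pod_hook: apply the restricted-PSS container security context to every
    container (init containers included), keeping other fields already set on it.
    Register with c.KubeSpawner.modify_pod_hook = harden_notebook_pod (e.g. in hub.extraConfig)."""
    for container in (pod.spec.containers or []) + (pod.spec.init_containers or []):
        sc = container.security_context or V1SecurityContext()
        sc.allow_privilege_escalation = False
        sc.capabilities = V1Capabilities(drop=["ALL"])
        sc.run_as_non_root = True
        sc.seccomp_profile = V1SeccompProfile(type="RuntimeDefault")
        container.security_context = sc
    # Fail closed: do not hand kubernetes a pod the restricted policy would reject anyway.
    violations = pss_violations(pod)
    if violations:
        raise ValueError("; ".join(violations))
    return pod


def pss_violations(pod):
    """Mirror the container-level checks of the restricted profile; [] when the pod complies."""
    problems = []
    for c in (pod.spec.containers or []) + (pod.spec.init_containers or []):
        sc = c.security_context
        if getattr(sc, "allow_privilege_escalation", None) is not False:
            problems.append(f"{c.name}: allowPrivilegeEscalation must be false")
        caps = getattr(sc, "capabilities", None)
        if "ALL" not in (getattr(caps, "drop", None) or []):
            problems.append(f"{c.name}: capabilities.drop must include ALL")
        if getattr(sc, "run_as_non_root", None) is not True:
            problems.append(f"{c.name}: runAsNonRoot must be true")
        seccomp = getattr(getattr(sc, "seccomp_profile", None), "type", None)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{c.name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def sample_pod():
    """Constructed stand-in for the pod KubeSpawner builds: a notebook container that already
    carries a runAsUser, plus an init container with no security context at all."""
    notebook = SimpleNamespace(name="notebook", security_context=SimpleNamespace(run_as_user=1000))
    init = SimpleNamespace(name="init-home", security_context=None)
    return SimpleNamespace(spec=SimpleNamespace(containers=[notebook], init_containers=[init]))
```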

Additionally, you may consider extraPodConfig values do not get set - #4 by manics

    ...
      hub:
    ...
        config:
    ...
          KubeSpawner:
            container_security_context:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault