extraPodConfig values do not get set

I’m trying to set:

singleuser:
  extraPodConfig:
    securityContext:
      fsGroupChangePolicy: "OnRootMismatch"

because my OpenStack K8s cluster with CephFS file shares requires this key and value to be set, but it just does not end up in the container when a new user starts a notebook; it always remains like this:

securityContext:
  allowPrivilegeEscalation: false
  runAsUser: 1000

while I need:

securityContext:
  fsGroupChangePolicy: "OnRootMismatch"

Is this a bug or am I doing something wrong here?

I’m using version [2.0.0](https://jupyterhub.github.io/helm-chart/jupyterhub-2.0.0.tgz), 09 September 2022 App Version 3.0.0.

Thanks for your help in advance.


Which version of Z2JH are you using?

Newest release 2.0.0. I saw that this setting has been subject to change for the hub itself, where you can set hub.podSecurityContext and hub.containerSecurityContext, but when I need containers for users to have these values I’m right in using singleuser as there are no specific values for this in that section of the chart values?


I don’t know why

singleuser:
  extraPodConfig:
    ...

isn’t working. Does it work with other properties? If you’ve got a test deployment could you try the latest dev Helm chart, and if it’s still not working please open a bug report with your configuration and the dev version you tested.

In addition to that there are a couple of other ways you could set that property. Previously every configuration property had to have its own corresponding property in the Helm chart. As the number of properties increased it became difficult to keep everything up to date, so for other properties you can set them either using hub.config or hub.extraConfig.

The full list of KubeSpawner config properties is in KubeSpawner — Kubespawner
For example, you could try

hub:
  config:
    KubeSpawner:
      container_security_context:
        ...
      pod_security_context:
        ...

I’ve now tried the same with the newest dev helm chart, also without any luck. I created a bug report: `singleuser: extraPodConfig:` does not get set by the helm chart · Issue #3021 · jupyterhub/zero-to-jupyterhub-k8s · GitHub

Regarding the second approach I’ve tried the following, also without success:

config:
    KubeSpawner:
      pod_security_context:
        fsGroupChangePolicy: "OnRootMismatch"

or:

extraConfig:
    00-first-config: |
      c.KubeSpawner.pod_security_context.update({'fsGroupChangePolicy': 'OnRootMismatch'})

but I’m not sure my syntax is correct. Would greatly appreciate it if you could correct me in case it is wrong.

Also, I was wondering if hub: is the correct place for this setting, as I need the securityContext for singleuser: changed, so user pods/containers have that value set.

Thanks!


Just checking, you’re using hub.config/hub.extraConfig, and not putting those at the top level?

hub:
  config:
    KubeSpawner:
      ...

is the correct place. Singleuser containers are managed by the hub, and since the hub creates the Pod specification for those containers it has to manage their configuration.

The singleuser: section of the Helm Chart makes it easier to configure some things, but ultimately most of it is translated into KubeSpawner configuration options.

Yes, sorry that was not clear from my code. I’m putting them under hub:, so in the right place?


Any update to this? I have been unable to successfully set the fsGroupChangePolicy and have the pod see the setting.

@goseind did you get this working?

@wiegerthefarmer Sorry for the late reply. The issue still persists and I haven’t gotten around to finding a solution yet.
Maybe @manics can confirm that the code is correct, and then I can do some more debugging and try to find a solution.

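Added example, not part of the original thread and not Z2JH or KubeSpawner code: the securityContext excerpt in the first post contains allowPrivilegeEscalation, which exists only on a container's securityContext, whereas fsGroupChangePolicy is a field of the pod-level spec.securityContext, so the check below looks at both places in a pod manifest. The sample manifest is constructed (shaped like `kubectl get pod <name> -o json` output), and the function name and finding texts are assumptions made for this example.

```python
import json

# Values the Kubernetes API accepts for PodSecurityContext.fsGroupChangePolicy.
VALID_POLICIES = {"OnRootMismatch", "Always"}

# Constructed sample: a user pod where only container-level settings are present.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "jupyter-example"},
  "spec": {
    "securityContext": {"fsGroup": 100},
    "containers": [
      {"name": "notebook",
       "securityContext": {"allowPrivilegeEscalation": false, "runAsUser": 1000}}
    ]
  }
}
""")


def check_fs_group_change_policy(pod, expected="OnRootMismatch"):
    """Return findings about where fsGroupChangePolicy is, or is not, set."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    policy = pod_ctx.get("fsGroupChangePolicy")

    if policy is None:
        findings.append("pod-level securityContext has no fsGroupChangePolicy")
    elif policy not in VALID_POLICIES:
        findings.append(f"invalid fsGroupChangePolicy {policy!r}")
    elif policy != expected:
        findings.append(f"fsGroupChangePolicy is {policy!r}, expected {expected!r}")

    # The policy only governs the ownership change that fsGroup triggers.
    if policy is not None and "fsGroup" not in pod_ctx:
        findings.append("fsGroupChangePolicy set without fsGroup")

    # Flag manifests that put the pod-level key on a container instead.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            if "fsGroupChangePolicy" in (c.get("securityContext") or {}):
                findings.append(f"{kind}/{c.get('name')}: fsGroupChangePolicy "
                                "is a pod-level field")
    return findings


if __name__ == "__main__":
    for finding in check_fs_group_change_policy(SAMPLE_POD):
        print(finding)
```

An empty list means the pod-level securityContext carries the expected policy together with an fsGroup.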