Flyte-core define pod and container securityContext

[ddl-ebrown]

Like #4785 does for the agent, this defines the security context for flyte-core pods / containers.

• Define secure defaults for all pod / container specs:

  • runAsNonRoot: true
  • capabilities: drop: ['ALL']
  • allowPrivilegeEscalation: false
  • seLinuxOptions: type: spc_t

  This is required in many locations where policy enforcement agents
  may be installed (like OPA Gatekeeper) which may otherwise prevent
  deployments from launching.

  The hard work of making sure the containers run as non-0 uids seems
  to have already been done given all containers are already specifying
  a runAsUser value of 1000 or 1001, so this should hopefully just be a
  little more hardening around restricting kernel permissions /
  enforcement within the container runtime.

  These are generally considered standard / secure default settings and
  are not currently made configurable given these services are all
  owned by Flyte

Tracking issue

https://github.com/flyteorg/flyte/issues/

Why are the changes needed?

What changes were proposed in this pull request?

How was this patch tested?

In local testing, all pods seem to be behaving correctly with these additional restrictions

Setup process

Screenshots

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Related PRs

Docs link

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (4223a83) 58.98% compared to head (a3ffa89) 59.73%.
Report is 8 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4809      +/-   ##
==========================================
+ Coverage   58.98%   59.73%   +0.74%     
==========================================
  Files         644      644              
  Lines       55146    49161    -5985     
==========================================
- Hits        32529    29364    -3165     
+ Misses      20043    17223    -2820     
  Partials     2574     2574              

Flag	Coverage Δ
unittests	59.58% <ø> (+0.60%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[davidmirror-ops]

This one looks very interesting. @ddl-ebrown have you already deployed the chart with these settings?

[ddl-ebrown]

We have and everything starts ok BUT we haven't yet validated everything works ok. We'll be doing that this week and I'll follow up.

Unlike the agent where you've got a general purpose chart capable of deploying a bunch of different agents, you control all of the code in all of these services so I thought for now there's less of a need for these settings to be configurable.

I'm not sure what your integration test suites do, but if they exercise the majority of the Flyte features then that should be some signal that these changes are compatible

[davidmirror-ops]

Thank you!