Skip to content

Change job's user ID to fix SCC violation #318

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Change job's user ID to fix SCC violation #318

wants to merge 1 commit into from

Conversation

ruivieira
Copy link
Member

Refers to RHOAIENG-13846.

The pod is trying to run with a runAsUser UID of 1001030000, which is outside the allowed UID ranges specified by the Security Context Constraints available to the pod's service account.

This PR sets it to a UID within the allowed range [1000840000, 1000849999].

@ruivieira ruivieira added kind/bug Something isn't working lm-eval Issues related to LM-Eval labels Oct 13, 2024
@ruivieira ruivieira requested a review from yhwang October 13, 2024 18:25
@ruivieira ruivieira self-assigned this Oct 13, 2024
@ruivieira ruivieira linked an issue Oct 13, 2024 that may be closed by this pull request
LMEvalJob pods crash do to SCC conflict with the initContainer #308
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 13, 2024
edited
Loading

PR image build and manifest generation completed successfully!

📦 PR image: quay.io/trustyai/trustyai-service-operator-ci:6cbe93c6711d40e8b6f531e670885c45988d28b8

📦 LMES driver image: quay.io/trustyai/ta-lmes-driver:6cbe93c6711d40e8b6f531e670885c45988d28b8

📦 LMES job image: quay.io/trustyai/ta-lmes-job:6cbe93c6711d40e8b6f531e670885c45988d28b8

🗂️ CI manifests

@openshift-ci openshift-ci bot added the lgtm label Oct 14, 2024
yhwang
yhwang approved these changes Oct 14, 2024
View reviewed changes
Copy link
Collaborator

@yhwang yhwang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

one thought is: should the value be configurable or auto-detect based on the namespace's info of the job. Or if it could be removed. We can create a discussion issue for that.

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 14, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RobGeada, yhwang

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ruivieira
Copy link
Member Author

@yhwang I've removed the user id in #322 and in my testing it works fine. Letting OpenShift automatically assign the user id (based on SCC and the relevant namespace range) seems to be enough.

We can move any discussion to #322, but in the meantime I'm closing this PR.

@ruivieira ruivieira closed this Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yhwang yhwang yhwang approved these changes

@RobGeada RobGeada RobGeada approved these changes

Assignees

@ruivieira ruivieira

@yhwang yhwang

@RobGeada RobGeada

Labels
kind/bug Something isn't working lgtm lm-eval Issues related to LM-Eval ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

LMEvalJob pods crash do to SCC conflict with the initContainer
3 participants
@ruivieira @yhwang @RobGeada