diff --git a/.github/resources/manifests/base/driver-plugin-cm-path.yaml b/.github/resources/manifests/base/driver-plugin-cm-path.yaml new file mode 100644 index 00000000000..7da2bdd54b4 --- /dev/null +++ b/.github/resources/manifests/base/driver-plugin-cm-path.yaml @@ -0,0 +1,42 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ml-pipeline-driver-agent +data: + sidecar.container: | + name: driver-plugin + image: kind-registry:5000/driver:latest + imagePullPolicy: IfNotPresent + env: + - name: LOG_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: LOG_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + ports: + - containerPort: 8080 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: var-run-argo + mountPath: /kfp/log + readOnly: false diff --git a/.github/resources/manifests/kubernetes-native/default/kustomization.yaml b/.github/resources/manifests/kubernetes-native/default/kustomization.yaml index 20a754898c8..5000ca3a89a 100644 --- a/.github/resources/manifests/kubernetes-native/default/kustomization.yaml +++ b/.github/resources/manifests/kubernetes-native/default/kustomization.yaml @@ -42,6 +42,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: ../../base/grpc-specs.yaml target: kind: Deployment diff --git a/.github/resources/manifests/multiuser/artifact-proxy/kustomization.yaml b/.github/resources/manifests/multiuser/artifact-proxy/kustomization.yaml index fbc76e27771..d9ec52a14f8 100644 --- a/.github/resources/manifests/multiuser/artifact-proxy/kustomization.yaml 
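Review bot: The `securityContext` of the `driver-plugin` sidecar in `base/driver-plugin-cm-path.yaml` drops all capabilities and blocks privilege escalation but leaves the root filesystem writable. Adding `readOnlyRootFilesystem: true` would confine writes to the `/kfp/log` mount, assuming the driver writes nowhere else, which this hunk does not show. The same container receives the MinIO `accesskey`/`secretkey` through `LOG_ACCESS_KEY`/`LOG_SECRET_KEY` and exposes `containerPort: 8080`, so a short comment stating which component is expected to reach that port would help reviewers judge the exposure. `image: kind-registry:5000/driver:latest` is a mutable tag combined with `imagePullPolicy: IfNotPresent`, which can leave a stale image on a reused node. The `standalone/tls-enabled/driver-plugin-cm-path.yaml` copy has the same three points.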
+++ b/.github/resources/manifests/multiuser/artifact-proxy/kustomization.yaml @@ -46,6 +46,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: ../../base/grpc-specs.yaml target: kind: Deployment diff --git a/.github/resources/manifests/multiuser/cache-disabled/kustomization.yaml b/.github/resources/manifests/multiuser/cache-disabled/kustomization.yaml index ce8d85bcc36..02460224067 100644 --- a/.github/resources/manifests/multiuser/cache-disabled/kustomization.yaml +++ b/.github/resources/manifests/multiuser/cache-disabled/kustomization.yaml @@ -46,6 +46,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: cache-env.yaml target: kind: Deployment diff --git a/.github/resources/manifests/multiuser/default/kustomization.yaml b/.github/resources/manifests/multiuser/default/kustomization.yaml index 7151c53b506..cb3ae9d55ed 100644 --- a/.github/resources/manifests/multiuser/default/kustomization.yaml +++ b/.github/resources/manifests/multiuser/default/kustomization.yaml @@ -46,6 +46,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: ../../base/grpc-specs.yaml target: kind: Deployment diff --git a/.github/resources/manifests/standalone/cache-disabled-proxy/kustomization.yaml b/.github/resources/manifests/standalone/cache-disabled-proxy/kustomization.yaml index 3e41d8ee530..f8950444cf1 100644 --- a/.github/resources/manifests/standalone/cache-disabled-proxy/kustomization.yaml +++ b/.github/resources/manifests/standalone/cache-disabled-proxy/kustomization.yaml 
@@ -9,3 +9,7 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent diff --git a/.github/resources/manifests/standalone/cache-disabled/kustomization.yaml b/.github/resources/manifests/standalone/cache-disabled/kustomization.yaml index 9f6c63ef1e4..cc67d29b189 100644 --- a/.github/resources/manifests/standalone/cache-disabled/kustomization.yaml +++ b/.github/resources/manifests/standalone/cache-disabled/kustomization.yaml @@ -42,6 +42,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: cache-env.yaml target: kind: Deployment diff --git a/.github/resources/manifests/standalone/default/kustomization.yaml b/.github/resources/manifests/standalone/default/kustomization.yaml index 8572e632121..318abe08741 100644 --- a/.github/resources/manifests/standalone/default/kustomization.yaml +++ b/.github/resources/manifests/standalone/default/kustomization.yaml @@ -42,6 +42,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: ../../base/grpc-specs.yaml target: kind: Deployment diff --git a/.github/resources/manifests/standalone/proxy/kustomization.yaml b/.github/resources/manifests/standalone/proxy/kustomization.yaml index 4d432795d1e..fac247137b3 100644 --- a/.github/resources/manifests/standalone/proxy/kustomization.yaml +++ b/.github/resources/manifests/standalone/proxy/kustomization.yaml @@ -46,6 +46,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: ../../base/driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: ../../base/grpc-specs.yaml target: kind: Deployment 
diff --git a/.github/resources/manifests/standalone/tls-enabled/driver-plugin-cm-path.yaml b/.github/resources/manifests/standalone/tls-enabled/driver-plugin-cm-path.yaml new file mode 100644 index 00000000000..a37f6be0df6 --- /dev/null +++ b/.github/resources/manifests/standalone/tls-enabled/driver-plugin-cm-path.yaml @@ -0,0 +1,45 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ml-pipeline-driver-agent +data: + sidecar.container: | + name: driver-plugin + image: kind-registry:5000/driver:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + env: + - name: LOG_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: LOG_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: argo-workflows-agent-ca-certificates + mountPath: /kfp/certs + readOnly: true + - name: var-run-argo + mountPath: /kfp/log + readOnly: false diff --git a/.github/resources/manifests/standalone/tls-enabled/kustomization.yaml b/.github/resources/manifests/standalone/tls-enabled/kustomization.yaml index f7dba7acc6e..551b163214a 100644 --- a/.github/resources/manifests/standalone/tls-enabled/kustomization.yaml +++ b/.github/resources/manifests/standalone/tls-enabled/kustomization.yaml @@ -46,6 +46,10 @@ patches: target: kind: Deployment name: ml-pipeline + - path: driver-plugin-cm-path.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: ../../base/grpc-specs.yaml target: kind: Deployment diff --git a/.github/resources/scripts/collect-logs.sh b/.github/resources/scripts/collect-logs.sh index 89ea75324b1..95f9e0ea9f2 100755 --- a/.github/resources/scripts/collect-logs.sh 
+++ b/.github/resources/scripts/collect-logs.sh @@ -29,6 +29,15 @@ function check_namespace { return 0 } +function describe_argo_workflows { + local NAMESPACE=$1 + echo "===== Argo Workflows list =====" + kubectl describe wf -n "${NAMESPACE}" + echo "===== Argo Workflows data =====" + kubectl get events -n "${NAMESPACE}" --field-selector involvedObject.kind=Workflow --sort-by='.metadata.creationTimestamp' + echo "===============================" +} + function display_pod_info { local NAMESPACE=$1 @@ -52,7 +61,13 @@ function display_pod_info { kubectl describe pod "${POD_NAME}" -n "${NAMESPACE}" | grep -A 100 Events || echo "No events found for pod ${POD_NAME}." echo "----- LOGS -----" - kubectl logs "${POD_NAME}" -n "${NAMESPACE}" || echo "No logs found for pod ${POD_NAME}." + if [[ "${POD_NAME}" == *-agent* ]]; then + kubectl logs "${POD_NAME}" -n "${NAMESPACE}" -c driver-plugin || \ + echo "No logs found for pod ${POD_NAME}." + else + kubectl logs "${POD_NAME}" -n "${NAMESPACE}" || \ + echo "No logs found for pod ${POD_NAME}." + fi echo "===========================" echo "" @@ -64,6 +79,7 @@ function display_pod_info { if check_namespace "$NS"; then display_pod_info "$NS" + describe_argo_workflows "$NS" else exit 0 fi diff --git a/.github/resources/scripts/kfp-readiness/wait_for_pods.py b/.github/resources/scripts/kfp-readiness/wait_for_pods.py index fc67d5fda0e..fc604586585 100644 --- a/.github/resources/scripts/kfp-readiness/wait_for_pods.py +++ b/.github/resources/scripts/kfp-readiness/wait_for_pods.py @@ -30,7 +30,8 @@ def get_pod_statuses(): statuses = {} for pod in pods.items: pod_name = pod.metadata.name - if "system" not in pod_name: + # This filter is safe: 'ml-pipeline-persistenceagent-' will not be excluded and will be processed. + if not ("system" in pod_name or pod_name.endswith("-agent")): pod_status = pod.status.phase container_statuses = pod.status.container_statuses or [] ready = 0 
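Review bot: In `display_pod_info`, pods matching `*-agent*` now have only the `driver-plugin` container's logs collected, so the output of every other container in the pod is missing from the CI log when a run fails. `kubectl logs "${POD_NAME}" -n "${NAMESPACE}" --all-containers --prefix || \` would keep every stream and remove the need for the name-based branch. The glob also differs from the `pod_name.endswith("-agent")` test added to `wait_for_pods.py`, so the two scripts can disagree on which pods count as agent pods. In `describe_argo_workflows` the banner `Argo Workflows data` precedes an events query; `Argo Workflows events` would describe it accurately. The body of `display_pod_info` continues outside the hunk.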
diff --git a/.github/workflows/api-server-tests.yml b/.github/workflows/api-server-tests.yml index 423f82eafd5..db0659400fa 100644 --- a/.github/workflows/api-server-tests.yml +++ b/.github/workflows/api-server-tests.yml @@ -111,7 +111,7 @@ jobs: shell: bash if: ${{ matrix.pod_to_pod_tls_enabled == 'true'}} run: | - kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt" + kubectl get secret argo-workflows-agent-ca-certificates -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt" echo "CA_CERT_PATH=${{ github.workspace }}/ca.crt" >> "$GITHUB_ENV" diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 6a2bfdeed2a..e216cba41de 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -115,7 +115,7 @@ jobs: shell: bash if: ${{ matrix.pod_to_pod_tls_enabled == 'true'}} run: | - kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt" + kubectl get secret argo-workflows-agent-ca-certificates -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt" echo "CA_CERT_PATH=${{ github.workspace }}/ca.crt" >> "$GITHUB_ENV" - name: Configure Input Variables shell: bash diff --git a/.github/workflows/legacy-v2-api-integration-tests.yml b/.github/workflows/legacy-v2-api-integration-tests.yml index 1551dd0e27f..e3aea45d02c 100644 --- a/.github/workflows/legacy-v2-api-integration-tests.yml +++ b/.github/workflows/legacy-v2-api-integration-tests.yml 
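Review bot: The step in `api-server-tests.yml` writes `ca.crt` from the `argo-workflows-agent-ca-certificates` secret without checking that anything was written. If that secret has no `ca.crt` key, the jsonpath prints nothing, `kubectl get` by default still exits 0, and `CA_CERT_PATH` ends up pointing at an empty file. Adding `test -s "${{ github.workspace }}/ca.crt"` after the redirect would make the step fail at the cause rather than in a later TLS handshake. The same line is changed in `e2e-test.yml` and `legacy-v2-api-integration-tests.yml`; the rest of each step lies outside the hunk.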
@@ -79,7 +79,7 @@ jobs: shell: bash if: ${{ matrix.pod_to_pod_tls_enabled == 'true' }} run: | - kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt" + kubectl get secret argo-workflows-agent-ca-certificates -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt" echo "CA_CERT_PATH=${{ github.workspace }}/ca.crt" >> "$GITHUB_ENV" - name: Forward MLMD port diff --git a/backend/Dockerfile.driver b/backend/Dockerfile.driver index d68c1fe1369..a813204a77d 100644 --- a/backend/Dockerfile.driver +++ b/backend/Dockerfile.driver @@ -27,7 +27,7 @@ RUN GO111MODULE=on go mod download COPY . . -RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux go build -tags netgo -gcflags="${GCFLAGS}" -ldflags '-extldflags "-static"' -o /bin/driver ./backend/src/v2/cmd/driver/*.go +RUN GO111MODULE=on CGO_ENABLED=0 GOOS=linux go build -tags netgo -gcflags="${GCFLAGS}" -ldflags '-extldflags "-static"' -o /bin/driver ./backend/src/driver/*.go FROM alpine:3.21 diff --git a/backend/src/common/util/context_logger.go b/backend/src/common/util/context_logger.go new file mode 100644 index 00000000000..0240e819dde --- /dev/null +++ b/backend/src/common/util/context_logger.go 
@@ -0,0 +1,73 @@
+package util
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "os"
+
+ "github.com/sirupsen/logrus"
+)
+
+type CtxKey string
+
+const (
+ contextLoggerKey CtxKey = "driver_log_key"
+)
+
+func newFileLogger(logFile string) (*logrus.Logger, io.Closer, error) {
+ f, err := os.Create(logFile)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ logger := logrus.New()
+ logger.Out = io.MultiWriter(os.Stdout, f)
+ logger.Formatter = &logrus.TextFormatter{}
+ return logger, f, nil
+}
+
+// WithExistingLogger For testing only
+func WithExistingLogger(ctx context.Context, logger *logrus.Logger) context.Context {
+ return context.WithValue(ctx, contextLoggerKey, logger)
+}
+
+func WithLogger(ctx context.Context, logFile string) (context.Context, io.Closer, error) {
+ if ctx == nil {
+ return nil, nil, fmt.Errorf(
+ "error during creation of the logger for logId: %v. ctx can not be nil",
+ logFile,
+ )
+ }
+
+ if GetLoggerFrom(ctx) != nil {
+ return nil, nil, fmt.Errorf("logger already exists in context")
+ }
+
+ logger, f, err := newFileLogger(logFile)
+ if err != nil {
+ return nil, nil, fmt.Errorf(
+ "error during creation of the logger for logId: %v details: %w",
+ logFile,
+ err,
+ )
+ }
+
+ ctx = context.WithValue(ctx, contextLoggerKey, logger)
+
+ return ctx, f, nil
+}
+
+func GetLoggerFrom(ctx context.Context) *logrus.Logger {
+ v := ctx.Value(contextLoggerKey)
+ if v == nil {
+ return nil
+ }
+
+ logger, ok := v.(*logrus.Logger)
+ if !ok {
+ return nil
+ }
+
+ return logger
+}
diff --git a/backend/src/driver/api/request.go b/backend/src/driver/api/request.go
new file mode 100644
index 00000000000..11942b1cbd4
--- /dev/null
+++ b/backend/src/driver/api/request.go
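Review bot: `newFileLogger` in `context_logger.go` opens the log with `os.Create(logFile)`, which truncates any existing file, follows symlinks and creates it with mode 0666 before umask, and the caller-supplied `logFile` is not checked anywhere in this file. If the path is derived from request data (the call sites are outside this hunk), it should be cleaned and confirmed to stay under the log directory before opening, and the file opened with `os.OpenFile(logFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)`. `WithLogger` guards against a nil `ctx`, but the exported `GetLoggerFrom` calls `ctx.Value` unguarded and will panic on a nil context. The error strings say `logId` although the value printed is the file path, and the exported identifiers other than `WithExistingLogger` have no doc comments.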
@@ -0,0 +1,69 @@ +// Copyright 2025 The Kubeflow Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package api provides HTTP DTOs used by the driver server. +package api + +type DriverPluginArgs struct { + CachedDecisionPath string `json:"cached_decision_path"` + Component string `json:"component,omitempty"` + Container string `json:"container,omitempty"` + DagExecutionID string `json:"dag_execution_id"` + IterationIndex string `json:"iteration_index"` + HTTPProxy string `json:"http_proxy"` + HTTPSProxy string `json:"https_proxy"` + NoProxy string `json:"no_proxy"` + KubernetesConfig string `json:"kubernetes_config,omitempty"` + RuntimeConfig string `json:"runtime_config,omitempty"` + PipelineName string `json:"pipeline_name"` + PublishLogs string `json:"publish_logs,omitempty"` + RunID string `json:"run_id"` + RunName string `json:"run_name"` + RunDisplayName string `json:"run_display_name"` + TaskName string `json:"task_name"` + Task string `json:"task"` + Type string `json:"type"` + CacheDisabledFlag bool `json:"cache_disabled"` + ExecutionIDPath string `json:"execution_id_path"` + IterationCountPath string `json:"iteration_count_path"` + ConditionPath string `json:"condition_path"` + PodSpecPatchPath string `json:"pod_spec_patch_path"` + MLMDServerAddress string `json:"mlmd_server_address"` + MLMDServerPort string `json:"mlmd_server_port"` + MlPipelineServerAddress string `json:"ml_pipeline_server_address"` + MlPipelineServerPort string 
`json:"ml_pipeline_server_port"` + MlPipelineTLSEnabled bool `json:"ml_pipeline_tls_enabled"` + MetadataTLSEnabled bool `json:"metadata_tls_enabled"` + CACertPath string `json:"ca_cert_path"` + LogLevel string `json:"log_level"` + DefaultRunAsUser *int64 `json:"default_run_as_user,omitempty"` + DefaultRunAsGroup *int64 `json:"default_run_as_group,omitempty"` + DefaultRunAsNonRoot string `json:"default_run_as_non_root,omitempty"` +} + +type DriverPlugin struct { + DriverPlugin *DriverPluginContainer `json:"driver-plugin"` +} + +type DriverPluginContainer struct { + Args *DriverPluginArgs `json:"args"` +} + +type DriverTemplate struct { + Plugin *DriverPlugin `json:"plugin"` +} + +type DriverRequest struct { + Template *DriverTemplate `json:"template"` +} diff --git a/backend/src/driver/api/response.go b/backend/src/driver/api/response.go new file mode 100644 index 00000000000..d2f63e9b9a8 --- /dev/null +++ b/backend/src/driver/api/response.go @@ -0,0 +1,34 @@ +// Copyright 2025 The Kubeflow Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package api + +type DriverResponse struct { + Node Node `json:"node"` +} + +type Node struct { + Phase string `json:"phase"` + Outputs Outputs `json:"outputs"` + Message string `json:"message"` +} + +type Outputs struct { + Parameters []Parameter `json:"parameters"` +} + +type Parameter struct { + Name string `json:"name"` + Value string `json:"value"` +} 
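Review bot: `DriverPluginArgs` in `request.go` takes file paths (`cached_decision_path`, `execution_id_path`, `iteration_count_path`, `condition_path`, `pod_spec_patch_path`, `ca_cert_path`) and server addresses straight from the JSON body, and nothing on the type says which values are trusted. A doc comment on the struct stating that every field is caller-controlled would make the trust boundary explicit. So would a single validation step in the handler (outside this hunk) that rejects paths escaping the expected output directory. `DefaultRunAsNonRoot` is a `string` while the neighbouring flags (`CacheDisabledFlag`, `MlPipelineTLSEnabled`, `MetadataTLSEnabled`) are `bool`; if the tri-state is intentional, a field comment should say so.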
diff --git a/backend/src/driver/execution_paths.go b/backend/src/driver/execution_paths.go
new file mode 100644
index 00000000000..20dd6bb1d9e
--- /dev/null
+++ b/backend/src/driver/execution_paths.go
@@ -0,0 +1,23 @@
+// Copyright 2025 The Kubeflow Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+type ExecutionPaths struct {
+ ExecutionID string
+ IterationCount string
+ CachedDecision string
+ Condition string
+ PodSpecPatch string
+}
diff --git a/backend/src/driver/main.go b/backend/src/driver/main.go
new file mode 100644
index 00000000000..877b5e06532
--- /dev/null
+++ b/backend/src/driver/main.go
@@ -0,0 +1,169 @@
+// Copyright 2021-2023 The Kubeflow Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+ "bytes"
+ "crypto/tls"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "net/http"
+
+ "google.golang.org/protobuf/encoding/protojson"
+
+ "github.com/kubeflow/pipelines/backend/src/common/util"
+
+ "os"
+ "path/filepath"
+ "strconv"
+
+ "github.com/golang/glog"
+ "github.com/kubeflow/pipelines/backend/src/v2/driver"
+ "github.com/kubeflow/pipelines/backend/src/v2/metadata"
+ "github.com/kubeflow/pipelines/kubernetes_platform/go/kubernetesplatform"
+)
+
+const (
+ unsetProxyArgValue = "unset"
+ RootDag = "ROOT_DAG"
+ DAG = "DAG"
+ CONTAINER = "CONTAINER"
+)
+
+var (
+ logLevel = flag.String("log_level", "1", "The verbosity level to log.")
+ serverPort = flag.String("server_port", ":8080", "Server port")
+)
+
+func main() {
+ flag.Parse()
+
+ glog.Infof("Setting log level to: '%s'", *logLevel)
+ err := flag.Set("v", *logLevel)
+ if err != nil {
+ glog.Warningf("Failed to set log level: %s", err.Error())
+ }
+
+ http.HandleFunc("/api/v1/template.execute", ExecutePlugin)
+ glog.Infof("Server started at http://localhost%v", *serverPort)
+ err = http.ListenAndServe(*serverPort, nil)
+ if err != nil {
+ glog.Warningf("Failed to start http server: %s", err.Error())
+ }
+}
+
+// Use WARNING default logging level to facilitate troubleshooting.
+func init() { + flag.Set("logtostderr", "true") + // Change the WARNING to INFO level for debugging. + flag.Set("stderrthreshold", "WARNING") +} + +func parseExecConfigJSON(k8sExecConfigJSON *string) (*kubernetesplatform.KubernetesExecutorConfig, error) { + var k8sExecCfg *kubernetesplatform.KubernetesExecutorConfig + if *k8sExecConfigJSON != "" { + k8sExecCfg = &kubernetesplatform.KubernetesExecutorConfig{} + if err := util.UnmarshalString(*k8sExecConfigJSON, k8sExecCfg); err != nil { + return nil, fmt.Errorf("failed to unmarshal Kubernetes config, error: %w\nKubernetesConfig: %v", err, k8sExecConfigJSON) + } + } + return k8sExecCfg, nil +} + +func handleExecution(execution *driver.Execution, driverType string, executionPaths *ExecutionPaths) error { + if execution.ID != 0 { + glog.Infof("output execution.ID=%v", execution.ID) + if executionPaths.ExecutionID != "" { + if err := writeFile(executionPaths.ExecutionID, []byte(fmt.Sprint(execution.ID))); err != nil { + return fmt.Errorf("failed to write execution ID to file: %w", err) + } + } + } + if execution.IterationCount != nil { + if err := writeFile(executionPaths.IterationCount, []byte(fmt.Sprintf("%v", *execution.IterationCount))); err != nil { + return fmt.Errorf("failed to write iteration count to file: %w", err) + } + } else { + if driverType == RootDag { + if err := writeFile(executionPaths.IterationCount, []byte("0")); err != nil { + return fmt.Errorf("failed to write iteration count to file: %w", err) + } + } + } + if execution.Cached != nil { + if err := writeFile(executionPaths.CachedDecision, []byte(strconv.FormatBool(*execution.Cached))); err != nil { + return fmt.Errorf("failed to write cached decision to file: %w", err) + } + } + if execution.Condition != nil { + if err := writeFile(executionPaths.Condition, []byte(strconv.FormatBool(*execution.Condition))); err != nil { + return fmt.Errorf("failed to write condition to file: %w", err) + } + } else { + // nil is a valid value for Condition + if 
driverType == RootDag || driverType == CONTAINER { + if err := writeFile(executionPaths.Condition, []byte("nil")); err != nil { + return fmt.Errorf("failed to write condition to file: %w", err) + } + } + } + if execution.PodSpecPatch != "" { + glog.Infof("output podSpecPatch=\n%s\n", execution.PodSpecPatch) + if executionPaths.PodSpecPatch == "" { + return fmt.Errorf("--pod_spec_patch_path is required for container executor drivers") + } + if err := writeFile(executionPaths.PodSpecPatch, []byte(execution.PodSpecPatch)); err != nil { + return fmt.Errorf("failed to write pod spec patch to file: %w", err) + } + } + if execution.ExecutorInput != nil { + executorInputBytes, err := protojson.Marshal(execution.ExecutorInput) + if err != nil { + return fmt.Errorf("failed to marshal ExecutorInput to JSON: %w", err) + } + executorInputJSON := string(executorInputBytes) + glog.Infof("output ExecutorInput:%s\n", prettyPrint(executorInputJSON)) + } + return nil +} + +func prettyPrint(jsonStr string) string { + var prettyJSON bytes.Buffer + err := json.Indent(&prettyJSON, []byte(jsonStr), "", " ") + if err != nil { + return jsonStr + } + return prettyJSON.String() +} + +func writeFile(path string, data []byte) (err error) { + if path == "" { + return fmt.Errorf("path is not specified") + } + defer func() { + if err != nil { + err = fmt.Errorf("failed to write to %s: %w", path, err) + } + }() + if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { + return err + } + return os.WriteFile(path, data, 0o644) +} + +func newMlmdClient(mlmdServerAddress string, mlmdServerPort string, tlsCfg *tls.Config) (*metadata.Client, error) { + return metadata.NewClient(mlmdServerAddress, mlmdServerPort, tlsCfg) +} diff --git a/backend/src/v2/cmd/driver/main_test.go b/backend/src/driver/main_test.go similarity index 81% rename from backend/src/v2/cmd/driver/main_test.go rename to backend/src/driver/main_test.go index ad15a7b00e9..23355c0c94b 100644 
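Review bot: `main` in `main.go` serves `/api/v1/template.execute` with `http.ListenAndServe(*serverPort, nil)`: the default `:8080` binds every interface, the transport is plain HTTP with no read or header timeouts, and a bind failure is only logged with `glog.Warningf`, so the process exits 0. An explicit `http.Server` with timeouts and a non-zero exit on failure is sketched below; the timeout values are placeholders and the `time` import would need adding. In `parseExecConfigJSON` the error formats the pointer `k8sExecConfigJSON` rather than `*k8sExecConfigJSON`, so the message prints an address instead of the config. `writeFile` creates directories with 0o755 and files with 0o644 at paths `handleExecution` takes from `ExecutionPaths`; tighter modes would fit if only the driver's own pod reads them, which is not visible here.

```go
// … unchanged: flag parsing, log level setup, http.HandleFunc registration …
srv := &http.Server{
	Addr:              *serverPort,
	ReadHeaderTimeout: 10 * time.Second, // placeholder value
	ReadTimeout:       30 * time.Second, // placeholder value
}
if err := srv.ListenAndServe(); err != nil {
	glog.Exitf("Failed to start http server: %v", err)
}
```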
--- a/backend/src/v2/cmd/driver/main_test.go +++ b/backend/src/driver/main_test.go @@ -1,3 +1,17 @@ +// Copyright 2025 The Kubeflow Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -45,7 +59,7 @@ func TestSpecParsing(t *testing.T) { for _, tc := range tt { t.Logf("Running test case: %s", tc.name) - cfg, err := parseExecConfigJson(tc.input) + cfg, err := parseExecConfigJSON(tc.input) assert.Equal(t, tc.wantErr, err != nil) assert.True(t, proto.Equal(tc.expected, cfg)) } @@ -77,7 +91,7 @@ func Test_handleExecutionRootDAG(t *testing.T) { Condition: "condition.txt", } - err := handleExecution(execution, ROOT_DAG, executionPaths) + err := handleExecution(execution, RootDag, executionPaths) if err != nil { t.Errorf("Unexpected error: %v", err) diff --git a/backend/src/driver/rpc_handler.go b/backend/src/driver/rpc_handler.go new file mode 100644 index 00000000000..88ed2e3250b --- /dev/null +++ b/backend/src/driver/rpc_handler.go 
@@ -0,0 +1,463 @@ +// Copyright 2025 The Kubeflow Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "context" + "crypto/tls" + "encoding/json" + "fmt" + "io" + "net/http" + "os" + "strconv" + "strings" + "time" + + "github.com/golang/glog" + "github.com/google/uuid" + "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" + "github.com/kubeflow/pipelines/backend/src/apiserver/config/proxy" + "github.com/kubeflow/pipelines/backend/src/common/util" + "github.com/kubeflow/pipelines/backend/src/driver/api" + "github.com/kubeflow/pipelines/backend/src/v2/cacheutils" + "github.com/kubeflow/pipelines/backend/src/v2/config" + "github.com/kubeflow/pipelines/backend/src/v2/driver" + "github.com/kubeflow/pipelines/backend/src/v2/metadata" + "github.com/kubeflow/pipelines/backend/src/v2/objectstore" + "google.golang.org/protobuf/encoding/protojson" + "k8s.io/client-go/kubernetes" +) + +type driverLogArtifactContext struct { + Execution *driver.Execution + Task string + LocalPath string + OutputPathPrefix string + Namespace string + PipelineRoot string + StoreSessionInfo string + LogID string +} + +func ExecutePlugin(w http.ResponseWriter, r *http.Request) { + defer func(Body io.ReadCloser) { + err := Body.Close() + if err != nil { + glog.Errorf("Error closing response body: %v", err) + } + }(r.Body) + + if r.Method != http.MethodPost { + http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) + return + } + 
glog.Infof("Received request to execute plugin: %v", r) + args, err := parseDriverRequestArgs(r) + if err != nil { + glog.Errorf("Failed to parse driver request args: %v", err) + http.Error(w, err.Error(), http.StatusBadRequest) + return + } + if args == nil { + glog.Errorf("Failed to parse driver request args: nil") + http.Error(w, "Driver plugin requires at least one argument", http.StatusBadRequest) + return + } + execution, err := drive(*args) + outputs := extractOutputParameters(execution, args.Type) + if err != nil { + glog.Errorf("unable to drive execution: %v", err) + resp := api.DriverResponse{ + Node: api.Node{ + Phase: "Failed", + Outputs: api.Outputs{ + Parameters: outputs, + }, + Message: fmt.Sprintf("unable to drive execution: %v", err), + }, + } + WriteJSONResponse(w, resp) + return + } + if execution != nil && execution.ExecutorInput != nil { + executorInputBytes, err := protojson.Marshal(execution.ExecutorInput) + if err != nil { + WriteJSONResponse(w, api.DriverResponse{ + Node: api.Node{ + Phase: "Failed", + Outputs: api.Outputs{ + Parameters: outputs, + }, + Message: fmt.Sprintf("unable to drive execution: failed to marshal ExecutorInput to JSON: %v", err), + }, + }) + return + } + executorInputJSON := string(executorInputBytes) + glog.Infof("output ExecutorInput:%s\n", prettyPrint(executorInputJSON)) + } + resp := api.DriverResponse{ + Node: api.Node{ + Phase: "Succeeded", + Outputs: api.Outputs{ + Parameters: outputs, + }, + }, + } + WriteJSONResponse(w, resp) +} + +func parseDriverRequestArgs(r *http.Request) (*api.DriverPluginArgs, error) { + var body api.DriverRequest + if err := json.NewDecoder(r.Body).Decode(&body); err != nil { + return nil, fmt.Errorf("failed to parse driver request body: %v", err) + } + switch { + case body.Template == nil: + return nil, fmt.Errorf("driver request body.Template is empty") + case body.Template.Plugin == nil: + return nil, fmt.Errorf("driver request body.Template.Plugin is empty") + case 
body.Template.Plugin.DriverPlugin == nil: + return nil, fmt.Errorf("driver request body.Template.Plugin.DriverPlugin is empty") + case body.Template.Plugin.DriverPlugin.Args == nil: + return nil, fmt.Errorf("driver request body.Template.Plugin.Args is empty") + } + args := body.Template.Plugin.DriverPlugin.Args + if err := validate(*args); err != nil { + return nil, err + } + return body.Template.Plugin.DriverPlugin.Args, nil +} + +func drive(args api.DriverPluginArgs) (execution *driver.Execution, err error) { + defer func() { + if err != nil { + err = fmt.Errorf("KFP driver: %w", err) + } + }() + var ( + pipelineRoot string + storeSessionInfo string + namespace string + outputPathPrefix string + ) + var pipeline *metadata.Pipeline + logID := fmt.Sprintf("%d-%v-%v-%v", time.Now().UnixMilli(), args.IterationIndex, args.Type, args.TaskName) + logDir := "/kfp/log" + logFile := fmt.Sprintf("%s/%s.log", logDir, logID) + ctx, f, err := util.WithLogger(context.Background(), logFile) + if err != nil { + return nil, fmt.Errorf("failed to create driver logger: %v", err) + } + defer func() { + removeErr := os.Remove(logFile) + if removeErr != nil { + glog.Errorf("Failed to remove processed log file: %v", removeErr) + } + }() + defer func() { + if pipelineRoot != "" { + logContext := &driverLogArtifactContext{ + Execution: execution, + Task: args.TaskName, + LocalPath: logFile, + LogID: logID, + Namespace: namespace, + PipelineRoot: pipelineRoot, + StoreSessionInfo: storeSessionInfo, + OutputPathPrefix: outputPathPrefix, + } + uploadErr := uploadDriverLogArtifact(ctx, logContext) + if uploadErr != nil { + glog.Errorf("Failed to upload driver-logs artifact: %v", uploadErr) + } + } + }() + defer func() { + if f != nil { + closeErr := f.Close() + if closeErr != nil { + glog.Errorf("Failed to close file: %v", closeErr) + } + } + }() + + log := util.GetLoggerFrom(ctx) + + log.Infof("driver plugin arguments: %v", args) + // Support reading component spec from a file if value starts 
with @ + // This bypasses exec() argument size limits for large workflows + if strings.HasPrefix(args.Component, "@") { + filePath := (args.Component)[1:] // Remove the "@" prefix + data, err := os.ReadFile(filePath) + if err != nil { + return nil, fmt.Errorf("failed to read component spec from file %s: %w", filePath, err) + } + args.Component = string(data) + log.Infof("Read component spec from file: %s (%d bytes)", filePath, len(data)) + } + + proxy.InitializeConfig(args.HTTPProxy, args.HTTPSProxy, args.NoProxy) + + log.Infof("input ComponentSpec:%s\n", prettyPrint(args.Component)) + componentSpec := &pipelinespec.ComponentSpec{} + if err := util.UnmarshalString(args.Component, componentSpec); err != nil { + return nil, fmt.Errorf("failed to unmarshal component spec, error: %w\ncomponentSpec: %v", err, prettyPrint(args.Component)) + } + var taskSpec *pipelinespec.PipelineTaskSpec + if args.Task != "" { + log.Infof("input TaskSpec:%s\n", prettyPrint(args.Task)) + taskSpec = &pipelinespec.PipelineTaskSpec{} + if err := util.UnmarshalString(args.Task, taskSpec); err != nil { + return nil, fmt.Errorf("failed to unmarshal task spec, error: %w\ntask: %v", err, args.Task) + } + } + + containerSpec := &pipelinespec.PipelineDeploymentConfig_PipelineContainerSpec{} + if args.Container != "" { + log.Infof("input ContainerSpec:%s\n", prettyPrint(args.Container)) + if err := util.UnmarshalString(args.Container, containerSpec); err != nil { + return nil, fmt.Errorf("failed to unmarshal container spec, error: %w\ncontainerSpec: %v", err, args.Container) + } + } + var runtimeConfig *pipelinespec.PipelineJob_RuntimeConfig + if args.RuntimeConfig != "" { + log.Infof("input RuntimeConfig:%s\n", prettyPrint(args.RuntimeConfig)) + runtimeConfig = &pipelinespec.PipelineJob_RuntimeConfig{} + if err := util.UnmarshalString(args.RuntimeConfig, runtimeConfig); err != nil { + return nil, fmt.Errorf("failed to unmarshal runtime config, error: %w\nruntimeConfig: %v", err, args.RuntimeConfig) 
+ } + } + if args.KubernetesConfig != "" { + log.Infof("input kubernetesConfig:%s\n", prettyPrint(args.KubernetesConfig)) + } + k8sExecCfg, err := parseExecConfigJSON(&args.KubernetesConfig) + if err != nil { + return nil, err + } + namespace, err = config.InPodNamespace() + if err != nil { + return nil, err + } + var tlsCfg *tls.Config + if args.MetadataTLSEnabled { + tlsCfg, err = util.GetTLSConfig(args.CACertPath) + if err != nil { + return nil, fmt.Errorf("unable to drive driver: failed to load TLS configuration: %v", err) + } + } + client, err := newMlmdClient(args.MLMDServerAddress, args.MLMDServerPort, tlsCfg) + if err != nil { + return nil, err + } + cacheClient, err := cacheutils.NewClient(args.MlPipelineServerAddress, args.MlPipelineServerPort, args.CacheDisabledFlag, tlsCfg) + if err != nil { + return nil, err + } + + dagExecutionID, err := strconv.ParseInt(args.DagExecutionID, 10, 64) + if err != nil { + return nil, fmt.Errorf("failed to parse dag execution id, error: %w", err) + } + iterationIndex, err := strconv.Atoi(args.IterationIndex) + if err != nil { + return nil, fmt.Errorf("failed to parse iteration index, error: %w", err) + } + options := driver.Options{ + PipelineName: args.PipelineName, + RunID: args.RunID, + RunName: args.RunName, + RunDisplayName: args.RunDisplayName, + Namespace: namespace, + Component: componentSpec, + Task: taskSpec, + DAGExecutionID: dagExecutionID, + IterationIndex: iterationIndex, + PipelineLogLevel: args.LogLevel, + PublishLogs: args.PublishLogs, + CacheDisabled: args.CacheDisabledFlag, + DriverType: args.Type, + TaskName: args.TaskName, + MLPipelineServerAddress: args.MlPipelineServerAddress, + MLPipelineServerPort: args.MlPipelineServerPort, + MLPipelineTLSEnabled: args.MlPipelineTLSEnabled, + MLMDServerAddress: args.MLMDServerAddress, + MLMDServerPort: args.MLMDServerPort, + MLMDTLSEnabled: args.MetadataTLSEnabled, + CaCertPath: args.CACertPath, + } + + var driverErr error + switch args.Type { + case RootDag: + 
options.RuntimeConfig = runtimeConfig + execution, pipeline, driverErr = driver.RootDAG(ctx, options, client) + if driverErr != nil { + return nil, err + } + pipelineRoot = pipeline.GetPipelineRoot() + storeSessionInfo = pipeline.GetStoreSessionInfo() + case DAG: + pipeline, driverErr = client.GetPipeline(ctx, options.PipelineName, options.RunID, "", "", "", "") + if driverErr != nil { + return nil, driverErr + } + pipelineRoot = pipeline.GetPipelineRoot() + storeSessionInfo = pipeline.GetStoreSessionInfo() + execution, driverErr = driver.DAG(ctx, pipeline, options, client) + case CONTAINER: + options.Container = containerSpec + options.KubernetesExecutorConfig = k8sExecCfg + if args.DefaultRunAsUser != nil && *args.DefaultRunAsUser >= 0 { + options.DefaultRunAsUser = args.DefaultRunAsUser + } + if args.DefaultRunAsGroup != nil && *args.DefaultRunAsGroup >= 0 { + options.DefaultRunAsGroup = args.DefaultRunAsGroup + } + if args.DefaultRunAsNonRoot != "" { + v, err := strconv.ParseBool(args.DefaultRunAsNonRoot) + if err == nil { + options.DefaultRunAsNonRoot = &v + } + } + pipeline, driverErr = client.GetPipeline(ctx, options.PipelineName, options.RunID, "", "", "", "") + if driverErr != nil { + return nil, driverErr + } + pipelineRoot = pipeline.GetPipelineRoot() + storeSessionInfo = pipeline.GetStoreSessionInfo() + outputPathPrefix = uuid.NewString() + execution, driverErr = driver.Container(ctx, pipeline, options, client, cacheClient, outputPathPrefix) + default: + err = fmt.Errorf("unknown driverType %s", args.Type) + } + if driverErr != nil { + log.Errorf("driver execution failed with error: %v", driverErr) + if execution == nil { + return nil, driverErr + } + defer func() { + // Override error with driver error, because driver error is more important. + // However, we continue running, because the following code prints debug info that + // may be helpful for figuring out why this failed. 
+ err = driverErr + }() + } + + return execution, nil +} + +func uploadDriverLogArtifact(ctx context.Context, logContext *driverLogArtifactContext) error { + if logContext == nil { + return fmt.Errorf("logContext is nil") + } + if logContext.PipelineRoot != "" { + restConfig, err := util.GetKubernetesConfig() + if err != nil { + return fmt.Errorf("failed to get kubernetes config: %v", err) + } + k8sClient, err := kubernetes.NewForConfig(restConfig) + if err != nil { + return fmt.Errorf("failed to initialize kubernetes client set: %w", err) + } + session, err := objectstore.GetSessionInfoFromString(logContext.StoreSessionInfo) + if err != nil { + return fmt.Errorf("failed to get session info from store: %v", err) + } + bucketConfig, err := objectstore.ParseBucketConfig(logContext.PipelineRoot, session) + if err != nil { + return fmt.Errorf("failed to parse bucket config: %v", err) + } + bucket, err := objectstore.OpenBucket(ctx, k8sClient, logContext.Namespace, bucketConfig) + if err != nil { + return fmt.Errorf("failed to open bucket: %v", err) + } + key := fmt.Sprintf("driver/%s-logs", logContext.LogID) + if logContext.Execution != nil && logContext.OutputPathPrefix != "" { + key = fmt.Sprintf("%s/%s/driver-logs", logContext.Task, logContext.OutputPathPrefix) + } + glog.Infof("Uploading log key: %s ...", key) + err = objectstore.UploadBlob(ctx, bucket, logContext.LocalPath, key) + if err != nil { + return fmt.Errorf("failed to upload log: %v", err) + } + } + return nil +} + +func validate(args api.DriverPluginArgs) error { + switch { + case args.Type == "": + return fmt.Errorf("argument type must be specified") + case args.HTTPProxy == unsetProxyArgValue: + return fmt.Errorf("argument http_proxy is required but can be an empty value") + case args.HTTPSProxy == unsetProxyArgValue: + return fmt.Errorf("argument https_proxy is required but can be an empty value") + case args.NoProxy == unsetProxyArgValue: + return fmt.Errorf("argument no_proxy is required but can be 
an empty value") + } + return nil +} + +func extractOutputParameters(execution *driver.Execution, driverType string) []api.Parameter { + if execution == nil { + return []api.Parameter{} + } + var outputs []api.Parameter + if execution.ID != 0 { + outputs = append(outputs, api.Parameter{ + Name: "execution-id", + Value: fmt.Sprint(execution.ID), + }) + } + switch { + case execution.IterationCount != nil: + outputs = append(outputs, api.Parameter{ + Name: "iteration-count", + Value: fmt.Sprint(*execution.IterationCount), + }) + case driverType == RootDag: + outputs = append(outputs, api.Parameter{ + Name: "iteration-count", + Value: "0", + }) + } + if execution.Cached != nil { + outputs = append(outputs, api.Parameter{ + Name: "cached-decision", + Value: strconv.FormatBool(*execution.Cached), + }) + } + if execution.Condition != nil { + outputs = append(outputs, api.Parameter{ + Name: "condition", + Value: strconv.FormatBool(*execution.Condition), + }) + } + outputs = append(outputs, api.Parameter{ + Name: "pod-spec-patch", + Value: execution.PodSpecPatch, + }) + return outputs +} + +func WriteJSONResponse(w http.ResponseWriter, payload api.DriverResponse) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(200) + if err := json.NewEncoder(w).Encode(payload); err != nil { + http.Error(w, "failed to encode response", http.StatusInternalServerError) + } +} diff --git a/backend/src/v2/cmd/driver/execution_paths.go b/backend/src/v2/cmd/driver/execution_paths.go deleted file mode 100644 index 584d29065d5..00000000000 --- a/backend/src/v2/cmd/driver/execution_paths.go +++ /dev/null @@ -1,9 +0,0 @@ -package main - -type ExecutionPaths struct { - ExecutionID string - IterationCount string - CachedDecision string - Condition string - PodSpecPatch string -} diff --git a/backend/src/v2/cmd/driver/main.go b/backend/src/v2/cmd/driver/main.go deleted file mode 100644 index 371af7c6b3a..00000000000 --- a/backend/src/v2/cmd/driver/main.go +++ /dev/null 
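Review bot: In the new `rpc_handler.go`, `ExecutePlugin` logs the whole request with `%v`, which prints every header, so any `Authorization` value the caller sends is written to the sidecar log; log `r.Method` and `r.URL.Path` instead. In `drive`, the `@` branch now takes its file path from the HTTP request body rather than from a CLI flag, and the file's contents are then written to the driver log and embedded in the unmarshal error that `ExecutePlugin` returns as `Message`, so I would reject `@` values here (or, if the compiler still emits them, confine the path to the single directory it writes to). Nothing visible in this file authenticates the caller or caps the body before `json.NewDecoder(r.Body)`; a check may live in the server setup outside this hunk, but if it does not, both belong in front of the handler. Separately, the `RootDag` case returns `nil, err` while `err` is still nil, and the `default` case assigns `err` only for the final `return execution, nil` to overwrite it, so both paths yield `(nil, nil)` and the response reports `Succeeded`; return `driverErr` and the unknown-type error directly.

```go
// in ExecutePlugin: log the method and path only, not the request struct
glog.Infof("Received request to execute plugin: %s %s", r.Method, r.URL.Path)
// … unchanged: parseDriverRequestArgs, drive, response building …

// in drive: the component spec must arrive inline in the request body
if strings.HasPrefix(args.Component, "@") {
	return nil, fmt.Errorf("component spec file references are not accepted by the driver plugin")
}
// … unchanged: proxy setup, spec unmarshalling, client creation, options …

	case RootDag:
		options.RuntimeConfig = runtimeConfig
		execution, pipeline, driverErr = driver.RootDAG(ctx, options, client)
		if driverErr != nil {
			return nil, driverErr
		}
	// … unchanged: DAG and CONTAINER cases …
	default:
		return nil, fmt.Errorf("unknown driverType %s", args.Type)
```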
@@ -1,384 +0,0 @@ -// Copyright 2021-2023 The Kubeflow Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -package main - -import ( - "bytes" - "context" - "crypto/tls" - "encoding/json" - "flag" - "fmt" - - "google.golang.org/protobuf/encoding/protojson" - - "github.com/kubeflow/pipelines/backend/src/apiserver/config/proxy" - "github.com/kubeflow/pipelines/backend/src/common/util" - - "os" - "path/filepath" - "strconv" - "strings" - - "github.com/golang/glog" - "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" - "github.com/kubeflow/pipelines/backend/src/v2/cacheutils" - "github.com/kubeflow/pipelines/backend/src/v2/config" - "github.com/kubeflow/pipelines/backend/src/v2/driver" - "github.com/kubeflow/pipelines/backend/src/v2/metadata" - "github.com/kubeflow/pipelines/kubernetes_platform/go/kubernetesplatform" -) - -const ( - driverTypeArg = "type" - httpProxyArg = "http_proxy" - httpsProxyArg = "https_proxy" - noProxyArg = "no_proxy" - unsetProxyArgValue = "unset" - ROOT_DAG = "ROOT_DAG" - DAG = "DAG" - CONTAINER = "CONTAINER" -) - -var ( - // inputs - driverType = flag.String(driverTypeArg, "", "task driver type, one of ROOT_DAG, DAG, CONTAINER") - pipelineName = flag.String("pipeline_name", "", "pipeline context name") - runID = flag.String("run_id", "", "pipeline run uid") - runName = flag.String("run_name", "", "pipeline run name (Kubernetes object name)") - runDisplayName = flag.String("run_display_name", "", "pipeline run display 
name") - componentSpecJson = flag.String("component", "{}", "component spec") - taskSpecJson = flag.String("task", "", "task spec") - runtimeConfigJson = flag.String("runtime_config", "", "jobruntime config") - iterationIndex = flag.Int("iteration_index", -1, "iteration index, -1 means not an interation") - taskName = flag.String("task_name", "", "original task name, used for proper input resolution in the container/dag driver") - - // container inputs - dagExecutionID = flag.Int64("dag_execution_id", 0, "DAG execution ID") - containerSpecJson = flag.String("container", "{}", "container spec") - k8sExecConfigJson = flag.String("kubernetes_config", "{}", "kubernetes executor config") - - // config - mlPipelineServerAddress = flag.String("ml_pipeline_server_address", "ml-pipeline", "The name of the ML pipeline API server address.") - mlPipelineServerPort = flag.String("ml_pipeline_server_port", "8887", "The port of the ML pipeline API server.") - mlmdServerAddress = flag.String("mlmd_server_address", "", "MLMD server address") - mlmdServerPort = flag.String("mlmd_server_port", "", "MLMD server port") - - // output paths - executionIDPath = flag.String("execution_id_path", "", "Exeucution ID output path") - iterationCountPath = flag.String("iteration_count_path", "", "Iteration Count output path") - podSpecPatchPath = flag.String("pod_spec_patch_path", "", "Pod Spec Patch output path") - // the value stored in the paths will be either 'true' or 'false' - cachedDecisionPath = flag.String("cached_decision_path", "", "Cached Decision output path") - conditionPath = flag.String("condition_path", "", "Condition output path") - logLevel = flag.String("log_level", "1", "The verbosity level to log.") - - // proxy - httpProxy = flag.String(httpProxyArg, unsetProxyArgValue, "The proxy for HTTP connections.") - httpsProxy = flag.String(httpsProxyArg, unsetProxyArgValue, "The proxy for HTTPS connections.") - noProxy = flag.String(noProxyArg, unsetProxyArgValue, "Addresses that 
should ignore the proxy.") - publishLogs = flag.String("publish_logs", "true", "Whether to publish component logs to the object store") - cacheDisabledFlag = flag.Bool("cache_disabled", false, "Disable cache globally.") - mlPipelineTLSEnabled = flag.Bool("ml_pipeline_tls_enabled", false, "Set to true if mlpipeline API server serves over TLS.") - metadataTLSEnabled = flag.Bool("metadata_tls_enabled", false, "Set to true if MLMD serves over TLS.") - caCertPath = flag.String("ca_cert_path", "", "The path to the CA certificate to trust on connections to the ML pipeline API server and metadata server.") - defaultRunAsUser = flag.Int64("default_run_as_user", -1, "Admin-configured default runAsUser for user containers. -1 means not set.") - defaultRunAsGroup = flag.Int64("default_run_as_group", -1, "Admin-configured default runAsGroup for user containers. -1 means not set.") - defaultRunAsNonRoot = flag.String("default_run_as_non_root", "", "Admin-configured default runAsNonRoot for user containers. Empty means not set.") -) - -// func RootDAG(pipelineName string, runID string, component *pipelinespec.ComponentSpec, task *pipelinespec.PipelineTaskSpec, mlmd *metadata.Client) (*Execution, error) { - -func main() { - flag.Parse() - - glog.Infof("Setting log level to: '%s'", *logLevel) - err := flag.Set("v", *logLevel) - if err != nil { - glog.Warningf("Failed to set log level: %s", err.Error()) - } - - err = drive() - if err != nil { - glog.Exitf("%v", err) - } -} - -// Use WARNING default logging level to facilitate troubleshooting. -func init() { - flag.Set("logtostderr", "true") - // Change the WARNING to INFO level for debugging. 
- flag.Set("stderrthreshold", "WARNING") -} - -func validate() error { - if *driverType == "" { - return fmt.Errorf("argument --%s must be specified", driverTypeArg) - } - if *httpProxy == unsetProxyArgValue { - return fmt.Errorf("argument --%s is required but can be an empty value", httpProxyArg) - } - if *httpsProxy == unsetProxyArgValue { - return fmt.Errorf("argument --%s is required but can be an empty value", httpsProxyArg) - } - if *noProxy == unsetProxyArgValue { - return fmt.Errorf("argument --%s is required but can be an empty value", noProxyArg) - } - // validation responsibility lives in driver itself, so we do not validate all other args - return nil -} - -func drive() (err error) { - defer func() { - if err != nil { - err = fmt.Errorf("KFP driver: %w", err) - } - }() - ctx := context.Background() - if err = validate(); err != nil { - return err - } - - // Support reading component spec from a file if value starts with @ - // This bypasses exec() argument size limits for large workflows - if strings.HasPrefix(*componentSpecJson, "@") { - filePath := (*componentSpecJson)[1:] // Remove the "@" prefix - data, err := os.ReadFile(filePath) - if err != nil { - return fmt.Errorf("failed to read component spec from file %s: %w", filePath, err) - } - *componentSpecJson = string(data) - glog.Infof("Read component spec from file: %s (%d bytes)", filePath, len(data)) - } - - proxy.InitializeConfig(*httpProxy, *httpsProxy, *noProxy) - glog.Infof("input ComponentSpec:%s\n", prettyPrint(*componentSpecJson)) - componentSpec := &pipelinespec.ComponentSpec{} - if err := util.UnmarshalString(*componentSpecJson, componentSpec); err != nil { - return fmt.Errorf("failed to unmarshal component spec, error: %w\ncomponentSpec: %v", err, prettyPrint(*componentSpecJson)) - } - var taskSpec *pipelinespec.PipelineTaskSpec - if *taskSpecJson != "" { - glog.Infof("input TaskSpec:%s\n", prettyPrint(*taskSpecJson)) - taskSpec = &pipelinespec.PipelineTaskSpec{} - if err := 
util.UnmarshalString(*taskSpecJson, taskSpec); err != nil { - return fmt.Errorf("failed to unmarshal task spec, error: %w\ntask: %v", err, taskSpecJson) - } - } - glog.Infof("input ContainerSpec:%s\n", prettyPrint(*containerSpecJson)) - containerSpec := &pipelinespec.PipelineDeploymentConfig_PipelineContainerSpec{} - if err := util.UnmarshalString(*containerSpecJson, containerSpec); err != nil { - return fmt.Errorf("failed to unmarshal container spec, error: %w\ncontainerSpec: %v", err, containerSpecJson) - } - var runtimeConfig *pipelinespec.PipelineJob_RuntimeConfig - if *runtimeConfigJson != "" { - glog.Infof("input RuntimeConfig:%s\n", prettyPrint(*runtimeConfigJson)) - runtimeConfig = &pipelinespec.PipelineJob_RuntimeConfig{} - if err := util.UnmarshalString(*runtimeConfigJson, runtimeConfig); err != nil { - return fmt.Errorf("failed to unmarshal runtime config, error: %w\nruntimeConfig: %v", err, runtimeConfigJson) - } - } - k8sExecCfg, err := parseExecConfigJson(k8sExecConfigJson) - if err != nil { - return err - } - namespace, err := config.InPodNamespace() - if err != nil { - return err - } - var tlsCfg *tls.Config - if *metadataTLSEnabled { - tlsCfg, err = util.GetTLSConfig(*caCertPath) - if err != nil { - return err - } - } - client, err := newMlmdClient(*mlmdServerAddress, *mlmdServerPort, tlsCfg) - if err != nil { - return err - } - cacheClient, err := cacheutils.NewClient(*mlPipelineServerAddress, *mlPipelineServerPort, *cacheDisabledFlag, tlsCfg) - if err != nil { - return err - } - options := driver.Options{ - PipelineName: *pipelineName, - RunID: *runID, - RunName: *runName, - RunDisplayName: *runDisplayName, - Namespace: namespace, - Component: componentSpec, - Task: taskSpec, - DAGExecutionID: *dagExecutionID, - IterationIndex: *iterationIndex, - PipelineLogLevel: *logLevel, - PublishLogs: *publishLogs, - CacheDisabled: *cacheDisabledFlag, - DriverType: *driverType, - TaskName: *taskName, - MLPipelineServerAddress: *mlPipelineServerAddress, - 
MLPipelineServerPort: *mlPipelineServerPort, - MLMDServerAddress: *mlmdServerAddress, - MLMDServerPort: *mlmdServerPort, - MLPipelineTLSEnabled: *mlPipelineTLSEnabled, - MLMDTLSEnabled: *metadataTLSEnabled, - CaCertPath: *caCertPath, - } - var execution *driver.Execution - var driverErr error - switch *driverType { - case ROOT_DAG: - options.RuntimeConfig = runtimeConfig - execution, driverErr = driver.RootDAG(ctx, options, client) - case DAG: - execution, driverErr = driver.DAG(ctx, options, client) - case CONTAINER: - options.Container = containerSpec - options.KubernetesExecutorConfig = k8sExecCfg - // Set admin defaults only when explicitly configured (non-negative). - if *defaultRunAsUser >= 0 { - options.DefaultRunAsUser = defaultRunAsUser - } - if *defaultRunAsGroup >= 0 { - options.DefaultRunAsGroup = defaultRunAsGroup - } - if *defaultRunAsNonRoot != "" { - v, err := strconv.ParseBool(*defaultRunAsNonRoot) - if err == nil { - options.DefaultRunAsNonRoot = &v - } - } - execution, driverErr = driver.Container(ctx, options, client, cacheClient) - default: - err = fmt.Errorf("unknown driverType %s", *driverType) - } - if driverErr != nil { - if execution == nil { - return driverErr - } - defer func() { - // Override error with driver error, because driver error is more important. - // However, we continue running, because the following code prints debug info that - // may be helpful for figuring out why this failed. 
- err = driverErr - }() - } - - executionPaths := &ExecutionPaths{ - ExecutionID: *executionIDPath, - IterationCount: *iterationCountPath, - CachedDecision: *cachedDecisionPath, - Condition: *conditionPath, - PodSpecPatch: *podSpecPatchPath, - } - - return handleExecution(execution, *driverType, executionPaths) -} - -func parseExecConfigJson(k8sExecConfigJson *string) (*kubernetesplatform.KubernetesExecutorConfig, error) { - var k8sExecCfg *kubernetesplatform.KubernetesExecutorConfig - if *k8sExecConfigJson != "" { - glog.Infof("input kubernetesConfig:%s\n", prettyPrint(*k8sExecConfigJson)) - k8sExecCfg = &kubernetesplatform.KubernetesExecutorConfig{} - if err := util.UnmarshalString(*k8sExecConfigJson, k8sExecCfg); err != nil { - return nil, fmt.Errorf("failed to unmarshal Kubernetes config, error: %w\nKubernetesConfig: %v", err, k8sExecConfigJson) - } - } - return k8sExecCfg, nil -} - -func handleExecution(execution *driver.Execution, driverType string, executionPaths *ExecutionPaths) error { - if execution.ID != 0 { - glog.Infof("output execution.ID=%v", execution.ID) - if executionPaths.ExecutionID != "" { - if err := writeFile(executionPaths.ExecutionID, []byte(fmt.Sprint(execution.ID))); err != nil { - return fmt.Errorf("failed to write execution ID to file: %w", err) - } - } - } - if execution.IterationCount != nil { - if err := writeFile(executionPaths.IterationCount, []byte(fmt.Sprintf("%v", *execution.IterationCount))); err != nil { - return fmt.Errorf("failed to write iteration count to file: %w", err) - } - } else { - if driverType == ROOT_DAG { - if err := writeFile(executionPaths.IterationCount, []byte("0")); err != nil { - return fmt.Errorf("failed to write iteration count to file: %w", err) - } - } - } - if execution.Cached != nil { - if err := writeFile(executionPaths.CachedDecision, []byte(strconv.FormatBool(*execution.Cached))); err != nil { - return fmt.Errorf("failed to write cached decision to file: %w", err) - } - } - if execution.Condition 
!= nil { - if err := writeFile(executionPaths.Condition, []byte(strconv.FormatBool(*execution.Condition))); err != nil { - return fmt.Errorf("failed to write condition to file: %w", err) - } - } else { - // nil is a valid value for Condition - if driverType == ROOT_DAG || driverType == CONTAINER { - if err := writeFile(executionPaths.Condition, []byte("nil")); err != nil { - return fmt.Errorf("failed to write condition to file: %w", err) - } - } - } - if execution.PodSpecPatch != "" { - glog.Infof("output podSpecPatch=\n%s\n", execution.PodSpecPatch) - if executionPaths.PodSpecPatch == "" { - return fmt.Errorf("--pod_spec_patch_path is required for container executor drivers") - } - if err := writeFile(executionPaths.PodSpecPatch, []byte(execution.PodSpecPatch)); err != nil { - return fmt.Errorf("failed to write pod spec patch to file: %w", err) - } - } - if execution.ExecutorInput != nil { - executorInputBytes, err := protojson.Marshal(execution.ExecutorInput) - if err != nil { - return fmt.Errorf("failed to marshal ExecutorInput to JSON: %w", err) - } - executorInputJSON := string(executorInputBytes) - glog.Infof("output ExecutorInput:%s\n", prettyPrint(executorInputJSON)) - } - return nil -} - -func prettyPrint(jsonStr string) string { - var prettyJSON bytes.Buffer - err := json.Indent(&prettyJSON, []byte(jsonStr), "", " ") - if err != nil { - return jsonStr - } - return prettyJSON.String() -} - -func writeFile(path string, data []byte) (err error) { - if path == "" { - return fmt.Errorf("path is not specified") - } - defer func() { - if err != nil { - err = fmt.Errorf("failed to write to %s: %w", path, err) - } - }() - if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { - return err - } - return os.WriteFile(path, data, 0o644) -} - -func newMlmdClient(mlmdServerAddress string, mlmdServerPort string, tlsCfg *tls.Config) (*metadata.Client, error) { - return metadata.NewClient(mlmdServerAddress, mlmdServerPort, tlsCfg) -} 
diff --git a/backend/src/v2/compiler/argocompiler/argo.go b/backend/src/v2/compiler/argocompiler/argo.go
index 267639895ad..100201248f9 100644
--- a/backend/src/v2/compiler/argocompiler/argo.go
+++ b/backend/src/v2/compiler/argocompiler/argo.go
@@ -145,6 +145,7 @@ func Compile(jobArg *pipelinespec.PipelineJob, kubernetesSpecArg *pipelinespec.S
 PodMetadata: &wfapi.Metadata{
 Annotations: map[string]string{
 "pipelines.kubeflow.org/v2_component": "true",
+ util.AnnotationKeyIstioSidecarInject: util.AnnotationValueIstioSidecarInjectDisabled,
 },
 Labels: map[string]string{
 "pipelines.kubeflow.org/v2_component": "true",
@@ -181,8 +182,6 @@ func Compile(jobArg *pipelinespec.PipelineJob, kubernetesSpecArg *pipelinespec.S
 // TODO(chensun): release process and update the images.
 launcherImage: GetLauncherImage(),
 launcherCommand: GetLauncherCommand(),
- driverImage: GetDriverImage(),
- driverCommand: GetDriverCommand(),
 job: job,
 spec: spec,
 executors: deploy.GetExecutors(),
diff --git a/backend/src/v2/compiler/argocompiler/container.go b/backend/src/v2/compiler/argocompiler/container.go
index db8e637d097..64ecfb9fa24 100644
--- a/backend/src/v2/compiler/argocompiler/container.go
+++ b/backend/src/v2/compiler/argocompiler/container.go
@@ -39,9 +39,7 @@ import (
 const (
 volumeNameKFPLauncher = "kfp-launcher"
- volumeNameCABundle = "ca-bundle"
 LauncherImageEnvVar = "V2_LAUNCHER_IMAGE"
- DriverImageEnvVar = "V2_DRIVER_IMAGE"
 // DefaultLauncherImage & DefaultDriverImage are set as latest here
 // but are overridden by environment variables set via k8s manifests.
 // For releases, the manifest will have the correct release version set.
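Review bot: In the first `argo.go` hunk, the added `util.AnnotationKeyIstioSidecarInject: util.AnnotationValueIstioSidecarInjectDisabled` entry sits in the workflow-wide `PodMetadata.Annotations` map, so it appears to switch off Istio sidecar injection for every pod the workflow creates, user containers included, and not only for the driver path this commit reworks. In a mesh that enforces mTLS or authorization policy through the sidecar, those pods would then run outside that enforcement. If that is intended, a comment above the entry should say so, for example `// Sidecar injection is disabled for all workflow pods because <reason>; mesh policy does not apply to them.`; otherwise consider making it a deployment setting. `Compile` starts and ends outside this hunk, so whether anything later overrides the annotation is not visible here.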
@@ -49,9 +47,6 @@ const ( DefaultLauncherImage = "ghcr.io/kubeflow/kfp-launcher:latest" LauncherCommandEnvVar = "V2_LAUNCHER_COMMAND" DefaultLauncherCommand = "launcher-v2" - DefaultDriverImage = "ghcr.io/kubeflow/kfp-driver:latest" - DefaultDriverCommand = "driver" - DriverCommandEnvVar = "V2_DRIVER_COMMAND" PipelineRunAsUserEnvVar = "PIPELINE_RUN_AS_USER" PipelineLogLevelEnvVar = "PIPELINE_LOG_LEVEL" PublishLogsEnvVar = "PUBLISH_LOGS" @@ -105,22 +100,6 @@ func GetLauncherImage() string { return launcherImage } -func GetDriverImage() string { - driverImage := os.Getenv(DriverImageEnvVar) - if driverImage == "" { - driverImage = DefaultDriverImage - } - return driverImage -} - -func GetDriverCommand() []string { - driverCommand := os.Getenv(DriverCommandEnvVar) - if driverCommand == "" { - driverCommand = DefaultDriverCommand - } - return strings.Split(driverCommand, " ") -} - func GetLauncherCommand() []string { launcherCommand := os.Getenv(LauncherCommandEnvVar) if launcherCommand == "" { @@ -148,10 +127,14 @@ func GetPipelineRunAsUser() *int64 { return &runAsUser } -func (c *workflowCompiler) containerDriverTask(name string, inputs containerDriverInputs) (*wfapi.DAGTask, *containerDriverOutputs) { +func (c *workflowCompiler) containerDriverTask(name string, inputs containerDriverInputs) (*wfapi.DAGTask, *containerDriverOutputs, error) { + template, err := c.addContainerDriverTemplate() + if err != nil { + return nil, nil, err + } dagTask := &wfapi.DAGTask{ Name: name, - Template: c.addContainerDriverTemplate(), + Template: template, Arguments: wfapi.Arguments{ Parameters: []wfapi.Parameter{ {Name: paramComponent, Value: wfapi.AnyStringPtr(inputs.component)}, 
@@ -179,71 +162,70 @@ func (c *workflowCompiler) containerDriverTask(name string, inputs containerDriv cached: taskOutputParameter(name, paramCachedDecision), condition: taskOutputParameter(name, paramCondition), } - return dagTask, outputs + return dagTask, outputs, nil } -func (c *workflowCompiler) addContainerDriverTemplate() string { +// Create the Argo Workflow executor plugin template for the container driver. +// See https://argo-workflows.readthedocs.io/en/latest/executor_plugins/ +func (c *workflowCompiler) addContainerDriverTemplate() (string, error) { name := "system-container-driver" _, ok := c.templates[name] if ok { - return name - } - - args := []string{ - "--type", "CONTAINER", - "--pipeline_name", c.spec.GetPipelineInfo().GetName(), - "--run_id", runID(), - "--run_name", runResourceName(), - "--run_display_name", c.job.DisplayName, - "--dag_execution_id", inputValue(paramParentDagID), - "--component", inputValue(paramComponent), - "--task", inputValue(paramTask), - "--task_name", inputValue(paramTaskName), - "--container", inputValue(paramContainer), - "--iteration_index", inputValue(paramIterationIndex), - "--cached_decision_path", outputPath(paramCachedDecision), - "--pod_spec_patch_path", outputPath(paramPodSpecPatch), - "--condition_path", outputPath(paramCondition), - "--kubernetes_config", inputValue(paramKubernetesConfig), - "--http_proxy", proxy.GetConfig().GetHttpProxy(), - "--https_proxy", proxy.GetConfig().GetHttpsProxy(), - "--no_proxy", proxy.GetConfig().GetNoProxy(), - "--ml_pipeline_server_address", config.GetMLPipelineServerConfig().Address, - "--ml_pipeline_server_port", config.GetMLPipelineServerConfig().Port, - "--mlmd_server_address", metadata.GetMetadataConfig().Address, - "--mlmd_server_port", metadata.GetMetadataConfig().Port, - } - if c.cacheDisabled { - args = append(args, "--cache_disabled") - } - if c.mlPipelineTLSEnabled { - args = append(args, "--ml_pipeline_tls_enabled") - } - if common.GetMetadataTLSEnabled() { - args 
= append(args, "--metadata_tls_enabled") + return name, nil + } + + args := map[string]interface{}{ + "type": "CONTAINER", + "pipeline_name": c.spec.GetPipelineInfo().GetName(), + "run_id": runID(), + "run_name": runResourceName(), + "run_display_name": c.job.DisplayName, + "dag_execution_id": inputValue(paramParentDagID), + "component": inputValue(paramComponent), + "task": inputValue(paramTask), + "task_name": inputValue(paramTaskName), + "container": inputValue(paramContainer), + "iteration_index": inputValue(paramIterationIndex), + "cached_decision_path": outputPath(paramCachedDecision), + "pod_spec_patch_path": outputPath(paramPodSpecPatch), + "condition_path": outputPath(paramCondition), + "kubernetes_config": inputValue(paramKubernetesConfig), + "http_proxy": proxy.GetConfig().GetHttpProxy(), + "https_proxy": proxy.GetConfig().GetHttpsProxy(), + "no_proxy": proxy.GetConfig().GetNoProxy(), + "ml_pipeline_server_address": config.GetMLPipelineServerConfig().Address, + "ml_pipeline_server_port": config.GetMLPipelineServerConfig().Port, + "mlmd_server_address": metadata.GetMetadataConfig().Address, + "mlmd_server_port": metadata.GetMetadataConfig().Port, + "cache_disabled": c.cacheDisabled, + "ml_pipeline_tls_enabled": c.mlPipelineTLSEnabled, + "metadata_tls_enabled": common.GetMetadataTLSEnabled(), } - setCABundle := false // If CABUNDLE_SECRET_NAME or CABUNDLE_CONFIGMAP_NAME is set, add ca_cert_path arg to container driver. 
if common.GetCaBundleSecretName() != "" || common.GetCaBundleConfigMapName() != "" { - args = append(args, "--ca_cert_path", common.CustomCaCertPath) - setCABundle = true + args["ca_cert_path"] = common.CustomCaCertPath } if value, ok := os.LookupEnv(PipelineLogLevelEnvVar); ok { - args = append(args, "--log_level", value) + args["log_level"] = value } if value, ok := os.LookupEnv(PublishLogsEnvVar); ok { - args = append(args, "--publish_logs", value) + args["publish_logs"] = value } if c.defaultRunAsUser != nil { - args = append(args, "--default_run_as_user", strconv.FormatInt(*c.defaultRunAsUser, 10)) + args["default_run_as_user"] = strconv.FormatInt(*c.defaultRunAsUser, 10) } if c.defaultRunAsGroup != nil { - args = append(args, "--default_run_as_group", strconv.FormatInt(*c.defaultRunAsGroup, 10)) + args["default_run_as_group"] = strconv.FormatInt(*c.defaultRunAsGroup, 10) } if c.defaultRunAsNonRoot != nil { - args = append(args, "--default_run_as_non_root", strconv.FormatBool(*c.defaultRunAsNonRoot)) + args["default_run_as_non_root"] = strconv.FormatBool(*c.defaultRunAsNonRoot) + } + + containerDriverPlugin, err := driverPlugin(args) + if err != nil { + return name, fmt.Errorf("failed to add container driver plugin: %v", err) } template := &wfapi.Template{ 
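Review bot: The error path after `driverPlugin(args)` in addContainerDriverTemplate wraps with `%v` and still returns the template name, while the sibling addDAGDriverTemplate in dag.go returns `"", err` unwrapped. `%v` drops the error chain that driverPlugin builds with `%w`, and returning a usable name together with an error invites a caller to reference a template that was never registered. Suggest `return "", fmt.Errorf("failed to add container driver plugin: %w", err)` here and the same wrapping in the DAG variant. The function body continues past the end of this hunk.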
@@ -261,27 +243,17 @@ func (c *workflowCompiler) addContainerDriverTemplate() string { }, Outputs: wfapi.Outputs{ Parameters: []wfapi.Parameter{ - {Name: paramPodSpecPatch, ValueFrom: &wfapi.ValueFrom{Path: "/tmp/outputs/pod-spec-patch", Default: wfapi.AnyStringPtr("")}}, - {Name: paramCachedDecision, Default: wfapi.AnyStringPtr("false"), ValueFrom: &wfapi.ValueFrom{Path: "/tmp/outputs/cached-decision", Default: wfapi.AnyStringPtr("false")}}, - {Name: paramCondition, ValueFrom: &wfapi.ValueFrom{Path: "/tmp/outputs/condition", Default: wfapi.AnyStringPtr("true")}}, + {Name: paramPodSpecPatch, ValueFrom: &wfapi.ValueFrom{JSONPath: "$.pod-spec-patch", Default: wfapi.AnyStringPtr("")}}, + {Name: paramCachedDecision, Default: wfapi.AnyStringPtr("false"), ValueFrom: &wfapi.ValueFrom{JSONPath: "$.cached-decision", Default: wfapi.AnyStringPtr("false")}}, + {Name: paramCondition, ValueFrom: &wfapi.ValueFrom{JSONPath: "$.condition", Default: wfapi.AnyStringPtr("true")}}, }, }, - Container: &k8score.Container{ - Image: c.driverImage, - Command: c.driverCommand, - Args: args, - Resources: driverResources, - Env: append(proxy.GetConfig().GetEnvVars(), commonEnvs...), - }, + Plugin: containerDriverPlugin, } applySecurityContextToTemplate(template) - // If TLS is enabled (apiserver or metadata), add the custom CA bundle to the container driver template. - if setCABundle { - ConfigureCustomCABundle(template) - } c.templates[name] = template c.wf.Spec.Templates = append(c.wf.Spec.Templates, *template) - return name + return name, err } type containerExecutorInputs struct { diff --git a/backend/src/v2/compiler/argocompiler/container_test.go b/backend/src/v2/compiler/argocompiler/container_test.go index 1682874d790..0388015dff5 100644 --- a/backend/src/v2/compiler/argocompiler/container_test.go +++ b/backend/src/v2/compiler/argocompiler/container_test.go 
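Review bot: This hunk removes the `ConfigureCustomCABundle(template)` call, but the previous hunk still adds `ca_cert_path` to the plugin args when a CA bundle Secret or ConfigMap is configured, so the driver is pointed at a CA file that this template no longer arranges to mount. Unless the plugin sidecar's own manifest mounts the bundle at `common.CustomCaCertPath`, TLS connections that depend on the custom CA will presumably fail. Either add a comment next to `Plugin: containerDriverPlugin` stating where the bundle is now mounted, or stop passing the arg. Separately, the final `return name, err` returns a variable that is always nil at that point; `return name, nil` matches addDAGDriverTemplate.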
@@ -70,7 +70,12 @@ func TestAddContainerExecutorTemplate(t *testing.T) { } +// With the transition from Container to Plugin, environment variable configuration +// is now defined in manifests rather than in code, so we can no longer verify +// their behavior in a unit test. However, this is still fully tested within the +// workflow-compiler integration tests. func TestContainerDriverTemplate_IncludesKFPPodNameEnv(t *testing.T) { + t.Skip("Skipping test: env vars are now defined in manifests and cannot be verified in unit tests") proxy.InitializeConfigWithEmptyForTests() c := &workflowCompiler{ templates: make(map[string]*wfapi.Template), @@ -85,7 +90,8 @@ func TestContainerDriverTemplate_IncludesKFPPodNameEnv(t *testing.T) { job: &pipelinespec.PipelineJob{}, } - name := c.addContainerDriverTemplate() + name, err := c.addContainerDriverTemplate() + require.NoError(t, err) require.Equal(t, "system-container-driver", name) tmpl, exists := c.templates[name] diff --git a/backend/src/v2/compiler/argocompiler/dag.go b/backend/src/v2/compiler/argocompiler/dag.go index 658ea931fb2..9eca1e656c5 100644 --- a/backend/src/v2/compiler/argocompiler/dag.go +++ b/backend/src/v2/compiler/argocompiler/dag.go @@ -19,15 +19,13 @@ import ( "sort" "strings" - "github.com/kubeflow/pipelines/backend/src/apiserver/config/proxy" - "github.com/kubeflow/pipelines/backend/src/v2/config" - "github.com/kubeflow/pipelines/backend/src/v2/metadata" - wfapi "github.com/argoproj/argo-workflows/v3/pkg/apis/workflow/v1alpha1" "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" "github.com/kubeflow/pipelines/backend/src/apiserver/common" + "github.com/kubeflow/pipelines/backend/src/apiserver/config/proxy" "github.com/kubeflow/pipelines/backend/src/v2/compiler" - k8score "k8s.io/api/core/v1" + "github.com/kubeflow/pipelines/backend/src/v2/config" + "github.com/kubeflow/pipelines/backend/src/v2/metadata" "k8s.io/apimachinery/pkg/util/intstr" ) 
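Review bot: `t.Skip(...)` as the first statement of TestContainerDriverTemplate_IncludesKFPPodNameEnv leaves the rest of the test as unreachable code that still has to compile (the second hunk updates it for the new signature), and the unit suite no longer asserts anything about the driver template. Since the template now carries a `Plugin` instead of a `Container`, the test can be repurposed rather than skipped: assert that `tmpl.Plugin` is non-nil and that its JSON holds the `driver-plugin` key with the expected `args`. If the env-var check belongs only to the integration suite, delete this test instead of keeping a skipped one. The test body continues outside the hunk.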
@@ -297,7 +295,7 @@ func (c *workflowCompiler) task(name string, task *pipelinespec.PipelineTaskSpec // The following call will return an empty string for tasks without kubernetes-specific annotation. kubernetesConfigPlaceholder, _ := c.useKubernetesImpl(componentName) - driver, driverOutputs := c.containerDriverTask(driverTaskName, containerDriverInputs{ + driver, driverOutputs, err := c.containerDriverTask(driverTaskName, containerDriverInputs{ component: componentSpecPlaceholder, task: taskSpecJson, container: containerPlaceholder, @@ -306,6 +304,9 @@ func (c *workflowCompiler) task(name string, task *pipelinespec.PipelineTaskSpec kubernetesConfig: kubernetesConfigPlaceholder, taskName: effectiveTaskName, }) + if err != nil { + return nil, err + } if task.GetTriggerPolicy().GetCondition() == "" { driverOutputs.condition = "" } @@ -547,9 +548,13 @@ func (c *workflowCompiler) dagDriverTask(name string, inputs dagDriverInputs) (* Value: wfapi.AnyStringPtr(inputs.taskName), }) } + dagTemplate, err := c.addDAGDriverTemplate() + if err != nil { + return nil, nil, err + } t := &wfapi.DAGTask{ Name: name, - Template: c.addDAGDriverTemplate(), + Template: dagTemplate, Arguments: wfapi.Arguments{ Parameters: params, }, 
@@ -561,58 +566,56 @@ func (c *workflowCompiler) dagDriverTask(name string, inputs dagDriverInputs) (* }, nil } -func (c *workflowCompiler) addDAGDriverTemplate() string { +// Create the Argo Workflow executor plugin template for the dag driver. +// See https://argo-workflows.readthedocs.io/en/latest/executor_plugins/ +func (c *workflowCompiler) addDAGDriverTemplate() (string, error) { name := "system-dag-driver" _, ok := c.templates[name] if ok { - return name - } - - args := []string{ - "--type", inputValue(paramDriverType), - "--pipeline_name", c.spec.GetPipelineInfo().GetName(), - "--run_id", runID(), - "--run_name", runResourceName(), - "--run_display_name", c.job.DisplayName, - "--dag_execution_id", inputValue(paramParentDagID), - "--component", inputValue(paramComponent), - "--task", inputValue(paramTask), - "--task_name", inputValue(paramTaskName), - "--runtime_config", inputValue(paramRuntimeConfig), - "--iteration_index", inputValue(paramIterationIndex), - "--execution_id_path", outputPath(paramExecutionID), - "--iteration_count_path", outputPath(paramIterationCount), - "--condition_path", outputPath(paramCondition), - "--http_proxy", proxy.GetConfig().GetHttpProxy(), - "--https_proxy", proxy.GetConfig().GetHttpsProxy(), - "--no_proxy", proxy.GetConfig().GetNoProxy(), - "--ml_pipeline_server_address", config.GetMLPipelineServerConfig().Address, - "--ml_pipeline_server_port", config.GetMLPipelineServerConfig().Port, - "--mlmd_server_address", metadata.GetMetadataConfig().Address, - "--mlmd_server_port", metadata.GetMetadataConfig().Port, - } - if c.cacheDisabled { - args = append(args, "--cache_disabled") - } - if c.mlPipelineTLSEnabled { - args = append(args, "--ml_pipeline_tls_enabled") - } - if common.GetMetadataTLSEnabled() { - args = append(args, "--metadata_tls_enabled") - } - - setCABundle := false - // If CABUNDLE_SECRET_NAME or CABUNDLE_CONFIGMAP_NAME is set, add ca_cert_path arg to DAG driver. 
+ return name, nil + } + + args := map[string]interface{}{ + "type": inputValue(paramDriverType), + "pipeline_name": c.spec.GetPipelineInfo().GetName(), + "run_id": runID(), + "run_name": runResourceName(), + "run_display_name": c.job.DisplayName, + "dag_execution_id": inputValue(paramParentDagID), + "component": inputValue(paramComponent), + "task": inputValue(paramTask), + "task_name": inputValue(paramTaskName), + "runtime_config": inputValue(paramRuntimeConfig), + "iteration_index": inputValue(paramIterationIndex), + "execution_id_path": outputPath(paramExecutionID), + "iteration_count_path": outputPath(paramIterationCount), + "condition_path": outputPath(paramCondition), + "http_proxy": proxy.GetConfig().GetHttpProxy(), + "https_proxy": proxy.GetConfig().GetHttpsProxy(), + "no_proxy": proxy.GetConfig().GetNoProxy(), + "ml_pipeline_server_address": config.GetMLPipelineServerConfig().Address, + "ml_pipeline_server_port": config.GetMLPipelineServerConfig().Port, + "mlmd_server_address": metadata.GetMetadataConfig().Address, + "mlmd_server_port": metadata.GetMetadataConfig().Port, + "cache_disabled": c.cacheDisabled, + "ml_pipeline_tls_enabled": c.mlPipelineTLSEnabled, + "metadata_tls_enabled": common.GetMetadataTLSEnabled(), + } + // If CABUNDLE_SECRET_NAME add ca_cert_path arg to DAG driver. if common.GetCaBundleSecretName() != "" || common.GetCaBundleConfigMapName() != "" { - args = append(args, "--ca_cert_path", common.CustomCaCertPath) - setCABundle = true + args["ca_cert_path"] = common.CustomCaCertPath } if value, ok := os.LookupEnv(PipelineLogLevelEnvVar); ok { - args = append(args, "--log_level", value) + args["log_level"] = value } if value, ok := os.LookupEnv(PublishLogsEnvVar); ok { - args = append(args, "--publish_logs", value) + args["publish_logs"] = value + } + + dagPlugin, err := driverPlugin(args) + if err != nil { + return "", err } template := &wfapi.Template{ 
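Review bot: The rewritten comment `// If CABUNDLE_SECRET_NAME add ca_cert_path arg to DAG driver.` no longer matches the condition below it, which still tests both `common.GetCaBundleSecretName()` and `common.GetCaBundleConfigMapName()`. Restore the full wording, e.g. `// If CABUNDLE_SECRET_NAME or CABUNDLE_CONFIGMAP_NAME is set, add ca_cert_path to the DAG driver args.`, so a reader does not conclude that the ConfigMap case is unsupported. addDAGDriverTemplate continues past the end of this hunk.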
@@ -635,22 +638,12 @@ func (c *workflowCompiler) addDAGDriverTemplate() string { {Name: paramCondition, ValueFrom: &wfapi.ValueFrom{Path: "/tmp/outputs/condition", Default: wfapi.AnyStringPtr("true")}}, }, }, - Container: &k8score.Container{ - Image: c.driverImage, - Command: c.driverCommand, - Args: args, - Resources: driverResources, - Env: proxy.GetConfig().GetEnvVars(), - }, + Plugin: dagPlugin, } applySecurityContextToTemplate(template) - // If TLS is enabled (apiserver or metadata), add the custom CA bundle to the DAG driver template. - if setCABundle { - ConfigureCustomCABundle(template) - } c.templates[name] = template c.wf.Spec.Templates = append(c.wf.Spec.Templates, *template) - return name + return name, nil } func addImplicitDependencies(dagSpec *pipelinespec.DagSpec) error { diff --git a/backend/src/v2/compiler/argocompiler/plugin.go b/backend/src/v2/compiler/argocompiler/plugin.go new file mode 100644 index 00000000000..eb5f379a6dc --- /dev/null +++ b/backend/src/v2/compiler/argocompiler/plugin.go 
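Review bot: The DAG driver template switches to `Plugin: dagPlugin`, yet the output parameter on the context line above still reads `ValueFrom{Path: "/tmp/outputs/condition", ...}`, whereas the container driver template in container.go was changed to `JSONPath: "$.condition"` in this same commit. If plugin templates return outputs in the plugin reply rather than as files (which the container.go change suggests), the DAG outputs would silently fall back to their defaults, and for `condition` that default is "true". Please confirm and, if so, convert the DAG outputs to `JSONPath` as well. As in container.go, removing `ConfigureCustomCABundle(template)` leaves `ca_cert_path` pointing at a file this template no longer mounts.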
@@ -0,0 +1,39 @@ +// Copyright 2025 The Kubeflow Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package argocompiler + +import ( + "encoding/json" + "fmt" + + wfapi "github.com/argoproj/argo-workflows/v3/pkg/apis/workflow/v1alpha1" +) + +// Create the Argo Workflow executor plugin template with parameters. +// // See https://argo-workflows.readthedocs.io/en/latest/executor_plugins/ +func driverPlugin(params map[string]interface{}) (*wfapi.Plugin, error) { + pluginConfig := map[string]interface{}{ + "driver-plugin": map[string]interface{}{ + "args": params, + }, + } + jsonConfig, err := json.Marshal(pluginConfig) + if err != nil { + return nil, fmt.Errorf("driver plugin creation error: marshaling plugin config to JSON failed: %w", err) + } + return &wfapi.Plugin{Object: wfapi.Object{ + Value: jsonConfig, + }}, nil +} diff --git a/backend/src/v2/driver/container.go b/backend/src/v2/driver/container.go index 7a39a38cef4..bef4fee3340 100644 --- a/backend/src/v2/driver/container.go +++ b/backend/src/v2/driver/container.go @@ -20,9 +20,8 @@ import ( "fmt" "strconv" - "github.com/golang/glog" - "github.com/google/uuid" "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" + "github.com/kubeflow/pipelines/backend/src/common/util" "github.com/kubeflow/pipelines/backend/src/v2/cacheutils" "github.com/kubeflow/pipelines/backend/src/v2/expression" "github.com/kubeflow/pipelines/backend/src/v2/metadata" 
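Review bot: The map key `"driver-plugin"` in driverPlugin is a bare string literal that presumably must match the name under which the executor plugin is registered in the cluster, and a mismatch would only show up when a workflow runs. Give it a named constant with a comment stating what it has to match, e.g. `const driverPluginName = "driver-plugin" // must equal the registered executor plugin name`. The doc comment also has a stray `// //` and does not start with the function name; `// driverPlugin builds the Argo Workflows executor plugin template body from params.` followed by the `See` link reads better. Values in `params` such as the run display name may be user-supplied; `json.Marshal` escapes them here, so keep building this object with the encoder rather than by string formatting.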
@@ -43,14 +42,18 @@ func validateContainer(opts Options) (err error) { return validateNonRoot(opts) } -func Container(ctx context.Context, opts Options, mlmd *metadata.Client, cacheClient cacheutils.Client) (execution *Execution, err error) { +func Container(ctx context.Context, pipeline *metadata.Pipeline, opts Options, mlmd *metadata.Client, cacheClient cacheutils.Client, outputPathPrefix string) (execution *Execution, err error) { defer func() { if err != nil { err = fmt.Errorf("driver.Container(%s) failed: %w", opts.info(), err) } }() b, _ := json.Marshal(opts) - glog.V(4).Info("Container opts: ", string(b)) + log := util.GetLoggerFrom(ctx) + if log == nil { + return nil, fmt.Errorf("failed to get logger for container: %s", string(b)) + } + log.Trace("Container opts: ", string(b)) err = validateContainer(opts) if err != nil { return nil, err @@ -62,15 +65,11 @@ func Container(ctx context.Context, opts Options, mlmd *metadata.Client, cacheCl } // TODO(Bobgy): there's no need to pass any parameters, because pipeline // and pipeline run context have been created by root DAG driver. - pipeline, err := mlmd.GetPipeline(ctx, opts.PipelineName, opts.RunID, "", "", "", "") - if err != nil { - return nil, err - } dag, err := mlmd.GetDAG(ctx, opts.DAGExecutionID) if err != nil { return nil, err } - glog.Infof("parent DAG: %+v", dag.Execution) + log.Infof("parent DAG: %+v", dag.Execution) expr, err := expression.New() if err != nil { return nil, err @@ -116,7 +115,7 @@ func Container(ctx context.Context, opts Options, mlmd *metadata.Client, cacheCl pipeline.GetPipelineRoot(), opts.TaskName, opts.Component.GetOutputDefinitions(), - uuid.NewString(), + outputPathPrefix, opts.PublishLogs, ) } 
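Review bot: The new nil-logger branch in Container returns `fmt.Errorf("failed to get logger for container: %s", string(b))`, which puts the entire JSON-marshalled `opts` into an error string; before this change that dump was only emitted at verbosity 4. The deferred handler wraps this error and it presumably surfaces in workflow status, where the component, task and Kubernetes config are readable by a wider audience than trace logs. Suggest `return nil, fmt.Errorf("failed to get logger from context")`, and the same in driver.DAG in dag.go, which has the identical pattern. `b, _ := json.Marshal(opts)` also still discards its error. The function body continues outside the hunk.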
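Review bot: The `TODO(Bobgy)` comment left above `mlmd.GetDAG` described the `mlmd.GetPipeline` call that this hunk removes, so it now annotates the wrong statement; the matching hunk in dag.go deletes the comment, and this one should as well. With `pipeline` now supplied by the caller, Container dereferences it later (`pipeline.GetPipelineRoot()`) without a check. Unless that getter is nil-safe, add a guard at the top, `if pipeline == nil { return nil, fmt.Errorf("pipeline must not be nil") }`, and likewise in driver.DAG.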
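Review bot: Replacing `uuid.NewString()` with the caller-supplied `outputPathPrefix` moves the uniqueness of the task output root from this function to its callers, and nothing here rejects an empty or reused value. The same value also feeds `ecfg.DriverLogURI` in the next hunk and the `prefix` parameter of provisionOutputs in driver.go. If two executions of the same task arrive with the same value they would write under the same URI, so validate it alongside the other options, for example `if outputPathPrefix == "" { return nil, fmt.Errorf("outputPathPrefix must not be empty") }`, and document the uniqueness requirement on the parameter.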
@@ -126,11 +125,13 @@ func Container(ctx context.Context, opts Options, mlmd *metadata.Client, cacheCl return execution, err } ecfg.TaskName = opts.TaskName + ecfg.Namespace = opts.Namespace ecfg.DisplayName = opts.Task.GetTaskInfo().GetName() ecfg.ExecutionType = metadata.ContainerExecutionTypeName ecfg.ParentDagID = dag.Execution.GetID() ecfg.IterationIndex = iterationIndex ecfg.NotTriggered = !execution.WillTrigger() + ecfg.DriverLogURI = metadata.GenerateOutputURI(pipeline.GetPipelineRoot(), []string{opts.TaskName, outputPathPrefix, "driver-logs"}, false) if isKubernetesPlatformOp { return execution, kubernetesPlatformOps(ctx, mlmd, cacheClient, execution, ecfg, &opts) @@ -182,7 +183,7 @@ func Container(ctx context.Context, opts Options, mlmd *metadata.Client, cacheCl if err != nil { return execution, err } - glog.Infof("Created execution: %s", createdExecution) + log.Infof("Created execution: %s", createdExecution) execution.ID = createdExecution.GetID() if !execution.WillTrigger() { return execution, nil @@ -206,12 +207,12 @@ func Container(ctx context.Context, opts Options, mlmd *metadata.Client, cacheCl if err := mlmd.PublishExecution(ctx, createdExecution, executorOutput.GetParameterValues(), outputArtifacts, pb.Execution_CACHED); err != nil { return execution, fmt.Errorf("failed to publish cached execution: %w", err) } - glog.Infof("Use cache for task %s", opts.Task.GetTaskInfo().GetName()) + log.Infof("Use cache for task %s", opts.Task.GetTaskInfo().GetName()) *execution.Cached = true return execution, nil } } else { - glog.Info("Cache disabled globally at the server level.") + log.Info("Cache disabled globally at the server level.") } taskConfig := &TaskConfig{} diff --git a/backend/src/v2/driver/dag.go b/backend/src/v2/driver/dag.go index 362fac66f7f..39464abe2e5 100644 --- a/backend/src/v2/driver/dag.go +++ b/backend/src/v2/driver/dag.go 
@@ -19,8 +19,8 @@ import ( "encoding/json" "fmt" - "github.com/golang/glog" "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" + "github.com/kubeflow/pipelines/backend/src/common/util" "github.com/kubeflow/pipelines/backend/src/v2/expression" "github.com/kubeflow/pipelines/backend/src/v2/metadata" "google.golang.org/protobuf/types/known/structpb" @@ -38,14 +38,18 @@ func validateDAG(opts Options) (err error) { return validateNonRoot(opts) } -func DAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *Execution, err error) { +func DAG(ctx context.Context, pipeline *metadata.Pipeline, opts Options, mlmd *metadata.Client) (execution *Execution, err error) { defer func() { if err != nil { err = fmt.Errorf("driver.DAG(%s) failed: %w", opts.info(), err) } }() b, _ := json.Marshal(opts) - glog.V(4).Info("DAG opts: ", string(b)) + log := util.GetLoggerFrom(ctx) + if log == nil { + return nil, fmt.Errorf("failed to get logger for DAG driver options: %s", string(b)) + } + log.Trace("DAG opts: ", string(b)) err = validateDAG(opts) if err != nil { return nil, err @@ -55,17 +59,11 @@ func DAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *E index := opts.IterationIndex iterationIndex = &index } - // TODO(Bobgy): there's no need to pass any parameters, because pipeline - // and pipeline run context have been created by root DAG driver. - pipeline, err := mlmd.GetPipeline(ctx, opts.PipelineName, opts.RunID, "", "", "", "") - if err != nil { - return nil, err - } dag, err := mlmd.GetDAG(ctx, opts.DAGExecutionID) if err != nil { return nil, err } - glog.Infof("parent DAG: %+v", dag.Execution) + log.Infof("parent DAG: %+v", dag.Execution) expr, err := expression.New() if err != nil { return nil, err 
@@ -77,7 +75,7 @@ func DAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *E executorInput := &pipelinespec.ExecutorInput{ Inputs: inputs, } - glog.Infof("executorInput value: %+v", executorInput) + log.Infof("executorInput value: %+v", executorInput) execution = &Execution{ExecutorInput: executorInput} condition := opts.Task.GetTriggerPolicy().GetCondition() if condition != "" { @@ -109,15 +107,15 @@ func DAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *E // Handle writing output parameters to MLMD. ecfg.OutputParameters = opts.Component.GetDag().GetOutputs().GetParameters() - glog.V(4).Info("outputParameters: ", ecfg.OutputParameters) + log.Trace("outputParameters: ", ecfg.OutputParameters) // Handle writing output artifacts to MLMD. ecfg.OutputArtifacts = opts.Component.GetDag().GetOutputs().GetArtifacts() - glog.V(4).Info("outputArtifacts: ", ecfg.OutputArtifacts) + log.Trace("outputArtifacts: ", ecfg.OutputArtifacts) totalDagTasks := len(opts.Component.GetDag().GetTasks()) ecfg.TotalDagTasks = &totalDagTasks - glog.V(4).Info("totalDagTasks: ", *ecfg.TotalDagTasks) + log.Trace("totalDagTasks: ", *ecfg.TotalDagTasks) if opts.Task.GetArtifactIterator() != nil { return execution, fmt.Errorf("ArtifactIterator is not implemented") 
@@ -164,17 +162,17 @@ func DAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *E execution.IterationCount = &count } - glog.V(4).Info("pipeline: ", pipeline) + log.Trace("pipeline: ", pipeline) b, _ = json.Marshal(*ecfg) - glog.V(4).Info("ecfg: ", string(b)) - glog.V(4).Infof("dag: %v", dag) + log.Trace("ecfg: ", string(b)) + log.Tracef("dag: %v", dag) // TODO(Bobgy): change execution state to pending, because this is driver, execution hasn't started. createdExecution, err := mlmd.CreateExecution(ctx, pipeline, ecfg) if err != nil { return execution, err } - glog.Infof("Created execution: %s", createdExecution) + log.Infof("Created execution: %s", createdExecution) execution.ID = createdExecution.GetID() return execution, nil } diff --git a/backend/src/v2/driver/driver.go b/backend/src/v2/driver/driver.go index 6d6188c2e61..8dfc1caeb81 100644 --- a/backend/src/v2/driver/driver.go +++ b/backend/src/v2/driver/driver.go @@ -706,7 +706,7 @@ func provisionOutputs( pipelineRoot, taskName string, outputsSpec *pipelinespec.ComponentOutputsSpec, - outputURISalt string, + prefix string, publishOutput string, ) *pipelinespec.ExecutorInput_Outputs { outputs := &pipelinespec.ExecutorInput_Outputs{ @@ -736,7 +736,7 @@ func provisionOutputs( // artifacts (dsl.get_uri) by allowing the SDK to infer the task root from // the executor output file's directory (set below) and convert it back to // a remote URI at runtime. - taskRootRemote := metadata.GenerateOutputURI(pipelineRoot, []string{taskName, outputURISalt}, false) + taskRootRemote := metadata.GenerateOutputURI(pipelineRoot, []string{taskName, prefix}, false) // Set per-artifact output URIs under the task root. for name, artifact := range artifacts { @@ -769,7 +769,6 @@ func provisionOutputs( // Fallback to legacy path if the pipeline root scheme is not recognized. outputs.OutputFile = component.OutputMetadataFilepath } - return outputs } 
diff --git a/backend/src/v2/driver/driver_test.go b/backend/src/v2/driver/driver_test.go index e0a1f9d0858..a7b39fe529f 100644 --- a/backend/src/v2/driver/driver_test.go +++ b/backend/src/v2/driver/driver_test.go @@ -19,6 +19,8 @@ import ( "fmt" "testing" + "github.com/kubeflow/pipelines/backend/src/common/util" + "github.com/sirupsen/logrus" "github.com/stretchr/testify/require" "github.com/kubeflow/pipelines/backend/src/apiserver/config/proxy" @@ -1469,7 +1471,7 @@ func Test_initPodSpecPatch_TaskConfig_Affinity_NodeSelector_Tolerations_Passthro assert.Nil(t, err) err = extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), podSpec, opts, nil, @@ -1572,7 +1574,7 @@ func Test_initPodSpecPatch_TaskConfig_Affinity_NodeSelector_Tolerations_ApplyAnd assert.Nil(t, err) err = extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), podSpec, opts, nil, diff --git a/backend/src/v2/driver/k8s.go b/backend/src/v2/driver/k8s.go index 617e9163ceb..e7a241ced44 100644 --- a/backend/src/v2/driver/k8s.go +++ b/backend/src/v2/driver/k8s.go @@ -21,7 +21,6 @@ import ( "fmt" "time" - "github.com/golang/glog" "github.com/google/uuid" "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" "github.com/kubeflow/pipelines/backend/src/common/util" @@ -127,6 +126,10 @@ func extendPodSpecPatch( kubernetesExecutorConfig := opts.KubernetesExecutorConfig setOnTaskConfig, setOnPod := getTaskConfigOptions(opts.Component) + log := util.GetLoggerFrom(ctx) + if log == nil { + return fmt.Errorf("cannot get log from context for extendPodSpecPatch") + } // Always set setOnTaskConfig to an empty map if taskConfig is nil to avoid nil pointer dereference. if taskConfig == nil { 
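Review bot: extendPodSpecPatch now fails outright when `util.GetLoggerFrom(ctx)` returns nil, which makes a logger in the context a hard precondition for building the pod spec; the driver_test.go hunks above had to inject one for the tests to keep passing. The same guard is repeated in createPVC, deletePVC and publishDriverExecution with four different messages (`cannot get log from context for extendPodSpecPatch`, `failed to get log from context`, `no logs available for execution`, `can not get log from the context `). Use a single message such as `failed to get logger from context`, and state in the function's doc comment that ctx must carry a logger. The function continues well beyond this hunk.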
@@ -210,7 +213,7 @@ func extendPodSpecPatch( if tolerations := kubernetesExecutorConfig.GetTolerations(); tolerations != nil { var k8sTolerations []k8score.Toleration - glog.Infof("Tolerations passed: %+v", tolerations) + log.Infof("Tolerations passed: %+v", tolerations) for _, toleration := range tolerations { if toleration != nil { @@ -244,7 +247,7 @@ func extendPodSpecPatch( } k8sTolerations = append(k8sTolerations, singleToleration) } else { - glog.V(4).Info("encountered empty tolerations struct, ignoring.") + log.Trace("encountered empty tolerations struct, ignoring.") } } else if isListToleration { listVal := resolvedParam.GetListValue() @@ -259,7 +262,7 @@ func extendPodSpecPatch( } k8sTolerations = append(k8sTolerations, k8sTolerationsList...) } else { - glog.V(4).Info("encountered empty tolerations list, ignoring.") + log.Trace("encountered empty tolerations list, ignoring.") } } else { return fmt.Errorf("encountered unexpected toleration proto value, must be either struct or list type") @@ -608,7 +611,7 @@ func extendPodSpecPatch( if nodeAffinityTerm.GetNodeAffinityJson() == nil && len(nodeAffinityTerm.GetMatchExpressions()) == 0 && len(nodeAffinityTerm.GetMatchFields()) == 0 { - glog.Warningf("NodeAffinityTerm %d is empty, skipping", i) + log.Warningf("NodeAffinityTerm %d is empty, skipping", i) continue } if nodeAffinityTerm.GetNodeAffinityJson() != nil { @@ -657,10 +660,10 @@ func extendPodSpecPatch( Weight: *nodeAffinityTerm.Weight, Preference: nodeSelectorTerm, }) - glog.V(4).Infof("Added preferred node affinity: %+v", nodeSelectorTerm) + log.Tracef("Added preferred node affinity: %+v", nodeSelectorTerm) } else { requiredTerms = append(requiredTerms, nodeSelectorTerm) - glog.V(4).Infof("Added required node affinity: %+v", nodeSelectorTerm) + log.Tracef("Added required node affinity: %+v", nodeSelectorTerm) } } 
@@ -729,18 +732,18 @@ func extendPodSpecPatch( isCompilerHardened := existingSecurityContext.AllowPrivilegeEscalation != nil && !*existingSecurityContext.AllowPrivilegeEscalation if userSecurityContext.RunAsUser != nil { if existingSecurityContext.RunAsUser != nil { - glog.Warningf("Ignoring user-specified runAsUser (%d): security context already set by admin (runAsUser=%d)", + log.Warningf("Ignoring user-specified runAsUser (%d): security context already set by admin (runAsUser=%d)", *userSecurityContext.RunAsUser, *existingSecurityContext.RunAsUser) } else { if isCompilerHardened && *userSecurityContext.RunAsUser == 0 { - glog.Warningf("Setting runAsUser=0 (root) on a container with hardened security context; consider using a non-root UID") + log.Warningf("Setting runAsUser=0 (root) on a container with hardened security context; consider using a non-root UID") } podSpec.Containers[0].SecurityContext.RunAsUser = userSecurityContext.RunAsUser } } if userSecurityContext.RunAsGroup != nil { if existingSecurityContext.RunAsGroup != nil { - glog.Warningf("Ignoring user-specified runAsGroup (%d): security context already set by admin (runAsGroup=%d)", + log.Warningf("Ignoring user-specified runAsGroup (%d): security context already set by admin (runAsGroup=%d)", *userSecurityContext.RunAsGroup, *existingSecurityContext.RunAsGroup) } else { podSpec.Containers[0].SecurityContext.RunAsGroup = userSecurityContext.RunAsGroup @@ -748,7 +751,7 @@ func extendPodSpecPatch( } if userSecurityContext.RunAsNonRoot != nil { if existingSecurityContext.RunAsNonRoot != nil { - glog.Warningf("Ignoring user-specified runAsNonRoot (%v): security context already set by admin (runAsNonRoot=%v)", + log.Warningf("Ignoring user-specified runAsNonRoot (%v): security context already set by admin (runAsNonRoot=%v)", *userSecurityContext.RunAsNonRoot, *existingSecurityContext.RunAsNonRoot) } else { podSpec.Containers[0].SecurityContext.RunAsNonRoot = userSecurityContext.RunAsNonRoot 
@@ -786,8 +789,13 @@ func createPVC( taskStartedTime := time.Now().Unix() + log := util.GetLoggerFrom(ctx) + if log == nil { + return "", nil, 0, fmt.Errorf("failed to get log from context") + } + inputs := execution.ExecutorInput.Inputs - glog.Infof("Input parameter values: %+v", inputs.ParameterValues) + log.Infof("Input parameter values: %+v", inputs.ParameterValues) // Required input: access_modes accessModeInput, ok := inputs.ParameterValues["access_modes"] @@ -869,7 +877,7 @@ func createPVC( if err != nil { return "", createdExecution, pb.Execution_FAILED, fmt.Errorf("error creating MLMD execution for createpvc: %w", err) } - glog.Infof("Created execution: %s", createdExecution) + log.Infof("Created execution: %s", createdExecution) execution.ID = createdExecution.GetID() if !execution.WillTrigger() { return "", createdExecution, pb.Execution_COMPLETE, nil @@ -919,7 +927,7 @@ func createPVC( if err != nil { return "", createdExecution, pb.Execution_FAILED, fmt.Errorf("failed to create pvc: %w", err) } - glog.Infof("Created PVC %s\n", createdPVC.ObjectMeta.Name) + log.Infof("Created PVC %s\n", createdPVC.Name) // Create a cache entry if !opts.CacheDisabled && opts.Task.GetCachingOptions().GetEnableCache() { @@ -953,9 +961,13 @@ func deletePVC( }() taskStartedTime := time.Now().Unix() + log := util.GetLoggerFrom(ctx) + if log == nil { + return nil, pb.Execution_FAILED, fmt.Errorf("no logs available for execution") + } inputs := execution.ExecutorInput.Inputs - glog.Infof("Input parameter values: %+v", inputs.ParameterValues) + log.Infof("Input parameter values: %+v", inputs.ParameterValues) // Required input: pvc_name pvcNameInput, ok := inputs.ParameterValues["pvc_name"] 
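Review bot: `log.Infof("Input parameter values: %+v", inputs.ParameterValues)` in createPVC, and the identical line in the deletePVC hunk on this page, writes every resolved input parameter at Info level. Elsewhere in this commit the driver gains a `DriverLogURI` and the UI gains a System Logs tab, so these values appear to end up in stored, user-visible logs. If parameters can carry credentials or tokens, log only the parameter names or move the line to `log.Tracef`. The nil-logger errors added in this file also differ in wording ("failed to get log from context", "no logs available for execution", "can not get log from the context "); one shared message would be easier to search for. Both function bodies start and end outside these hunks.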
@@ -985,7 +997,7 @@ func deletePVC( if err != nil { return createdExecution, pb.Execution_FAILED, fmt.Errorf("error creating MLMD execution for createpvc: %w", err) } - glog.Infof("Created execution: %s", createdExecution) + log.Infof("Created execution: %s", createdExecution) execution.ID = createdExecution.GetID() if !execution.WillTrigger() { return createdExecution, pb.Execution_COMPLETE, nil @@ -1024,7 +1036,7 @@ func deletePVC( return createdExecution, pb.Execution_FAILED, fmt.Errorf("failed to delete pvc %s: %v", pvcName, err) } - glog.Infof("Deleted PVC %s\n", pvcName) + log.Infof("Deleted PVC %s\n", pvcName) // Create a cache entry if !opts.CacheDisabled && opts.Task.GetCachingOptions().GetEnableCache() && ecfg.CachedMLMDExecutionID != "" { @@ -1140,7 +1152,11 @@ func publishDriverExecution( if err = mlmd.PublishExecution(ctx, execution, outputParameters, outputArtifacts, status); err != nil { return fmt.Errorf("failed to publish: %w", err) } - glog.Infof("Published execution of Kubernetes platform task %s.", execution.TaskName()) + log := util.GetLoggerFrom(ctx) + if log == nil { + return fmt.Errorf("can not get log from the context ") + } + log.Infof("Published execution of Kubernetes platform task %s.", execution.TaskName()) return nil } diff --git a/backend/src/v2/driver/k8s_test.go b/backend/src/v2/driver/k8s_test.go index 884f448a656..2225063600f 100644 --- a/backend/src/v2/driver/k8s_test.go +++ b/backend/src/v2/driver/k8s_test.go @@ -5,8 +5,10 @@ import ( "testing" "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" + "github.com/kubeflow/pipelines/backend/src/common/util" "github.com/kubeflow/pipelines/backend/src/v2/metadata" "github.com/kubeflow/pipelines/kubernetes_platform/go/kubernetesplatform" + "github.com/sirupsen/logrus" "github.com/spf13/viper" "github.com/stretchr/testify/assert" "google.golang.org/protobuf/types/known/structpb" 
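Review bot: In publishDriverExecution the logger lookup runs after `mlmd.PublishExecution` has already succeeded, so a context without a logger makes the function return an error for an execution that was in fact published. The logger is only needed for one Info line, so either resolve it at the top of the function before any side effect or make the call conditional: `if log := util.GetLoggerFrom(ctx); log != nil { log.Infof("Published execution of Kubernetes platform task %s.", execution.TaskName()) }`. The new error string also ends in a stray space. The function starts outside the hunk.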
@@ -102,7 +104,7 @@ func Test_makeVolumeMountPatch(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { volumeMounts, volumes, err := makeVolumeMountPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), Options{}, tt.args.pvcMount, tt.args.dag, @@ -238,7 +240,7 @@ func Test_makePodSpecPatch_nodeSelector(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -717,7 +719,7 @@ func Test_extendPodSpecPatch_Secret(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), tt.podSpec, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -1214,7 +1216,7 @@ func Test_extendPodSpecPatch_ConfigMap(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), tt.podSpec, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -1388,7 +1390,7 @@ func Test_extendPodSpecPatch_EmptyVolumeMount(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), tt.podSpec, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -1514,7 +1516,7 @@ func Test_extendPodSpecPatch_ImagePullSecrets(t *testing.T) { }, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -1953,7 +1955,7 @@ func Test_extendPodSpecPatch_Tolerations(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, 
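Review bot: Every call site in k8s_test.go now spells out `util.WithExistingLogger(context.Background(), logrus.New())`, here in Test_makeVolumeMountPatch and in the extendPodSpecPatch tests in the hunks that follow. A single file-level helper such as `func testCtx() context.Context { return util.WithExistingLogger(context.Background(), logrus.New()) }` would keep the tests readable and give one place to silence or capture log output. None of the visible tests covers the new failure mode where the context carries no logger, which createPVC, deletePVC and RootDAG now turn into an error.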
@@ -2060,7 +2062,7 @@ func Test_extendPodSpecPatch_FieldPathAsEnv(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -2133,7 +2135,7 @@ func Test_extendPodSpecPatch_ActiveDeadlineSeconds(t *testing.T) { }, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -2246,7 +2248,7 @@ func Test_extendPodSpecPatch_SecurityContext(t *testing.T) { }, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -2274,7 +2276,7 @@ func Test_extendPodSpecPatch_SecurityContext_CombinedWithOtherFeatures(t *testin }, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: &kubernetesplatform.KubernetesExecutorConfig{ SecurityContext: &kubernetesplatform.SecurityContext{ @@ -2321,7 +2323,7 @@ func Test_extendPodSpecPatch_SecurityContext_AdminSetPreserved(t *testing.T) { {Name: "main"}, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{ DefaultRunAsUser: &adminUID, @@ -2355,7 +2357,7 @@ func Test_extendPodSpecPatch_SecurityContext_AdminDefaultsNoUserOverride(t *test {Name: "main"}, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{ DefaultRunAsUser: &adminUID, 
@@ -2383,7 +2385,7 @@ func Test_extendPodSpecPatch_SecurityContext_RootOnHardenedContainer(t *testing. }, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: &kubernetesplatform.KubernetesExecutorConfig{ SecurityContext: &kubernetesplatform.SecurityContext{ @@ -2424,7 +2426,7 @@ func Test_extendPodSpecPatch_SecurityContext_AdminRunAsNonRoot(t *testing.T) { {Name: "main"}, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{ DefaultRunAsNonRoot: &adminRunAsNonRoot, @@ -2453,7 +2455,7 @@ func Test_extendPodSpecPatch_SecurityContext_AdminRunAsNonRootNoUserOverride(t * {Name: "main"}, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{ DefaultRunAsNonRoot: &adminRunAsNonRoot, @@ -2475,7 +2477,7 @@ func Test_extendPodSpecPatch_SecurityContext_UserRunAsNonRootNoAdmin(t *testing. {Name: "main"}, }} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{ KubernetesExecutorConfig: &kubernetesplatform.KubernetesExecutorConfig{ @@ -2567,7 +2569,7 @@ func Test_extendPodSpecPatch_ImagePullPolicy(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), tt.podSpec, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -2765,7 +2767,7 @@ func Test_extendPodSpecPatch_GenericEphemeralVolume(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), tt.podSpec, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, 
@@ -3069,7 +3071,7 @@ func Test_extendPodSpecPatch_NodeAffinity(t *testing.T) { taskConfig := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), got, Options{KubernetesExecutorConfig: tt.k8sExecCfg}, nil, @@ -3154,7 +3156,7 @@ func Test_extendPodSpecPatch_TaskConfig_CapturesAndApplies(t *testing.T) { taskCfg := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), podSpec, Options{KubernetesExecutorConfig: cfg, Component: comp}, nil, @@ -3305,7 +3307,7 @@ func Test_extendPodSpecPatch_PvcMounts_Passthrough_NotAppliedToPod(t *testing.T) } taskCfg := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), podSpec, Options{KubernetesExecutorConfig: cfg, Component: comp}, nil, @@ -3339,7 +3341,7 @@ func Test_extendPodSpecPatch_PvcMounts_Passthrough_AppliedToPod(t *testing.T) { } taskCfg := &TaskConfig{} err := extendPodSpecPatch( - context.Background(), + util.WithExistingLogger(context.Background(), logrus.New()), podSpec, Options{KubernetesExecutorConfig: cfg, Component: comp}, nil, diff --git a/backend/src/v2/driver/root_dag.go b/backend/src/v2/driver/root_dag.go index c017fcd7bbf..2e02b922d40 100644 --- a/backend/src/v2/driver/root_dag.go +++ b/backend/src/v2/driver/root_dag.go @@ -19,7 +19,6 @@ import ( "encoding/json" "fmt" - "github.com/golang/glog" "github.com/kubeflow/pipelines/api/v2alpha1/go/pipelinespec" "github.com/kubeflow/pipelines/backend/src/common/util" "github.com/kubeflow/pipelines/backend/src/v2/config" 
@@ -64,54 +63,58 @@ func validateRootDAG(opts Options) (err error) { return nil } -func RootDAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *Execution, err error) { +func RootDAG(ctx context.Context, opts Options, mlmd *metadata.Client) (execution *Execution, pipeline *metadata.Pipeline, err error) { defer func() { if err != nil { err = fmt.Errorf("driver.RootDAG(%s) failed: %w", opts.info(), err) } }() b, _ := json.Marshal(opts) - glog.V(4).Info("RootDAG opts: ", string(b)) + log := util.GetLoggerFrom(ctx) + if log == nil { + return nil, nil, fmt.Errorf("driver.RootDAG(%s) failed: invalid log configuration", opts.info()) + } + log.Trace("RootDAG opts: ", string(b)) err = validateRootDAG(opts) if err != nil { - return nil, err + return nil, nil, err } // TODO(v2): in pipeline spec, rename GCS output directory to pipeline root. pipelineRoot := opts.RuntimeConfig.GetGcsOutputDirectory() restConfig, err := util.GetKubernetesConfig() if err != nil { - return nil, fmt.Errorf("failed to initialize kubernetes client: %w", err) + return nil, nil, fmt.Errorf("failed to initialize kubernetes client: %w", err) } k8sClient, err := kubernetes.NewForConfig(restConfig) if err != nil { - return nil, fmt.Errorf("failed to initialize kubernetes client set: %w", err) + return nil, nil, fmt.Errorf("failed to initialize kubernetes client set: %w", err) } cfg, err := config.FromConfigMap(ctx, k8sClient, opts.Namespace) if err != nil { - return nil, err + return nil, nil, err } storeSessionInfo := objectstore.SessionInfo{} if pipelineRoot != "" { - glog.Infof("PipelineRoot=%q", pipelineRoot) + log.Infof("PipelineRoot=%q", pipelineRoot) } else { pipelineRoot = cfg.DefaultPipelineRoot() - glog.Infof("PipelineRoot=%q from default config", pipelineRoot) + log.Infof("PipelineRoot=%q from default config", pipelineRoot) } storeSessionInfo, err = cfg.GetStoreSessionInfo(pipelineRoot) if err != nil { - return nil, err + return nil, nil, err } storeSessionInfoJSON, err := 
json.Marshal(storeSessionInfo) if err != nil { - return nil, err + return nil, nil, err } storeSessionInfoStr := string(storeSessionInfoJSON) // TODO(Bobgy): fill in run resource. - pipeline, err := mlmd.GetPipeline(ctx, opts.PipelineName, opts.RunID, opts.Namespace, "run-resource", pipelineRoot, storeSessionInfoStr) + pipeline, err = mlmd.GetPipeline(ctx, opts.PipelineName, opts.RunID, opts.Namespace, "run-resource", pipelineRoot, storeSessionInfoStr) if err != nil { - return nil, err + return nil, nil, err } executorInput := &pipelinespec.ExecutorInput{ @@ -122,16 +125,16 @@ func RootDAG(ctx context.Context, opts Options, mlmd *metadata.Client) (executio // TODO(Bobgy): validate executorInput matches component spec types ecfg, err := metadata.GenerateExecutionConfig(executorInput) if err != nil { - return nil, err + return nil, pipeline, err } ecfg.ExecutionType = metadata.DagExecutionTypeName ecfg.Name = fmt.Sprintf("run/%s", opts.RunID) exec, err := mlmd.CreateExecution(ctx, pipeline, ecfg) if err != nil { - return nil, err + return nil, pipeline, err } - glog.Infof("Created execution: %s", exec) + log.Infof("Created execution: %s", exec) // No need to return ExecutorInput, because tasks in the DAG will resolve // needed info from MLMD. - return &Execution{ID: exec.GetID()}, nil + return &Execution{ID: exec.GetID()}, pipeline, nil } diff --git a/backend/src/v2/metadata/client.go b/backend/src/v2/metadata/client.go index 31a2fbf9dc5..0e8e2fc08ad 100644 --- a/backend/src/v2/metadata/client.go +++ b/backend/src/v2/metadata/client.go @@ -181,6 +181,7 @@ type ExecutionConfig struct { OutputArtifacts map[string]*pipelinespec.DagOutputsSpec_DagOutputArtifactSpec InputArtifactIDs map[string][]int64 IterationIndex *int // Index of the iteration. + DriverLogURI string // ContainerExecution custom properties Image, CachedMLMDExecutionID, FingerPrint string 
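Review bot: The nil-logger return in RootDAG builds its own `driver.RootDAG(%s) failed:` prefix, but the deferred wrapper at the top of the function adds the same prefix to every non-nil `err`, so the message comes out doubled; `return nil, nil, fmt.Errorf("invalid log configuration")` is enough. The new signature also returns a non-nil `pipeline` together with an error on the `GenerateExecutionConfig` and `CreateExecution` failure paths. RootDAG has no doc comment, and one is needed now to say that callers can receive a pipeline alongside a non-nil error and what they may do with it.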
@@ -577,6 +578,7 @@ const ( keyOutputs = "outputs" keyParameterProducerTask = "parameter_producer_task" keyOutputArtifacts = "output_artifacts" + keyDriverLogURI = "driver_logs_uri" keyArtifactProducerTask = "artifact_producer_task" keyParentDagID = "parent_dag_id" // Parent DAG Execution ID. keyIterationIndex = "iteration_index" @@ -634,6 +636,10 @@ func (c *Client) CreateExecution(ctx context.Context, pipeline *Pipeline, config e.CustomProperties[keyCacheFingerPrint] = StringValue(config.FingerPrint) } } + if config.DriverLogURI != "" { + e.CustomProperties[keyDriverLogURI] = StringValue(config.DriverLogURI) + e.CustomProperties[keyStoreSessionInfo] = StringValue(pipeline.GetStoreSessionInfo()) + } if config.InputParameters != nil { e.CustomProperties[keyInputs] = &pb.Value{Value: &pb.Value_StructValue{ StructValue: &structpb.Struct{ diff --git a/backend/test/compiler/utils/workflow_utils.go b/backend/test/compiler/utils/workflow_utils.go index 1cb7a8ac5f6..ebae3d2c31a 100644 --- a/backend/test/compiler/utils/workflow_utils.go +++ b/backend/test/compiler/utils/workflow_utils.go @@ -36,6 +36,8 @@ import ( v1 "k8s.io/api/core/v1" ) +type driverPlugin map[string]map[string]map[string]interface{} + // LoadPipelineSpecsFromIR - Unmarshall Pipeline Spec IR into a tuple of (pipelinespec.PipelineJob, pipelinespec.SinglePlatformSpec) func LoadPipelineSpecsFromIR(pipelineIRFilePath string, cacheDisabled bool, defaultWorkspace *v1.PersistentVolumeClaimSpec) (*pipelinespec.PipelineJob, *pipelinespec.SinglePlatformSpec) { pipelineSpecsFromFile := testutil.ParseFileToSpecs(pipelineIRFilePath, cacheDisabled, defaultWorkspace) 
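Review bot: In CreateExecution the new branch copies `pipeline.GetStoreSessionInfo()` into the execution's custom properties whenever `DriverLogURI` is set, and the frontend hunk in this commit reads `store_session_info` back and forwards it as `providerInfo` to `Apis.readFile`. Object-store connection details therefore become part of each such execution record and are relayed by the browser. It is worth confirming that the session info holds only secret references, never credential values, and that the server re-validates provider info instead of trusting what the client sends; neither is visible in this hunk. A comment on `DriverLogURI` in `ExecutionConfig` stating the expected URI form would also help, since the existing fields around it are documented only by name.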
@@ -89,6 +91,32 @@ func CreateCompiledWorkflowFile(compiledWorflow *v1alpha1.Workflow, compiledWork return testutil.CreateFile(compiledWorkflowFilePath, [][]byte{fileContents}) } +// ConfigurePluginSettings - Add/Remove cache_disabled args in the driver-plugin +func ConfigurePluginSettings(workflow *v1alpha1.Workflow, remove bool) *v1alpha1.Workflow { + configuredWorkflow := workflow.DeepCopy() + for i, template := range configuredWorkflow.Spec.Templates { + if template.Plugin != nil { + var pluginMap driverPlugin + if err := json.Unmarshal(template.Plugin.Value, &pluginMap); err == nil { + if driverPlugin, ok := pluginMap["driver-plugin"]; ok { + if args, ok := driverPlugin["args"]; ok { + if remove { + args["cache_disabled"] = false + } else { + args["cache_disabled"] = true + } + } + } + jsonPlugin, err := json.Marshal(pluginMap) + gomega.Expect(err).NotTo(gomega.HaveOccurred(), "Failed to marshal plugin map") + configuredWorkflow.Spec.Templates[i].Plugin.Value = jsonPlugin + } + } + } + + return configuredWorkflow +} + // ConfigureCacheSettings - Add/Remove cache_disabled args in the workflow func ConfigureCacheSettings(workflow *v1alpha1.Workflow, remove bool) *v1alpha1.Workflow { cacheDisabledArg := "--cache_disabled" @@ -138,5 +166,5 @@ func ConfigureCacheSettings(workflow *v1alpha1.Workflow, remove bool) *v1alpha1. } } } - return configuredWorkflow + return ConfigurePluginSettings(configuredWorkflow, remove) } diff --git a/backend/test/end2end/e2e_suite_test.go b/backend/test/end2end/e2e_suite_test.go index 0480694ffbe..621fb6de0e7 100644 --- a/backend/test/end2end/e2e_suite_test.go +++ b/backend/test/end2end/e2e_suite_test.go 
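Review bot: ConfigurePluginSettings silently skips a template when `json.Unmarshal` of `template.Plugin.Value` fails, while the marshal on the way back is asserted with gomega. A plugin value that does not fit the `driverPlugin` shape would keep its old `cache_disabled` and the test would carry on with the wrong setting. If only driver plugins are expected here, assert the unmarshal as well, `gomega.Expect(err).NotTo(gomega.HaveOccurred(), "Failed to unmarshal plugin value")`; otherwise log the skip. The local variable `driverPlugin` shadows the `driverPlugin` type declared in the earlier hunk, and the if/else collapses to `args["cache_disabled"] = !remove`. The doc comment should say that `remove` sets the flag to false rather than deleting the key.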
@@ -135,7 +135,6 @@ var _ = BeforeSuite(func() { }) var _ = BeforeEach(func() { - // Create Experiment so that we can use it to associate pipeline runs with experimentName := fmt.Sprintf("E2EExperiment-%s", strconv.FormatInt(time.Now().UnixNano(), 10)) experiment := testutil.CreateExperiment(experimentClient, experimentName, testutil.GetNamespace()) diff --git a/backend/test/end2end/utils/e2e_utils.go b/backend/test/end2end/utils/e2e_utils.go index 96d5cf78c73..1ef0546e606 100644 --- a/backend/test/end2end/utils/e2e_utils.go +++ b/backend/test/end2end/utils/e2e_utils.go @@ -5,6 +5,7 @@ import ( "fmt" "maps" "sort" + "strings" "time" runparams "github.com/kubeflow/pipelines/backend/api/v2beta1/go_http_client/run_client/run_service" @@ -74,7 +75,8 @@ func ValidateComponentStatuses(runClient *apiserver.RunClient, k8Client *kuberne logger.Log("Updated pipeline run details") expectedTaskDetails := GetTasksFromWorkflow(compiledWorkflow) if *updatedRun.State == run_model.V2beta1RuntimeStateRUNNING { - logger.Log("Pipeline run did not finish, checking workflow controller logs") + logger.Log("Pipeline run did not finish") + logger.Log("Checking workflow controller logs") podLog := testutil.ReadContainerLogs(k8Client, *config.Namespace, "workflow-controller", nil, &testContext.TestStartTimeUTC, config.PodLogLimit) logger.Log("Attaching Workflow Controller logs to the report") ginkgo.AddReportEntry("Workflow Controller Logs", podLog) 
@@ -83,6 +85,10 @@ func ValidateComponentStatuses(runClient *apiserver.RunClient, k8Client *kuberne } else { if *updatedRun.State != run_model.V2beta1RuntimeStateSUCCEEDED { logger.Log("Looks like the run %s FAILED, so capture pod logs for the failed task", runID) + logger.Log("Checking workflow controller logs") + podLog := testutil.ReadContainerLogs(k8Client, *config.Namespace, "workflow-controller", nil, &testContext.TestStartTimeUTC, config.PodLogLimit) + logger.Log("Attaching Workflow Controller logs to the report") + ginkgo.AddReportEntry("Workflow Controller Logs", podLog) CapturePodLogsForUnsuccessfulTasks(k8Client, testContext, actualTaskDetails) ginkgo.Fail("Failing test because the pipeline run was not SUCCESSFUL") } else { @@ -121,11 +127,24 @@ func CapturePodLogsForUnsuccessfulTasks(k8Client *kubernetes.Clientset, testCont } case run_model.V2beta1RuntimeStateFAILED: { + agentLogsNotYetAcquired := true logger.Log("%s - Task %s for Run %s did not complete successfully", *task.State, task.DisplayName, task.RunID) for _, childTask := range task.ChildTasks { podName := childTask.PodName + isDriver := strings.Contains(task.DisplayName, "-driver") if podName != "" { - logger.Log("Capturing pod logs for task %s, with pod name %s", task.DisplayName, podName) + if isDriver { + if agentLogsNotYetAcquired { + logger.Log("Capturing pod logs for task executor agent, with pod name %s", podName) + podName += "-agent" + agentLogsNotYetAcquired = false + } else { + logger.Log("Logs from agent pod was already captured") + continue + } + } else { + logger.Log("Capturing pod logs for task %s, with pod name %s", task.DisplayName, podName) + } podLog := testutil.ReadPodLogs(k8Client, *config.Namespace, podName, nil, &testContext.TestStartTimeUTC, config.PodLogLimit) logger.Log("Pod logs captured for task %s in pod %s", task.DisplayName, podName) logger.Log("Attaching pod logs to the report") 
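Review bot: `isDriver := strings.Contains(task.DisplayName, "-driver")` in CapturePodLogsForUnsuccessfulTasks matches any task whose display name merely contains "-driver", so a user component with such a name would get "-agent" appended to its pod name and its own logs would be skipped. Assuming driver tasks end in that suffix, `strings.HasSuffix(task.DisplayName, "-driver")` is tighter, and since the value does not depend on `childTask` it can be computed once before the loop. The workflow-controller log capture added to the failed branch of ValidateComponentStatuses repeats the lines of the RUNNING branch; a small helper would keep the two in step. Both functions start outside these hunks.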
diff --git a/backend/test/testutil/kubernetes_utils.go b/backend/test/testutil/kubernetes_utils.go index fa02c477d3c..9e1acbebf0c 100644 --- a/backend/test/testutil/kubernetes_utils.go +++ b/backend/test/testutil/kubernetes_utils.go @@ -25,7 +25,6 @@ import ( "github.com/kubeflow/pipelines/backend/src/common/util" "github.com/kubeflow/pipelines/backend/test/logger" - "github.com/onsi/gomega" authenticationv1 "k8s.io/api/authentication/v1" v1 "k8s.io/api/core/v1" diff --git a/frontend/src/components/tabs/RuntimeNodeDetailsV2.tsx b/frontend/src/components/tabs/RuntimeNodeDetailsV2.tsx index d52d92282f0..f986823cb6e 100644 --- a/frontend/src/components/tabs/RuntimeNodeDetailsV2.tsx +++ b/frontend/src/components/tabs/RuntimeNodeDetailsV2.tsx @@ -62,6 +62,9 @@ import { getComponentSpec } from 'src/lib/v2/NodeUtils'; export const LOGS_DETAILS = 'logs_details'; export const LOGS_BANNER_MESSAGE = 'logs_banner_message'; export const LOGS_BANNER_ADDITIONAL_INFO = 'logs_banner_additional_info'; +export const SYS_LOGS_DETAILS = 'sys_log_details'; +export const SYS_LOGS_BANNER_MESSAGE = 'sys_logs_banner_message'; +export const SYS_LOGS_BANNER_ADDITIONAL_INFO = 'sys_logs_banner_additional_info'; export const K8S_PLATFORM_KEY = 'kubernetes'; const NODE_INFO_UNKNOWN = ( 
@@ -166,16 +169,30 @@ function TaskNodeDetail({ enabled: !!execution, }); + const { data: driverLogsInfo } = useQuery({ + queryKey: queryKeys.driverLogs(execution?.getId(), namespace), + queryFn: async (): Promise> => { + if (!execution) { + throw new Error('No execution is found.'); + } + return getDriverLogsInfo(execution, namespace); + }, + enabled: !!execution, + }); + const logsDetails = logsInfo?.get(LOGS_DETAILS); const logsBannerMessage = logsInfo?.get(LOGS_BANNER_MESSAGE); const logsBannerAdditionalInfo = logsInfo?.get(LOGS_BANNER_ADDITIONAL_INFO); + const sysLogDetails = driverLogsInfo?.get(SYS_LOGS_DETAILS); + const sysLogsBannerMessage = driverLogsInfo?.get(SYS_LOGS_BANNER_MESSAGE); + const sysLogsBannerAdditionalInfo = driverLogsInfo?.get(SYS_LOGS_BANNER_ADDITIONAL_INFO); const [selectedTab, setSelectedTab] = useState(0); return (
setSelectedTab(tab)} /> @@ -214,6 +231,24 @@ function TaskNodeDetail({ )}
)} + {/* System Logs tab */} + {selectedTab === 3 && ( +
+ {sysLogsBannerMessage && ( + + + + )} + {!sysLogsBannerMessage && ( +
+ +
+ )} +
+ )} ); @@ -301,6 +336,51 @@ function getNodeVolumeMounts( return volumeMounts; } +async function getDriverLogsInfo( + execution: Execution, + namespace?: string, +): Promise> { + const logsInfo = new Map(); + let podNameSpace = ''; + let logsDetails = ''; + let logsBannerMessage = ''; + let logsBannerAdditionalInfo = ''; + const customPropertiesMap = execution.getCustomPropertiesMap(); + + if (execution) { + podNameSpace = customPropertiesMap.get('namespace')?.getStringValue() || ''; + } + + try { + const driverLogUri = customPropertiesMap.get('driver_logs_uri')?.getStringValue(); + const storeSessionInfo = customPropertiesMap.get('store_session_info')?.getStringValue(); + + if (driverLogUri && storeSessionInfo) { + const storagePath = WorkflowParser.parseStoragePath(driverLogUri); + const providerInfo = storeSessionInfo; + const artifactNamespace = namespace || podNameSpace; + + logsDetails = await Apis.readFile({ + path: storagePath, + providerInfo: providerInfo, + namespace: artifactNamespace, + }); + logsInfo.set(SYS_LOGS_DETAILS, logsDetails); + return logsInfo; + } + } catch (artifactErr) { + let errMsg = await errorToMessage(artifactErr); + logsBannerMessage = 'Failed to retrieve pod logs.'; + logsInfo.set(SYS_LOGS_BANNER_MESSAGE, logsBannerMessage); + logsBannerAdditionalInfo = 'Error response: ' + errMsg; + logsInfo.set(SYS_LOGS_BANNER_ADDITIONAL_INFO, logsBannerAdditionalInfo); + + console.error('Failed to retrieve driver-logs artifact:', artifactErr); + } + + return logsInfo; +} + async function getLogsInfo( execution: Execution, runId?: string, diff --git a/frontend/src/hooks/queryKeys.ts b/frontend/src/hooks/queryKeys.ts index cc70d74effd..faa3a0bccb8 100644 --- a/frontend/src/hooks/queryKeys.ts +++ b/frontend/src/hooks/queryKeys.ts 
@@ -65,6 +65,9 @@ export const queryKeys = { executionLogs: (executionId: number | undefined, namespace: string | undefined) => ['execution_logs', { executionId, namespace }] as const, + driverLogs: (executionId: number | undefined, namespace: string | undefined) => + ['driver-logs', { executionId, namespace }] as const, + contextByExecution: (executionId: number, executionState: number) => ['context_by_execution', { id: executionId, state: executionState }] as const, diff --git a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/deployment.yaml b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/deployment.yaml index 3652a67305f..6c348f015a3 100644 --- a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/deployment.yaml +++ b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/deployment.yaml @@ -9,6 +9,7 @@ spec: labels: sidecar.istio.io/inject: "false" spec: + serviceAccountName: pipelines-profile-controller-admin securityContext: runAsNonRoot: true seccompProfile: @@ -27,7 +28,14 @@ spec: type: RuntimeDefault # We just need an image with the python botocore library installed image: docker.io/alpine/k8s:1.32.3 - command: ["python", "/hooks/sync.py"] + command: + - sh + - -c + - | + python3 -m venv /tmp/venv && \ + . /tmp/venv/bin/activate && \ + pip install --no-cache-dir kubernetes boto3 && \ + python /hooks/sync.py envFrom: - configMapRef: name: kubeflow-pipelines-profile-controller-env diff --git a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml index fdb0de23324..182a8a31619 100644 --- a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml +++ b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml 
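Review bot: The new container command in deployment.yaml runs `pip install --no-cache-dir kubernetes boto3` on every start, with no version pins or hashes, in a pod that this same commit binds to the cluster-wide `pipelines-profile-controller-admin` service account. Whatever the package index serves at restart time then runs with rights to create roles and rolebindings and to read secrets, and the controller cannot start without egress to the index. Prefer an image that already contains the dependencies. If the runtime install has to stay, pin exact versions and install with `--require-hashes` from a requirements file shipped alongside sync.py. The comment above the image line ("an image with the python botocore library installed") no longer describes what happens.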
@@ -5,6 +5,7 @@ resources: - service.yaml - deployment.yaml - decorator-controller.yaml +- pipelines-profile-controller-admin.yaml configMapGenerator: - files: - sync.py diff --git a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/pipelines-profile-controller-admin.yaml b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/pipelines-profile-controller-admin.yaml new file mode 100644 index 00000000000..5dfcd3bc206 --- /dev/null +++ b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/pipelines-profile-controller-admin.yaml @@ -0,0 +1,42 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pipelines-profile-controller-admin + namespace: kubeflow +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pipelines-profile-controller-admin-clusterrole +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [ "" ] + resources: [ "configmaps" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims" ] + verbs: [ "create", "get", "list" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pipelines-profile-controller-admin-binding +subjects: + - kind: ServiceAccount + name: pipelines-profile-controller-admin + namespace: kubeflow +roleRef: + kind: ClusterRole + name: pipelines-profile-controller-admin-clusterrole + apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
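Review bot: The ClusterRole in pipelines-profile-controller-admin.yaml grants `get`, `list`, `watch` on all `secrets`, `configmaps` and `pods` cluster-wide, plus create/update/delete on `roles`, `rolebindings` and `serviceaccounts`, which is more than the sync.py changes in this commit use. The read rules are presumably there so that the RBAC escalation check lets the controller create the per-namespace roles. The only secret that sync.py grants is `mlpipeline-minio-artifact`, so the secrets rule can carry `resourceNames: ["mlpipeline-minio-artifact"]`, and verbs such as `update` and `delete` can go where sync.py only ever creates. A one-line comment on each rule naming the namespaced role it backs would stop the list from growing unnoticed. The file also lacks a trailing newline.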
diff --git a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/sync.py b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/sync.py index 12fa8bd1926..bc7f0dc8374 100644 --- a/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/sync.py +++ b/manifests/kustomize/base/installs/multi-user/pipelines-profile-controller/sync.py @@ -17,6 +17,8 @@ import os import base64 import hashlib +from kubernetes import client, config +from kubernetes.client.rest import ApiException # From awscli installed in alpine/k8s image import botocore.session 
@@ -173,6 +175,81 @@ def upsert_lifecycle_policy(self, bucket_name, artifact_retention_days): else: print(f"ERROR: Failed to configure lifecycle policy: {exception}") + def create_role_and_binding(self, rbac_v1, namespace, role_name, sa_name, resources, verbs, resource_names=None): + # Configures necessary roles for the driver executor plugin + role = client.V1Role( + metadata=client.V1ObjectMeta( + name=role_name, + namespace=namespace + ), + rules=[ + client.V1PolicyRule( + api_groups=[""], + resources=resources, + resource_names=resource_names, + verbs=verbs + ) + ] + ) + rbac_v1.create_namespaced_role(namespace=namespace, body=role) + print(f"Role {role_name} created in {namespace}") + + role_binding_name = f"{role_name}-binding" + role_binding = client.V1RoleBinding( + metadata=client.V1ObjectMeta( + name=role_binding_name, + namespace=namespace + ), + subjects=[ + { + "kind": "ServiceAccount", + "name": sa_name, + "namespace": namespace, + "apiGroup": "" + } + ], + role_ref=client.V1RoleRef( + kind="Role", + name=role_name, + api_group="rbac.authorization.k8s.io" + ) + ) + rbac_v1.create_namespaced_role_binding(namespace=namespace, body=role_binding) + print(f"RoleBinding {role_binding_name} created in {namespace}") + + def upsert_executor_plugin_sa(self, namespace): + print('create executor plugin SAs for: ', namespace) + try: + config.load_incluster_config() + except: + config.load_kube_config() + core_v1 = client.CoreV1Api() + rbac_v1 = client.RbacAuthorizationV1Api() + agent_sa_name = "ml-pipeline-driver-agent-executor-plugin" + try: + core_v1.create_namespaced_service_account( + namespace=namespace, + body=client.V1ServiceAccount( + metadata=client.V1ObjectMeta( + name=agent_sa_name, + labels={"application-crd-id": "kubeflow-pipelines"}, + ) + ) + ) + print(f"ServiceAccount {agent_sa_name} created in {namespace}") + + agent_sa_name = "ml-pipeline-driver-agent-executor-plugin" + self.create_role_and_binding(rbac_v1=rbac_v1, namespace=namespace, 
role_name='configmap-reader', resources=["configmaps"], sa_name=agent_sa_name, verbs=["get", "list", "watch"]) + self.create_role_and_binding(rbac_v1=rbac_v1, namespace=namespace, role_name='ml-pipeline-driver-pods-reader', resources=["pods"], sa_name=agent_sa_name, verbs=["get", "list", "watch"]) + self.create_role_and_binding(rbac_v1=rbac_v1, namespace=namespace, role_name='ml-pipeline-driver-pvc-editor', resources=["persistentvolumeclaims"], sa_name=agent_sa_name, verbs=["create", "get", "list"]) + self.create_role_and_binding(rbac_v1=rbac_v1, namespace=namespace, role_name='artifact-secret-reader', resources=["secrets"], sa_name=agent_sa_name, verbs=["get", "list", "watch"], resource_names=["mlpipeline-minio-artifact"]) + except ApiException as e: + if e.status == 409: + print(f"ServiceAccount {agent_sa_name} already exists in {namespace}") + else: + print(f"Failed to create ServiceAccount {agent_sa_name}: {e}") + except Exception as e: + print(f"Unexpected error during the update sa in: {namespace} {e}") def sync(self, parent, attachments): # parent is a namespace @@ -194,6 +271,9 @@ def sync(self, parent, attachments): "True" or "False" } + + self.upsert_executor_plugin_sa(namespace) + # Generate the desired attachment object(s). desired_resources = [ { @@ -253,7 +333,6 @@ def sync(self, parent, attachments): }, ] - # Add artifact fetcher related resources if enabled if artifacts_proxy_enabled.lower() == "true": desired_resources.extend([ { 
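Review bot: upsert_executor_plugin_sa only reaches the `create_role_and_binding` calls when the service account is newly created. A 409 from `create_namespaced_service_account` jumps straight to the handler, so a namespace whose account exists but whose roles are missing or partial is never repaired, and a 409 from any role or binding is reported as "ServiceAccount ... already exists". Each create should treat a conflict as success on its own, for example through a small helper like the one sketched below, so that the remaining objects are still attempted. The bare `except:` around `config.load_incluster_config()` also swallows KeyboardInterrupt and SystemExit; `except config.ConfigException:` is the narrower form. Since `sync` now calls this method on every request, the config load and API clients could be set up once instead.

```python
    def _create_ignoring_conflict(self, create, kind, name, **kwargs):
        # Treat "already exists" as success so every object is idempotent by itself.
        try:
            create(**kwargs)
            print(f"{kind} {name} created")
        except ApiException as e:
            if e.status != 409:
                raise
            print(f"{kind} {name} already exists")

    # ... unchanged: create_role_and_binding builds the V1Role / V1RoleBinding bodies ...
    # and then calls, for each object:
    #   self._create_ignoring_conflict(rbac_v1.create_namespaced_role, "Role", role_name,
    #                                  namespace=namespace, body=role)
```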
@@ -370,6 +449,37 @@ def sync(self, parent, attachments): }, ]) + print('Creating executor-plugin service accounts') + # Argo Workflow Executor Plugin Necessary Resources + agent_sa_name = "ml-pipeline-driver-agent-executor-plugin" + secret_name = f"{agent_sa_name}.service-account-token" + desired_resources.extend([ + { + "apiVersion": "v1", + "kind": "Secret", + "metadata": { + "name": "default-editor.service-account-token", + "namespace": namespace, + "annotations": { + "kubernetes.io/service-account.name": "default-editor" + } + }, + "type": "kubernetes.io/service-account-token" + }, + { + "apiVersion": "v1", + "kind": "Secret", + "metadata": { + "name": secret_name, + "namespace": namespace, + "annotations": { + "kubernetes.io/service-account.name": agent_sa_name, + }, + }, + "type": "kubernetes.io/service-account-token", + }, + ]) + print('Received request:\n', json.dumps(parent, sort_keys=True)) print('Desired resources except secrets:\n', json.dumps(desired_resources, sort_keys=True)) diff --git a/manifests/kustomize/base/pipeline/kustomization.yaml b/manifests/kustomize/base/pipeline/kustomization.yaml index f5e65af608c..5f83941b698 100644 --- a/manifests/kustomize/base/pipeline/kustomization.yaml +++ b/manifests/kustomize/base/pipeline/kustomization.yaml @@ -34,6 +34,7 @@ resources: - container-builder-sa.yaml - viewer-sa.yaml - kfp-launcher-configmap.yaml + - ml-pipeline-driver-plugin-cm.yaml - public_configmap_role.yaml - public_configmap_role_binding.yaml configMapGenerator: diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-driver-plugin-cm.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-driver-plugin-cm.yaml new file mode 100644 index 00000000000..17756563d51 --- /dev/null +++ b/manifests/kustomize/base/pipeline/ml-pipeline-driver-plugin-cm.yaml 
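Review bot: The two `kubernetes.io/service-account-token` Secrets appended here are non-expiring credentials, and the first one is for `default-editor`, not for the plugin account the comment above them describes. Anyone who can read Secrets in the namespace can use such a token for as long as the ServiceAccount exists, so the block should say why each is needed, e.g. `# Argo resolves the agent token from <sa>.service-account-token; long-lived on purpose`, and the `default-editor` entry should be dropped if nothing consumes it. The same applies to `pipeline-runner.service-account-token` in pipeline-runner-sa.yaml and to the plugin token Secret in pipeline-runner-role.yaml. The `print('Creating executor-plugin service accounts')` line is also misleading, since this block only appends Secrets. `sync` continues outside the hunk.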
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ml-pipeline-driver-agent + labels: + workflows.argoproj.io/configmap-type: ExecutorPlugin +data: + sidecar.automountServiceAccountToken: "true" + sidecar.container: | + name: driver-plugin + image: ghcr.io/kubeflow/kfp-driver:dummy + imagePullPolicy: IfNotPresent + env: + - name: LOG_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: LOG_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + ports: + - containerPort: 8080 + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: var-run-argo + mountPath: /kfp/log + readOnly: false diff --git a/manifests/kustomize/base/pipeline/pipeline-runner-role.yaml b/manifests/kustomize/base/pipeline/pipeline-runner-role.yaml index eba0ee9f2d6..7b6f3c2da96 100644 --- a/manifests/kustomize/base/pipeline/pipeline-runner-role.yaml +++ b/manifests/kustomize/base/pipeline/pipeline-runner-role.yaml @@ -36,12 +36,16 @@ rules: - argoproj.io resources: - workflows + - workflowtaskresults + - workflowtasksets + - "workflowtasksets/status" verbs: - get - - list + - create + - patch - watch + - list - update - - patch - apiGroups: - "" resources: 
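Review bot: The sidecar image `ghcr.io/kubeflow/kfp-driver:dummy` sits inside the `sidecar.container` string, which kustomize's `images:` transformer does not rewrite, so any overlay that does not patch this ConfigMap deploys the placeholder tag. The dev overlay in this commit shows the consequence: it adds an `images:` entry for `kfp-driver` and still needs a full ConfigMap patch carrying `:master`, as does the TLS overlay with its own copy. A comment above `sidecar.container` would make the contract explicit, e.g. `# image tag is a placeholder: overlays must patch this ConfigMap, the images transformer does not touch ConfigMap data`, and release overlays should pin a version tag or digest here. The container's `securityContext` also leaves out `readOnlyRootFilesystem: true`; with `/kfp/log` mounted writable it can probably be added, provided the driver writes nowhere else.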
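Review bot: Adding `workflowtaskresults`, `workflowtasksets` and `workflowtasksets/status` to the existing `workflows` rule gives `pipeline-runner` the whole verb list (`get`, `create`, `patch`, `watch`, `list`, `update`) on all four resources. The Argo agent RBAC page linked from the new ClusterRole file in this commit asks for less, as far as I recall `list` and `watch` on `workflowtasksets` and `patch` on `workflowtasksets/status`. One rule per resource, each with only the verbs the agent and executor use, would keep the account that pipeline steps run under from creating or rewriting task sets. The rule list continues outside the hunk.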
@@ -85,3 +89,112 @@ rules: verbs: - create - patch + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-driver-agent-executor-plugin + labels: + application-crd-id: kubeflow-pipelines +secrets: + - name: ml-pipeline-driver-agent-executor-plugin.service-account-token +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ml-pipeline-driver-pods-viewer + namespace: kubeflow +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ml-pipeline-driver-pods-viewer-binding +subjects: + - kind: ServiceAccount + name: ml-pipeline-driver-agent-executor-plugin +roleRef: + kind: Role + name: ml-pipeline-driver-pods-viewer + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ml-pipeline-driver-pvc-editor + namespace: kubeflow +rules: + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ml-pipeline-driver-pvc-editor-binding +subjects: + - kind: ServiceAccount + name: ml-pipeline-driver-agent-executor-plugin +roleRef: + kind: Role + name: ml-pipeline-driver-pvc-editor + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: Secret +metadata: + name: ml-pipeline-driver-agent-executor-plugin.service-account-token + annotations: + kubernetes.io/service-account.name: ml-pipeline-driver-agent-executor-plugin +type: kubernetes.io/service-account-token + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: configmap-reader +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: configmap-reader-binding +subjects: + - kind: ServiceAccount + name: ml-pipeline-driver-agent-executor-plugin +roleRef: 
+ kind: Role + name: configmap-reader + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: artifact-secret-reader + namespace: kubeflow +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["mlpipeline-minio-artifact"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: artifact-secret-reader-binding + namespace: kubeflow +subjects: + - kind: ServiceAccount + name: ml-pipeline-driver-agent-executor-plugin + namespace: kubeflow +roleRef: + kind: Role + name: artifact-secret-reader + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/manifests/kustomize/base/pipeline/pipeline-runner-sa.yaml b/manifests/kustomize/base/pipeline/pipeline-runner-sa.yaml index 8cb2c669fb2..e1f42088371 100644 --- a/manifests/kustomize/base/pipeline/pipeline-runner-sa.yaml +++ b/manifests/kustomize/base/pipeline/pipeline-runner-sa.yaml @@ -2,3 +2,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: pipeline-runner + +--- +apiVersion: v1 +kind: Secret +metadata: + name: pipeline-runner.service-account-token + annotations: + kubernetes.io/service-account.name: pipeline-runner +type: kubernetes.io/service-account-token diff --git a/manifests/kustomize/env/cert-manager/base-tls-certs/kfp-api-cert.yaml b/manifests/kustomize/env/cert-manager/base-tls-certs/kfp-api-cert.yaml index 8dcdf1c623c..47edb66303a 100644 --- a/manifests/kustomize/env/cert-manager/base-tls-certs/kfp-api-cert.yaml +++ b/manifests/kustomize/env/cert-manager/base-tls-certs/kfp-api-cert.yaml @@ -23,4 +23,6 @@ spec: issuerRef: kind: Issuer name: kfp-api-tls-selfsigned-issuer - secretName: kfp-api-tls-cert + # Unfortunately, Argo Workflows (for security reasons) can mount certificates + # into the agent only from a Secret with a predefined name `argo-workflows-agent-ca-certificates` + secretName: argo-workflows-agent-ca-certificates \ No newline at end of file 
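Review bot: `configmap-reader` grants `get`, `list` and `watch` on every ConfigMap in the namespace to the plugin ServiceAccount; if the driver reads only a known set, `resourceNames` with `get` would be tighter, in the way `artifact-secret-reader` is scoped to `mlpipeline-minio-artifact`. The new objects are also inconsistent about namespaces: three Roles and one RoleBinding hard-code `namespace: kubeflow`, `configmap-reader` and the other bindings do not, and three RoleBinding subjects omit `namespace`, which a ServiceAccount subject needs unless kustomize fills it in. Dropping the hard-coded lines, or setting them everywhere, avoids a Role and its binding disagreeing, depending on how an overlay sets the namespace. `configmap-reader` and `artifact-secret-reader` are generic names, and an `ml-pipeline-driver-` prefix like the other two Roles would lower the chance of colliding with an existing Role.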
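Review bot: Renaming the Certificate's `secretName` to `argo-workflows-agent-ca-certificates` makes the Secret that Argo mounts into agent pods the same one that appears to hold the API server's private key: the apiserver patch in this commit reads `tls.key` from the `tls-certs` volume backed by this Secret, and the TLS driver-plugin ConfigMap mounts `argo-workflows-agent-ca-certificates` at `/kfp/certs`. The agent needs only the CA bundle to verify the server, so the key-bearing Secret should keep its own name and a second Secret holding just `ca.crt` should carry the predefined name. The comment could then read `# CA-only copy for the Argo agent; the serving key stays in kfp-api-tls-cert`. The `secretName` renames in the other patches under platform-agnostic-standalone-tls, and `CABUNDLE_SECRET_NAME`, follow from the same decision.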
diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/kustomization.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/kustomization.yaml index dbd6a30d394..43397c3d2fa 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/kustomization.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/kustomization.yaml @@ -42,6 +42,10 @@ patches: target: kind: Deployment name: ml-pipeline-persistenceagent + - path: patches/ml-pipeline-driver-plugin-cm.yaml + target: + kind: ConfigMap + name: ml-pipeline-driver-agent - path: patches/ml-pipeline-ui-deployment.yaml target: kind: Deployment diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-envoy-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-envoy-deployment.yaml index 0fa72587d37..c6a99880058 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-envoy-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-envoy-deployment.yaml @@ -20,7 +20,7 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates - name: envoy-config-tls-enabled configMap: name: envoy-config diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-grpc-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-grpc-deployment.yaml index 4bc193483d7..e6af2e5f545 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-grpc-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-grpc-deployment.yaml 
@@ -10,7 +10,7 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates - name: grpc-tls-config emptyDir: { } - name: mysql-secret diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-writer-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-writer-deployment.yaml index 1c651cc3b4b..f5f72c4b111 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-writer-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/metadata-writer-deployment.yaml @@ -19,4 +19,4 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-apiserver-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-apiserver-deployment.yaml index fef772368b5..59d268fe922 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-apiserver-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-apiserver-deployment.yaml @@ -17,7 +17,7 @@ spec: - "--tlsCertKeyPath=/etc/pki/tls/certs/tls.key" env: - name: CABUNDLE_SECRET_NAME - value: "kfp-api-tls-cert" + value: "argo-workflows-agent-ca-certificates" - name: METADATA_TLS_ENABLED value: "true" - name: ML_PIPELINE_SERVICE_HOST @@ -53,4 +53,4 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates 
diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-driver-plugin-cm.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-driver-plugin-cm.yaml new file mode 100644 index 00000000000..6d88ee499e1 --- /dev/null +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-driver-plugin-cm.yaml @@ -0,0 +1,45 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ml-pipeline-driver-agent +data: + sidecar.automountServiceAccountToken: "true" + sidecar.container: | + name: driver-plugin + image: ghcr.io/kubeflow/kfp-driver:dummy + env: + - name: LOG_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: LOG_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + ports: + - containerPort: 8080 + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: argo-workflows-agent-ca-certificates + mountPath: /kfp/certs + readOnly: true + - name: var-run-argo + mountPath: /kfp/log + readOnly: false diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-persistenceagent-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-persistenceagent-deployment.yaml index fccb9d2fedc..73f64d3ac06 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-persistenceagent-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-persistenceagent-deployment.yaml 
@@ -35,4 +35,4 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-scheduledworkflow-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-scheduledworkflow-deployment.yaml index 301ca3bb816..7c08cb7d4af 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-scheduledworkflow-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-scheduledworkflow-deployment.yaml @@ -22,4 +22,4 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-ui-deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-ui-deployment.yaml index cf7775542b2..aed2004e31c 100644 --- a/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-ui-deployment.yaml +++ b/manifests/kustomize/env/cert-manager/platform-agnostic-standalone-tls/patches/ml-pipeline-ui-deployment.yaml @@ -30,4 +30,4 @@ spec: volumes: - name: tls-certs secret: - secretName: kfp-api-tls-cert + secretName: argo-workflows-agent-ca-certificates diff --git a/manifests/kustomize/env/dev/driver-plugin-cm-path.yaml b/manifests/kustomize/env/dev/driver-plugin-cm-path.yaml new file mode 100644 index 00000000000..02e10ab683e --- /dev/null +++ b/manifests/kustomize/env/dev/driver-plugin-cm-path.yaml 
@@ -0,0 +1,41 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ml-pipeline-driver-agent +data: + sidecar.container: | + name: driver-plugin + image: ghcr.io/kubeflow/kfp-driver:master + env: + - name: LOG_ACCESS_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: LOG_SECRET_KEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + ports: + - containerPort: 8080 + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: var-run-argo + mountPath: /kfp/log + readOnly: false diff --git a/manifests/kustomize/env/dev/kustomization.yaml b/manifests/kustomize/env/dev/kustomization.yaml index f2ed5ddabf1..50a263096b8 100644 --- a/manifests/kustomize/env/dev/kustomization.yaml +++ b/manifests/kustomize/env/dev/kustomization.yaml @@ -11,6 +11,8 @@ resources: images: - name: ghcr.io/kubeflow/kfp-api-server newTag: master +- name: ghcr.io/kubeflow/kfp-driver + newTag: master - name: ghcr.io/kubeflow/kfp-frontend newTag: master - name: ghcr.io/kubeflow/kfp-persistence-agent @@ -34,6 +36,7 @@ images: patches: - path: api-server-patch.yaml + - path: driver-plugin-cm-path.yaml # !!! If you want to customize the namespace, # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources namespace: kubeflow diff --git a/manifests/kustomize/third-party/application/application-controller-deployment.yaml b/manifests/kustomize/third-party/application/application-controller-deployment.yaml index 1f1c589aaef..63497ef2c32 100644 --- a/manifests/kustomize/third-party/application/application-controller-deployment.yaml +++ b/manifests/kustomize/third-party/application/application-controller-deployment.yaml 
@@ -34,5 +34,5 @@ spec: memory: 30Mi requests: cpu: 100m - memory: 20Mi + memory: 64Mi serviceAccountName: application diff --git a/manifests/kustomize/third-party/argo/base/kustomization.yaml b/manifests/kustomize/third-party/argo/base/kustomization.yaml index bddc0c22226..a342bd907b9 100644 --- a/manifests/kustomize/third-party/argo/base/kustomization.yaml +++ b/manifests/kustomize/third-party/argo/base/kustomization.yaml @@ -3,6 +3,7 @@ kind: Kustomization resources: - https://github.com/argoproj/argo-workflows/manifests/base/workflow-controller?ref=v3.7.3 +- workflow-controller-argo-taskset-clusterrole-.yaml patches: - path: workflow-controller-deployment-patch.yaml diff --git a/manifests/kustomize/third-party/argo/base/workflow-controller-argo-taskset-clusterrole-.yaml b/manifests/kustomize/third-party/argo/base/workflow-controller-argo-taskset-clusterrole-.yaml new file mode 100644 index 00000000000..18a0d260140 --- /dev/null +++ b/manifests/kustomize/third-party/argo/base/workflow-controller-argo-taskset-clusterrole-.yaml @@ -0,0 +1,24 @@ +# Argo Workflow and the Agent communicate via the new WorkflowTaskSet CR, +# so RBAC permissions are required for this resource. +# Details: https://argo-workflows.readthedocs.io/en/latest/http-template/#argo-agent-rbac +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-workflowtaskset-status +rules: + - apiGroups: ["argoproj.io"] + resources: ["workflowtasksets/status", "workflowtasksets"] + verbs: ["get","list","watch","update","patch","delete","create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argo-workflowtaskset-status-binding +subjects: + - kind: ServiceAccount + name: argo + namespace: kubeflow +roleRef: + kind: ClusterRole + name: argo-workflowtaskset-status + apiGroup: rbac.authorization.k8s.io 
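Review bot: The memory request is raised to `64Mi` while the context line just above `requests:` still reads `memory: 30Mi`, which looks like the limit, and Kubernetes rejects a container whose request exceeds its limit. The limit should be raised in the same change to at least the new request, e.g. `memory: 64Mi` under `limits`. The `resources` block starts outside the hunk, so confirm that the `30Mi` line is the limit.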
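Review bot: The header comment of the new ClusterRole file cites the Argo agent RBAC page, but the ClusterRoleBinding gives the rule to the `argo` ServiceAccount in `kubeflow`, cluster-wide, with `create`, `update`, `patch` and `delete` on both `workflowtasksets` and `workflowtasksets/status`. The comment should name the component this is for and why it needs write access in every namespace, e.g. `# Bound to the workflow-controller SA (argo), which manages WorkflowTaskSets for agent pods`, if that is the intent. The subject's `namespace: kubeflow` is hard-coded, so an install into another namespace has to change it, and the file name ending in `clusterrole-.yaml` looks like a typo.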
diff --git a/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml b/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml index abeec455e3d..d13da9e498f 100644 --- a/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml +++ b/manifests/kustomize/third-party/argo/base/workflow-controller-deployment-patch.yaml @@ -17,6 +17,12 @@ spec: - workflow-controller-configmap - --executor-image - quay.io/argoproj/argoexec:v3.7.3 + env: + # https://argo-workflows.readthedocs.io/en/latest/environment-variables/ + - name: ARGO_EXECUTOR_PLUGINS + value: "true" + - name: DEFAULT_REQUEUE_TIME + value: "6s" securityContext: readOnlyRootFilesystem: true runAsNonRoot: true diff --git a/manifests/kustomize/third-party/argo/installs/namespace/kustomization.yaml b/manifests/kustomize/third-party/argo/installs/namespace/kustomization.yaml index 90b8eea8588..cfb8c5b0595 100644 --- a/manifests/kustomize/third-party/argo/installs/namespace/kustomization.yaml +++ b/manifests/kustomize/third-party/argo/installs/namespace/kustomization.yaml @@ -15,4 +15,4 @@ patches: group: apps kind: Deployment name: workflow-controller - version: v1 + version: v1 \ No newline at end of file diff --git a/manifests/kustomize/third-party/argo/installs/namespace/workflow-controller-argo-role-patch.json b/manifests/kustomize/third-party/argo/installs/namespace/workflow-controller-argo-role-patch.json new file mode 100644 index 00000000000..f0ca733247f --- /dev/null +++ b/manifests/kustomize/third-party/argo/installs/namespace/workflow-controller-argo-role-patch.json @@ -0,0 +1,11 @@ +[ + { + "op": "add", + "path": "/rules/-", + "value": { + "apiGroups": ["argoproj.io"], + "resources": ["workflowtasksets/status"], + "verbs": ["get","list","watch","update","patch","delete","create"] + } + } +] \ No newline at end of file 
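Review bot: `ARGO_EXECUTOR_PLUGINS: "true"` has the controller take sidecar definitions from ConfigMaps labelled `workflows.argoproj.io/configmap-type: ExecutorPlugin`, which is how the base `ml-pipeline-driver-agent` ConfigMap in this commit is marked. Write access to ConfigMaps in the namespaces the controller reads plugins from then presumably becomes a way to add containers to agent pods, so the comment should record that, e.g. `# plugins are loaded from labelled ConfigMaps; restrict who can create ConfigMaps in watched namespaces`. `DEFAULT_REQUEUE_TIME: "6s"` comes without a reason, and a short comment on why the default was changed would help. The container spec starts outside the hunk.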
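Review bot: Nothing visible in this commit references `workflow-controller-argo-role-patch.json`: the only change to `installs/namespace/kustomization.yaml` is the end-of-file newline, and its `patches:` context targets the `workflow-controller` Deployment. If the patch is meant to add the `workflowtasksets/status` rule to the namespaced Argo Role, it needs a `patches:` entry with a `Role` target, unless a kustomization outside this view already lists it. The verb list also carries `create`, `delete`, `list` and `watch`, which should not be needed on a status subresource; `get`, `update` and `patch` are likely enough.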
diff --git a/test_data/compiled-workflows/add_numbers.yaml b/test_data/compiled-workflows/add_numbers.yaml index 62aa216be99..5d34296fa04 100644 --- a/test_data/compiled-workflows/add_numbers.yaml +++ b/test_data/compiled-workflows/add_numbers.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: add-numbers- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - add-numbers - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: add-numbers + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -245,62 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - add-numbers - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -330,6 +263,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: add-numbers + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/arguments-parameters.yaml b/test_data/compiled-workflows/arguments-parameters.yaml deleted file mode 100644 index 5d6a324eff3..00000000000 --- a/test_data/compiled-workflows/arguments-parameters.yaml +++ /dev/null 
@@ -1,334 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Workflow -metadata: - creationTimestamp: null - generateName: echo- -spec: - arguments: - parameters: - - name: components-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483 - value: '{"executorLabel":"exec-echo","inputDefinitions":{"parameters":{"param1":{"parameterType":"STRING"},"param2":{"parameterType":"STRING"}}}}' - - name: implementations-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483 - value: '{"args":["{{$.inputs.parameters[''param1'']}}-{{$.inputs.parameters[''param2'']}}"],"command":["echo"],"image":"public.ecr.aws/docker/library/python:3.12"}' - - name: components-root - value: '{"dag":{"tasks":{"echo":{"cachingOptions":{"enableCache":true},"componentRef":{"name":"comp-echo"},"inputs":{"parameters":{"param1":{"componentInputParameter":"param1"},"param2":{"componentInputParameter":"param2"}}},"taskInfo":{"name":"echo"}}}},"inputDefinitions":{"parameters":{"param1":{"defaultValue":"hello","parameterType":"STRING"},"param2":{"parameterType":"STRING"}}}}' - entrypoint: entrypoint - podMetadata: - annotations: - pipelines.kubeflow.org/v2_component: "true" - labels: - pipelines.kubeflow.org/v2_component: "true" - serviceAccountName: pipeline-runner - templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - 
'{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: - parameters: - - name: component - - name: task - - name: container - - name: task-name - - name: parent-dag-id - - default: "-1" - name: iteration-index - - default: "" - name: kubernetes-config - metadata: {} - name: system-container-driver - outputs: - parameters: - - name: pod-spec-patch - valueFrom: - default: "" - path: /tmp/outputs/pod-spec-patch - - default: "false" - name: cached-decision - valueFrom: - default: "false" - path: /tmp/outputs/cached-decision - - name: condition - valueFrom: - default: "true" - path: /tmp/outputs/condition - - dag: - tasks: - - arguments: - parameters: - - name: pod-spec-patch - value: '{{inputs.parameters.pod-spec-patch}}' - name: executor - template: system-container-impl - when: '{{inputs.parameters.cached-decision}} != true' - inputs: - parameters: - - name: pod-spec-patch - - default: "false" - name: cached-decision - metadata: {} - name: system-container-executor - outputs: {} - - container: - command: - - should-be-overridden-during-runtime - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - envFrom: - - configMapRef: - name: metadata-grpc-configmap - optional: true - image: gcr.io/ml-pipeline/should-be-overridden-during-runtime - name: "" - resources: {} - volumeMounts: - - mountPath: /kfp-launcher - name: kfp-launcher - - mountPath: /gcs - name: gcs-scratch - - mountPath: /s3 - name: s3-scratch - - mountPath: /minio - name: minio-scratch - - 
mountPath: /.local - name: dot-local-scratch - - mountPath: /.cache - name: dot-cache-scratch - - mountPath: /.config - name: dot-config-scratch - initContainers: - - args: - - --copy - - /kfp-launcher/launch - command: - - launcher-v2 - image: ghcr.io/kubeflow/kfp-launcher:latest - name: kfp-launcher - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 100m - volumeMounts: - - mountPath: /kfp-launcher - name: kfp-launcher - inputs: - parameters: - - name: pod-spec-patch - metadata: {} - name: system-container-impl - outputs: {} - podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' - volumes: - - emptyDir: {} - name: kfp-launcher - - emptyDir: {} - name: gcs-scratch - - emptyDir: {} - name: s3-scratch - - emptyDir: {} - name: minio-scratch - - emptyDir: {} - name: dot-local-scratch - - emptyDir: {} - name: dot-cache-scratch - - emptyDir: {} - name: dot-config-scratch - - dag: - tasks: - - arguments: - parameters: - - name: component - value: '{{workflow.parameters.components-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483}}' - - name: task - value: '{"cachingOptions":{"enableCache":true},"componentRef":{"name":"comp-echo"},"inputs":{"parameters":{"param1":{"componentInputParameter":"param1"},"param2":{"componentInputParameter":"param2"}}},"taskInfo":{"name":"echo"}}' - - name: container - value: '{{workflow.parameters.implementations-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483}}' - - name: task-name - value: echo - - name: parent-dag-id - value: '{{inputs.parameters.parent-dag-id}}' - name: echo-driver - template: system-container-driver - - arguments: - parameters: - - name: pod-spec-patch - value: '{{tasks.echo-driver.outputs.parameters.pod-spec-patch}}' - - default: "false" - name: cached-decision - value: '{{tasks.echo-driver.outputs.parameters.cached-decision}}' - depends: echo-driver.Succeeded - name: echo - template: system-container-executor - inputs: - parameters: - - name: parent-dag-id - metadata: 
{} - name: root - outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: - parameters: - - name: component - - default: "" - name: runtime-config - - default: "" - name: task - - default: "" - name: task-name - - default: "0" - name: parent-dag-id - - default: "-1" - name: iteration-index - - default: DAG - name: driver-type - metadata: {} - name: system-dag-driver - outputs: - parameters: - - name: execution-id - valueFrom: - path: /tmp/outputs/execution-id - - name: iteration-count - valueFrom: - default: "0" - path: /tmp/outputs/iteration-count - - name: condition - valueFrom: - default: "true" - path: /tmp/outputs/condition - - dag: - tasks: - - arguments: - parameters: - - name: component - value: '{{workflow.parameters.components-root}}' - - name: runtime-config - value: '{"parameterValues":{"param1":"hello"}}' - - name: driver-type - value: ROOT_DAG - name: root-driver - template: 
system-dag-driver - - arguments: - parameters: - - name: parent-dag-id - value: '{{tasks.root-driver.outputs.parameters.execution-id}}' - - name: condition - value: "" - depends: root-driver.Succeeded - name: root - template: root - inputs: {} - metadata: {} - name: entrypoint - outputs: {} -status: - finishedAt: null - startedAt: null diff --git a/test_data/compiled-workflows/arguments.pipeline.yaml b/test_data/compiled-workflows/arguments.pipeline.yaml deleted file mode 100644 index 5d6a324eff3..00000000000 --- a/test_data/compiled-workflows/arguments.pipeline.yaml +++ /dev/null 
@@ -1,334 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Workflow -metadata: - creationTimestamp: null - generateName: echo- -spec: - arguments: - parameters: - - name: components-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483 - value: '{"executorLabel":"exec-echo","inputDefinitions":{"parameters":{"param1":{"parameterType":"STRING"},"param2":{"parameterType":"STRING"}}}}' - - name: implementations-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483 - value: '{"args":["{{$.inputs.parameters[''param1'']}}-{{$.inputs.parameters[''param2'']}}"],"command":["echo"],"image":"public.ecr.aws/docker/library/python:3.12"}' - - name: components-root - value: '{"dag":{"tasks":{"echo":{"cachingOptions":{"enableCache":true},"componentRef":{"name":"comp-echo"},"inputs":{"parameters":{"param1":{"componentInputParameter":"param1"},"param2":{"componentInputParameter":"param2"}}},"taskInfo":{"name":"echo"}}}},"inputDefinitions":{"parameters":{"param1":{"defaultValue":"hello","parameterType":"STRING"},"param2":{"parameterType":"STRING"}}}}' - entrypoint: entrypoint - podMetadata: - annotations: - pipelines.kubeflow.org/v2_component: "true" - labels: - pipelines.kubeflow.org/v2_component: "true" - serviceAccountName: pipeline-runner - templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - 
'{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: - parameters: - - name: component - - name: task - - name: container - - name: task-name - - name: parent-dag-id - - default: "-1" - name: iteration-index - - default: "" - name: kubernetes-config - metadata: {} - name: system-container-driver - outputs: - parameters: - - name: pod-spec-patch - valueFrom: - default: "" - path: /tmp/outputs/pod-spec-patch - - default: "false" - name: cached-decision - valueFrom: - default: "false" - path: /tmp/outputs/cached-decision - - name: condition - valueFrom: - default: "true" - path: /tmp/outputs/condition - - dag: - tasks: - - arguments: - parameters: - - name: pod-spec-patch - value: '{{inputs.parameters.pod-spec-patch}}' - name: executor - template: system-container-impl - when: '{{inputs.parameters.cached-decision}} != true' - inputs: - parameters: - - name: pod-spec-patch - - default: "false" - name: cached-decision - metadata: {} - name: system-container-executor - outputs: {} - - container: - command: - - should-be-overridden-during-runtime - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - envFrom: - - configMapRef: - name: metadata-grpc-configmap - optional: true - image: gcr.io/ml-pipeline/should-be-overridden-during-runtime - name: "" - resources: {} - volumeMounts: - - mountPath: /kfp-launcher - name: kfp-launcher - - mountPath: /gcs - name: gcs-scratch - - mountPath: /s3 - name: s3-scratch - - mountPath: /minio - name: minio-scratch - - 
mountPath: /.local - name: dot-local-scratch - - mountPath: /.cache - name: dot-cache-scratch - - mountPath: /.config - name: dot-config-scratch - initContainers: - - args: - - --copy - - /kfp-launcher/launch - command: - - launcher-v2 - image: ghcr.io/kubeflow/kfp-launcher:latest - name: kfp-launcher - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 100m - volumeMounts: - - mountPath: /kfp-launcher - name: kfp-launcher - inputs: - parameters: - - name: pod-spec-patch - metadata: {} - name: system-container-impl - outputs: {} - podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' - volumes: - - emptyDir: {} - name: kfp-launcher - - emptyDir: {} - name: gcs-scratch - - emptyDir: {} - name: s3-scratch - - emptyDir: {} - name: minio-scratch - - emptyDir: {} - name: dot-local-scratch - - emptyDir: {} - name: dot-cache-scratch - - emptyDir: {} - name: dot-config-scratch - - dag: - tasks: - - arguments: - parameters: - - name: component - value: '{{workflow.parameters.components-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483}}' - - name: task - value: '{"cachingOptions":{"enableCache":true},"componentRef":{"name":"comp-echo"},"inputs":{"parameters":{"param1":{"componentInputParameter":"param1"},"param2":{"componentInputParameter":"param2"}}},"taskInfo":{"name":"echo"}}' - - name: container - value: '{{workflow.parameters.implementations-e3bf4dafebca73c53759f2310029cb3fc65ab6a05d870069f7c58096ff7bb483}}' - - name: task-name - value: echo - - name: parent-dag-id - value: '{{inputs.parameters.parent-dag-id}}' - name: echo-driver - template: system-container-driver - - arguments: - parameters: - - name: pod-spec-patch - value: '{{tasks.echo-driver.outputs.parameters.pod-spec-patch}}' - - default: "false" - name: cached-decision - value: '{{tasks.echo-driver.outputs.parameters.cached-decision}}' - depends: echo-driver.Succeeded - name: echo - template: system-container-executor - inputs: - parameters: - - name: parent-dag-id - metadata: 
{} - name: root - outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: - parameters: - - name: component - - default: "" - name: runtime-config - - default: "" - name: task - - default: "" - name: task-name - - default: "0" - name: parent-dag-id - - default: "-1" - name: iteration-index - - default: DAG - name: driver-type - metadata: {} - name: system-dag-driver - outputs: - parameters: - - name: execution-id - valueFrom: - path: /tmp/outputs/execution-id - - name: iteration-count - valueFrom: - default: "0" - path: /tmp/outputs/iteration-count - - name: condition - valueFrom: - default: "true" - path: /tmp/outputs/condition - - dag: - tasks: - - arguments: - parameters: - - name: component - value: '{{workflow.parameters.components-root}}' - - name: runtime-config - value: '{"parameterValues":{"param1":"hello"}}' - - name: driver-type - value: ROOT_DAG - name: root-driver - template: 
system-dag-driver - - arguments: - parameters: - - name: parent-dag-id - value: '{{tasks.root-driver.outputs.parameters.execution-id}}' - - name: condition - value: "" - depends: root-driver.Succeeded - name: root - template: root - inputs: {} - metadata: {} - name: entrypoint - outputs: {} -status: - finishedAt: null - startedAt: null diff --git a/test_data/compiled-workflows/arguments_parameters.yaml b/test_data/compiled-workflows/arguments_parameters.yaml index b2a7f8cef12..6db4c0d4011 100644 --- a/test_data/compiled-workflows/arguments_parameters.yaml +++ b/test_data/compiled-workflows/arguments_parameters.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
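Review bot: The `sidecar.istio.io/inject: "false"` annotation is added under `podMetadata`, which in this fixture sits at the workflow `spec` level, so it presumably applies to every pod the workflow creates, including the executor pods that run user code. In a cluster that relies on the Istio sidecar for mTLS and authorization policy, those pods would then sit outside the mesh. If the compiler emits this unconditionally, consider making it a deployment option and keeping one fixture without it; if only one step needs it, scope it to that template's `metadata.annotations` instead. The same line is added in artifact_cache.yaml, artifact_crust.yaml and artifacts_complex.yaml.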
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
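Review bot: The three `*_path` plugin arguments of the container-driver template still expand `{{outputs.parameters.<name>.path}}`, but this hunk replaces each output's `path:` with `jsonPath:`, so those outputs no longer declare a path for the expression to resolve to. The DAG-driver template in the `@@ -321,6 +254,37 @@` hunk does the opposite and keeps `path: /tmp/outputs/condition` next to its new `plugin:` block, so the two driver templates now disagree on how outputs are read. Neither the compiler nor the plugin is visible here, so this may be tolerated at runtime, but the fixture should pin one convention: either drop the `*_path` args where `jsonPath` is used, or move the DAG-driver outputs to `jsonPath: $.condition` and its siblings. The same hunks repeat in artifact_cache.yaml and artifact_crust.yaml.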
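Review bot: The securityContext added to the executor's main container omits `runAsNonRoot: true`, while the init container in the `@@ -179,6 +156,14 @@` hunk sets it and the template-level block in `@@ -189,6 +174,9 @@` carries only `seccompProfile`. If Argo applies a template-level securityContext in place of the workflow-level one rather than merging the two (worth confirming), the `runAsNonRoot: true` set under `spec` would not reach the pod that runs user code. If the omission is intentional so that images running as root keep working, the compiler should say so where it builds `system-container-impl`; otherwise add `runAsNonRoot: true` to the template-level securityContext. The template continues outside these hunks, and the same three hunks repeat in artifact_cache.yaml and artifact_crust.yaml.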
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/artifact_cache.yaml b/test_data/compiled-workflows/artifact_cache.yaml index 25957d23828..1dd859cff31 100644 --- a/test_data/compiled-workflows/artifact_cache.yaml +++ b/test_data/compiled-workflows/artifact_cache.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: artifact-cache-pipeline- spec: arguments: 
@@ -44,77 +43,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - artifact-cache-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -132,16 +70,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: artifact-cache-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -178,6 +148,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -207,6 +184,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -217,6 +202,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -264,62 +252,7 @@ spec: metadata: {} name: comp-core outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - artifact-cache-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -349,6 +282,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: artifact-cache-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/artifact_crust.yaml b/test_data/compiled-workflows/artifact_crust.yaml index 2f29f578ed5..f1a5fcc7324 100644 --- a/test_data/compiled-workflows/artifact_crust.yaml +++ b/test_data/compiled-workflows/artifact_crust.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: artifact-pipeline- spec: arguments: 
@@ -44,77 +43,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - artifact-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -132,16 +70,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: artifact-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -178,6 +148,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -207,6 +184,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -217,6 +202,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -264,62 +252,7 @@ spec: metadata: {} name: comp-core outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - artifact-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -349,6 +282,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: artifact-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/artifacts_complex.yaml b/test_data/compiled-workflows/artifacts_complex.yaml index e15983b569c..b09e7ae7229 100644 --- a/test_data/compiled-workflows/artifacts_complex.yaml +++ b/test_data/compiled-workflows/artifacts_complex.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -70,77 +69,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
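Review bot: The added `sidecar.istio.io/inject: "false"` sits under `podMetadata.annotations`, so it applies to every pod the workflow creates, which is much broader than the driver change in this hunk. In a cluster that relies on the Istio sidecar for mTLS or authorization policy, these pods would reach `ml-pipeline` and `metadata-grpc-service` outside the mesh, and the plugin args added later in this file also carry `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. I would make the annotation opt-in, or explain in the PR description why it is needed and add a comment where the compiler sets it, such as `// sidecar injection disabled for pipeline pods: <reason>`. The same annotation is added in artifacts_simple.yaml, collected_artifacts.yaml and collected_parameters.yaml.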
@@ -158,16 +96,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -204,6 +174,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
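Review bot: The added plugin args in hunk `@@ -158,16 +96,48 @@` still pass `'{{outputs.parameters.cached-decision.path}}'`, `'{{outputs.parameters.pod-spec-patch.path}}'` and `'{{outputs.parameters.condition.path}}'`, although the same hunk changes those three outputs from `path:` to `jsonPath:`. With no `path` left on the parameters, it is not clear from the diff what `.path` expands to, and a plugin that returns its outputs in the response presumably has no use for a file path. I would drop `cached_decision_path`, `pod_spec_patch_path` and `condition_path` from the plugin args, or add a test showing that the variables still resolve. The same combination appears in the container-driver hunks of artifacts_simple.yaml (`@@ -143,16 +81,48 @@`), collected_artifacts.yaml (`@@ -224,16 +162,48 @@`) and collected_parameters.yaml (`@@ -159,16 +97,48 @@`).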
@@ -233,6 +210,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -243,6 +228,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -371,62 +359,7 @@ spec: metadata: {} name: comp-condition-5 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -456,6 +389,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -500,6 +464,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"inputs":{"parameters":{"pipelinechannel--threshold":{"componentInputParameter":"pipelinechannel--threshold"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -529,6 +495,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"inputs":{"parameters":{"pipelinechannel--threshold":{"componentInputParameter":"pipelinechannel--threshold"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: @@ -599,6 +567,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--threshold":{"componentInputParameter":"threshold"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -628,6 +598,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--threshold":{"componentInputParameter":"threshold"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/artifacts_simple.yaml b/test_data/compiled-workflows/artifacts_simple.yaml index 14812f852c9..bf86dae3fa1 100644 --- a/test_data/compiled-workflows/artifacts_simple.yaml +++ b/test_data/compiled-workflows/artifacts_simple.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -55,77 +54,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -143,16 +81,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -189,6 +159,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -218,6 +195,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -228,6 +213,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -275,62 +263,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -360,6 +293,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -373,6 +337,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -402,6 +368,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/collected_artifacts.yaml b/test_data/compiled-workflows/collected_artifacts.yaml index 451f34e2d6f..cd3c934770a 100644 --- a/test_data/compiled-workflows/collected_artifacts.yaml +++ b/test_data/compiled-workflows/collected_artifacts.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: collected-artifact-pipeline- spec: arguments: 
@@ -136,77 +135,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - collected-artifact-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -224,16 +162,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: collected-artifact-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -270,6 +240,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -299,6 +276,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -309,6 +294,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -356,62 +344,7 @@ spec: metadata: {} name: comp-single-node-dag outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - collected-artifact-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -441,6 +374,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: collected-artifact-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -507,6 +471,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--split-chars-Output":{"componentInputParameter":"pipelinechannel--split-chars-Output"},"pipelinechannel--split-ids-Output-loop-item":{"componentInputParameter":"pipelinechannel--split-ids-Output-loop-item"}}},"parameterIterator":{"itemInput":"pipelinechannel--split-chars-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-chars-Output"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -535,6 +501,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--split-chars-Output":{"componentInputParameter":"pipelinechannel--split-chars-Output"},"pipelinechannel--split-ids-Output-loop-item":{"componentInputParameter":"pipelinechannel--split-ids-Output-loop-item"}}},"parameterIterator":{"itemInput":"pipelinechannel--split-chars-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-chars-Output"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: @@ -679,6 +647,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"dependentTasks":["split-chars","split-ids"],"inputs":{"parameters":{"pipelinechannel--split-chars-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-chars"}},"pipelinechannel--split-ids-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-ids"}}}},"parameterIterator":{"itemInput":"pipelinechannel--split-ids-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-ids-Output"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -707,6 +677,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"dependentTasks":["split-chars","split-ids"],"inputs":{"parameters":{"pipelinechannel--split-chars-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-chars"}},"pipelinechannel--split-ids-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-ids"}}}},"parameterIterator":{"itemInput":"pipelinechannel--split-ids-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-ids-Output"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/collected_parameters.yaml b/test_data/compiled-workflows/collected_parameters.yaml index 73bc3c25aa6..4085d458374 100644 --- a/test_data/compiled-workflows/collected_parameters.yaml +++ b/test_data/compiled-workflows/collected_parameters.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: collected-param-pipeline- spec: arguments: 
@@ -71,77 +70,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - collected-param-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -159,16 +97,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: collected-param-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -205,6 +175,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -234,6 +211,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -244,6 +229,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -316,62 +304,7 @@ spec: metadata: {} name: comp-for-loop-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - collected-param-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -401,6 +334,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: collected-param-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -413,6 +377,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"dependentTasks":["split-ids"],"inputs":{"parameters":{"pipelinechannel--split-ids-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-ids"}}}},"parameterIterator":{"itemInput":"pipelinechannel--split-ids-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-ids-Output"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -441,6 +407,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"dependentTasks":["split-ids"],"inputs":{"parameters":{"pipelinechannel--split-ids-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-ids"}}}},"parameterIterator":{"itemInput":"pipelinechannel--split-ids-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-ids-Output"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/component_with_metadata_fields.yaml b/test_data/compiled-workflows/component_with_metadata_fields.yaml index e968493445c..02739f1945d 100644 --- a/test_data/compiled-workflows/component_with_metadata_fields.yaml +++ b/test_data/compiled-workflows/component_with_metadata_fields.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: dataset-joiner- spec: arguments: 
@@ -40,77 +39,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - dataset-joiner - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
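Review bot: `sidecar.istio.io/inject: "false"` is added to `podMetadata` here, so every pod created for the workflow opts out of the Istio sidecar; I can't tell from the diff whether the compiler emits it unconditionally. In a deployment that relies on the mesh for mTLS or AuthorizationPolicy, those pods would then reach other services without sidecar-enforced identity or transport protection. Separately, the plugin args added further down in this file set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false` for `ml-pipeline.kubeflow.svc.cluster.local` and `metadata-grpc-service.kubeflow.svc.cluster.local`. Please document, where the compiler emits these, why injection is disabled and which setting turns the two TLS flags on. The same hunk appears in the other compiled workflows below.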
@@ -128,16 +66,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: dataset-joiner + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -174,6 +144,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -203,6 +180,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -213,6 +198,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -260,62 +248,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - dataset-joiner - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -345,6 +278,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: dataset-joiner + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/component_with_optional_inputs.yaml b/test_data/compiled-workflows/component_with_optional_inputs.yaml index 49cb8425645..f66bf9ca47e 100644 --- a/test_data/compiled-workflows/component_with_optional_inputs.yaml +++ b/test_data/compiled-workflows/component_with_optional_inputs.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: v2-component-optional-input- spec: arguments: 
@@ -29,77 +28,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - v2-component-optional-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -117,16 +55,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: v2-component-optional-input + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -163,6 +133,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -192,6 +169,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -202,6 +187,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -249,62 +237,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - v2-component-optional-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -334,6 +267,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: v2-component-optional-input + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/component_with_pip_index_urls.yaml b/test_data/compiled-workflows/component_with_pip_index_urls.yaml index c9e93836d19..2cc5d6c3654 100644 --- a/test_data/compiled-workflows/component_with_pip_index_urls.yaml +++ b/test_data/compiled-workflows/component_with_pip_index_urls.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: v2-component-pip-index-urls- spec: arguments: 
@@ -27,77 +26,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - v2-component-pip-index-urls - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -115,16 +53,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: v2-component-pip-index-urls + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -161,6 +131,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -190,6 +167,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -200,6 +185,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -247,62 +235,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - v2-component-pip-index-urls - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -332,6 +265,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: v2-component-pip-index-urls + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/component_with_pip_install.yaml b/test_data/compiled-workflows/component_with_pip_install.yaml index 39f22d9cce1..b3498d61877 100644 --- a/test_data/compiled-workflows/component_with_pip_install.yaml +++ b/test_data/compiled-workflows/component_with_pip_install.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: component-with-pip-install- spec: arguments: 
@@ -27,77 +26,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - component-with-pip-install - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -115,16 +53,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: component-with-pip-install + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -161,6 +131,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -190,6 +167,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -200,6 +185,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -247,62 +235,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - component-with-pip-install - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -332,6 +265,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: component-with-pip-install + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/component_with_pip_install_in_venv.yaml b/test_data/compiled-workflows/component_with_pip_install_in_venv.yaml index 7e23a511594..68c58e4c254 100644 --- a/test_data/compiled-workflows/component_with_pip_install_in_venv.yaml +++ b/test_data/compiled-workflows/component_with_pip_install_in_venv.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: component-with-pip-install- spec: arguments: 
@@ -28,77 +27,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - component-with-pip-install - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -116,16 +54,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: component-with-pip-install + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -162,6 +132,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
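Review bot: In the first hunk on this line (`@@ -116,16 +54,48 @@`) the three outputs move from `path:` to `jsonPath:`, yet the plugin args still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `'{{outputs.parameters.<name>.path}}'`, which has no file path behind it once `valueFrom.path` is gone. The DAG-driver template later in this file keeps `path: /tmp/outputs/condition` next to the same kind of args, so the two driver templates now disagree on how outputs are read. If the plugin returns these values in its response and ignores the `*_path` args, drop them from the compiled args; otherwise keep `path:` so the placeholders resolve. `pod-spec-patch` feeds `podSpecPatch: '{{inputs.parameters.pod-spec-patch}}'` on the executor template, so an empty or unresolved value there deserves a test. The same pattern repeats in the other compiled workflows in this diff.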
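Review bot: In the second hunk on this line (`@@ -162,6 +132,13 @@`) the `securityContext` added to the user-code container (the one with `image: gcr.io/ml-pipeline/should-be-overridden-during-runtime`) omits `runAsNonRoot: true`, while the container in the next hunk (`@@ -191,6 +168,14 @@`) and the workflow-level `securityContext` both set it. The template-level `securityContext` added for `system-container-impl` (`@@ -201,6 +186,9 @@`) carries only `seccompProfile`. If Argo applies a template's pod security context in place of the workflow-level one rather than merging them, the pod that runs user code is the one place where root is still allowed. If that is intentional for images that run as root, say so where the compiler builds this context, with a comment such as `user images may run as root; runAsNonRoot deliberately not set`; otherwise add `runAsNonRoot: true` to both. The container definition starts outside this hunk, and the same lines recur in the other compiled workflows in this diff.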
@@ -191,6 +168,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -201,6 +186,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -248,62 +236,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - component-with-pip-install - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -333,6 +266,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: component-with-pip-install + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/components_with_optional_artifacts.yaml b/test_data/compiled-workflows/components_with_optional_artifacts.yaml index af51d27f5c2..6fc0c457cfd 100644 --- a/test_data/compiled-workflows/components_with_optional_artifacts.yaml +++ b/test_data/compiled-workflows/components_with_optional_artifacts.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: optional-artifact-pipeline- spec: arguments: 
@@ -41,77 +40,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - optional-artifact-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -129,16 +67,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: optional-artifact-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -175,6 +145,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -204,6 +181,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -214,6 +199,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -341,6 +329,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task 
@@ -350,62 +346,11 @@ spec: metadata: {} name: system-importer outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - optional-artifact-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - inputs: parameters: - name: component - default: "" 
@@ -435,6 +380,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: optional-artifact-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/concat_message.yaml b/test_data/compiled-workflows/concat_message.yaml index 442393ad338..b7ac9d67574 100644 --- a/test_data/compiled-workflows/concat_message.yaml +++ b/test_data/compiled-workflows/concat_message.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: concat-message- spec: arguments: 
@@ -26,77 +25,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - concat-message - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -114,16 +52,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: concat-message + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -160,6 +130,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -189,6 +166,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -199,6 +184,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -246,62 +234,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - concat-message - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -331,6 +264,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: concat-message + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/conditional_producer_and_consumers.yaml b/test_data/compiled-workflows/conditional_producer_and_consumers.yaml index aea031644a3..3adb435872b 100644 --- a/test_data/compiled-workflows/conditional_producer_and_consumers.yaml +++ b/test_data/compiled-workflows/conditional_producer_and_consumers.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -47,77 +46,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -135,16 +73,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -181,6 +151,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -210,6 +187,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -220,6 +205,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -299,62 +287,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -384,6 +317,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -428,6 +392,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--threshold":{"componentInputParameter":"threshold"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -457,6 +423,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--threshold":{"componentInputParameter":"threshold"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/container_component_with_no_inputs.yaml b/test_data/compiled-workflows/container_component_with_no_inputs.yaml index f3097105158..35bc6e1c73d 100644 --- a/test_data/compiled-workflows/container_component_with_no_inputs.yaml +++ b/test_data/compiled-workflows/container_component_with_no_inputs.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: v2-container-component-no-input- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - v2-container-component-no-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: v2-container-component-no-input + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - v2-container-component-no-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
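Review bot: The `securityContext` added to `system-container-impl` in the `@@ -189` hunk carries only `seccompProfile`, and the user container's context added in the `@@ -150` hunk also omits `runAsNonRoot`, unlike the launcher container in the `@@ -179` hunk. Assuming Argo lets a template-level `securityContext` replace the workflow-level one, the pod that runs user code is then the one place where the workflow-level `runAsNonRoot: true` from the first hunk does not apply. If that is deliberate (arbitrary component images may need root), it deserves a sentence in the compiler where this context is built and an assertion in its test; if not, add `runAsNonRoot: true` under this `securityContext:`. The same hunk recurs in each compiled workflow below.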
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: v2-container-component-no-input + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/container_io.yaml b/test_data/compiled-workflows/container_io.yaml index dfde886d3ac..b3715ba6c27 100644 --- a/test_data/compiled-workflows/container_io.yaml +++ b/test_data/compiled-workflows/container_io.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: container-io- spec: arguments: 
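Review bot: The DAG driver template converted in the `@@ -321` hunk keeps `path: /tmp/outputs/condition` on its `condition` output (the context line just above the added `plugin:` block), while the container driver template earlier in this file had the same output moved to `jsonPath: $.condition`. Nothing in the hunk shows who would write that file once the template is a plugin call rather than a container, so the output may silently stay at its `default: "true"`. If that is not intended, the compiler should emit `jsonPath: $.condition` here as well. The `execution-id` and `iteration-count` outputs lie outside the hunk and are worth checking for the same thing; the pattern repeats in the last hunk of each compiled workflow that follows.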
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - container-io - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-io + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - container-io - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-io + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/container_no_input.yaml b/test_data/compiled-workflows/container_no_input.yaml index 80f7149d9dd..1d3fb621416 100644 --- a/test_data/compiled-workflows/container_no_input.yaml +++ b/test_data/compiled-workflows/container_no_input.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: container-no-input- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - container-no-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-no-input + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - container-no-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-no-input + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/container_with_artifact_output.yaml b/test_data/compiled-workflows/container_with_artifact_output.yaml index 41c5a8379ae..10b22c71a4d 100644 --- a/test_data/compiled-workflows/container_with_artifact_output.yaml +++ b/test_data/compiled-workflows/container_with_artifact_output.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: container-with-artifact-output- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - container-with-artifact-output - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-artifact-output + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - container-with-artifact-output - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-artifact-output + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/container_with_concat_placeholder.yaml b/test_data/compiled-workflows/container_with_concat_placeholder.yaml index d32ab8a54e1..d7f33ce00c6 100644 --- a/test_data/compiled-workflows/container_with_concat_placeholder.yaml +++ b/test_data/compiled-workflows/container_with_concat_placeholder.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: container-with-concat-placeholder- spec: arguments: 
@@ -17,77 +16,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - container-with-concat-placeholder - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -105,16 +43,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-concat-placeholder + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -151,6 +121,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -180,6 +157,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -190,6 +175,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -237,62 +225,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - container-with-concat-placeholder - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -322,6 +255,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-concat-placeholder + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/container_with_if_placeholder.yaml b/test_data/compiled-workflows/container_with_if_placeholder.yaml index e902c6663f6..beb895d6d15 100644 --- a/test_data/compiled-workflows/container_with_if_placeholder.yaml +++ b/test_data/compiled-workflows/container_with_if_placeholder.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: container-with-if-placeholder- spec: arguments: 
@@ -19,77 +18,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - container-with-if-placeholder - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
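Review bot: `sidecar.istio.io/inject: "false"` is now emitted under `podMetadata` unconditionally, so as far as this fixture shows every pod that takes this metadata opts out of the mesh sidecar. In a cluster that relies on Istio for mTLS or authorization policy those pods sit outside that enforcement, and the driver arguments added in the following hunk set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`, so transport security for the ml-pipeline and MLMD connections is not evident from these fixtures. Consider making the annotation a compiler option, or at least documenting in the compiler why it is safe to force it. It is repeated in the same hunk of each compiled workflow in this diff.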
@@ -107,16 +45,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-if-placeholder + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -153,6 +123,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
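Review bot: The plugin arguments still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `.path` variables, for example `condition_path: '{{outputs.parameters.condition.path}}'`, but this same hunk replaces each output's `path:` with `jsonPath:`, so there may be no file path left for those variables to resolve to. If the plugin returns the values in its response and ignores these arguments, drop them from `args`; if it still reads them, confirm that Argo substitutes `.path` for outputs declared with `jsonPath`. The same arguments appear in the container-driver hunk of each file below.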
@@ -182,6 +159,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -192,6 +177,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -239,62 +227,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - container-with-if-placeholder - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -324,6 +257,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-if-placeholder + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/container_with_placeholder_in_fstring.yaml b/test_data/compiled-workflows/container_with_placeholder_in_fstring.yaml index 80b7b8cd82c..9b399dc62b0 100644 --- a/test_data/compiled-workflows/container_with_placeholder_in_fstring.yaml +++ b/test_data/compiled-workflows/container_with_placeholder_in_fstring.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: container-with-placeholder-in-fstring- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - container-with-placeholder-in-fstring - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-placeholder-in-fstring + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - container-with-placeholder-in-fstring - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: container-with-placeholder-in-fstring + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/containerized_python_component.yaml b/test_data/compiled-workflows/containerized_python_component.yaml index 873cbec6fd7..60748357d9c 100644 --- a/test_data/compiled-workflows/containerized_python_component.yaml +++ b/test_data/compiled-workflows/containerized_python_component.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: concat-message- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - concat-message - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: concat-message + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - concat-message - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: concat-message + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/create_pod_metadata_complex.yaml b/test_data/compiled-workflows/create_pod_metadata_complex.yaml index 6880b31dc24..d0b9e3c58cb 100644 --- a/test_data/compiled-workflows/create_pod_metadata_complex.yaml +++ b/test_data/compiled-workflows/create_pod_metadata_complex.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-pod-metadata- spec: arguments: 
@@ -69,77 +68,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-pod-metadata - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -157,16 +95,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-pod-metadata + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -203,6 +173,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -232,6 +209,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -242,6 +227,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -311,6 +299,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -340,6 +335,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -361,6 +364,9 @@ spec: name: metadata-1-2-system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -424,6 +430,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -453,6 +466,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -470,6 +491,9 @@ spec: name: metadata-2-0-system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -589,62 +613,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-pod-metadata - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -674,6 +643,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-pod-metadata + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/cross_loop_after_topology.yaml b/test_data/compiled-workflows/cross_loop_after_topology.yaml index ca031bb6cf4..5990cc4ba25 100644 --- a/test_data/compiled-workflows/cross_loop_after_topology.yaml +++ b/test_data/compiled-workflows/cross_loop_after_topology.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: my-pipeline- spec: arguments: 
@@ -46,77 +45,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - my-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -134,16 +72,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: my-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -180,6 +150,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
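Review bot: The three outputs of this template now take their value from `jsonPath` (`$.pod-spec-patch`, `$.cached-decision`, `$.condition`), yet the added `driver-plugin` args still pass `cached_decision_path`, `condition_path` and `pod_spec_patch_path` as `'{{outputs.parameters.<name>.path}}'`, which refer to a `path` these outputs no longer declare. If the plugin returns its results in the response body, as the `jsonPath` entries suggest, those three args look unused and could be dropped from the compiler output; otherwise it is worth confirming what they resolve to at runtime. The DAG-driver template has the opposite mismatch: in the `@@ -383,6 +316,37 @@` hunk of this file, the earlier `@@ -674,6 +643,37 @@` hunk, and the matching hunks in dict_input.yaml, embedded_artifact.yaml and env-var.yaml, it becomes a `plugin:` template but keeps `path: /tmp/outputs/condition` in the context lines, where `jsonPath: $.condition` would match the container driver. Both templates continue outside their hunks, so the remaining outputs are not visible here.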
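Review bot: The `securityContext` added in the `@@ -180,6 +150,13 @@` hunk to the container with image `gcr.io/ml-pipeline/should-be-overridden-during-runtime` omits `runAsNonRoot: true`, while the container hardened in the following hunk (`@@ -209,6 +186,14 @@`) sets it. The template-level `securityContext` added for `system-container-impl` in `@@ -219,6 +204,9 @@` carries only `seccompProfile`; if Argo applies a template-level pod security context in place of the workflow-level one rather than merging them, the `runAsNonRoot: true` added (apparently under `spec`, since indentation is lost in this rendering) would not reach this pod either, and the container could run as root. If that is intended so that images which run as root keep working, the compiler should say so where it builds this context; otherwise add `runAsNonRoot: true` to the template-level block. The same three hunks repeat in dict_input.yaml, embedded_artifact.yaml, env-var.yaml and fail_v2.yaml.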
@@ -209,6 +186,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -219,6 +204,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -298,62 +286,7 @@ spec: metadata: {} name: comp-for-loop-14 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - my-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -383,6 +316,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: my-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -396,6 +360,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-14"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-13","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-14"}}' + - name: task-name + value: for-loop-14 name: iteration-item-driver template: system-dag-driver - arguments: @@ -425,6 +391,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-14"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-13","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-14"}}' + - name: task-name + value: for-loop-14 name: iteration-driver template: system-dag-driver - arguments: 
@@ -592,6 +560,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-8"},"dependentTasks":["print-op-3"],"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-7","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-8"}}' + - name: task-name + value: for-loop-8 name: iteration-item-driver template: system-dag-driver - arguments: @@ -621,6 +591,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-8"},"dependentTasks":["print-op-3"],"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-7","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-8"}}' + - name: task-name + value: for-loop-8 name: iteration-driver template: system-dag-driver - arguments: @@ -692,6 +664,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-10"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-9","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-10"}}' + - name: task-name + value: for-loop-10 name: iteration-item-driver template: system-dag-driver - arguments: @@ -721,6 +695,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-10"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-9","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-10"}}' + - name: task-name + value: for-loop-10 name: iteration-driver template: system-dag-driver - arguments: @@ -753,6 +729,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-12"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-11","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-12"}}' + - name: task-name + value: for-loop-12 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -782,6 +760,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-12"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-11","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-12"}}' + - name: task-name + value: for-loop-12 name: iteration-driver template: system-dag-driver - arguments: @@ -814,6 +794,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -843,6 +825,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: @@ -875,6 +859,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"dependentTasks":["for-loop-2"],"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: @@ -904,6 +890,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"dependentTasks":["for-loop-2"],"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: 
@@ -936,6 +924,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-item-driver template: system-dag-driver - arguments: @@ -965,6 +955,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/dict_input.yaml b/test_data/compiled-workflows/dict_input.yaml index 252192d0502..4925237e98b 100644 --- a/test_data/compiled-workflows/dict_input.yaml +++ b/test_data/compiled-workflows/dict_input.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: dict-input- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - dict-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: dict-input + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -245,62 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - dict-input - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -330,6 +263,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: dict-input + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/embedded_artifact.yaml b/test_data/compiled-workflows/embedded_artifact.yaml index a8417bfab8f..e97e753891d 100644 --- a/test_data/compiled-workflows/embedded_artifact.yaml +++ b/test_data/compiled-workflows/embedded_artifact.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nb-simple- spec: arguments: 
@@ -66,77 +65,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nb-simple - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -154,16 +92,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nb-simple + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -200,6 +170,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -229,6 +206,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -239,6 +224,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -310,62 +298,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nb-simple - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -395,6 +328,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nb-simple + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/env-var.yaml b/test_data/compiled-workflows/env-var.yaml index e74b07771ee..dd8dc8c3599 100644 --- a/test_data/compiled-workflows/env-var.yaml +++ b/test_data/compiled-workflows/env-var.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: test-env-exists- spec: arguments: 
@@ -27,77 +26,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - test-env-exists - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -115,16 +53,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: test-env-exists + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -161,6 +131,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -190,6 +167,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -200,6 +185,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -247,62 +235,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - test-env-exists - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -332,6 +265,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: test-env-exists + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/fail_v2.yaml b/test_data/compiled-workflows/fail_v2.yaml index 668b99db141..9f14ccfd109 100644 --- a/test_data/compiled-workflows/fail_v2.yaml +++ b/test_data/compiled-workflows/fail_v2.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: fail-pipeline- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - fail-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: fail-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
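Review bot: The plugin `args` in the `@@ -113,16 +51,48 @@` hunk still pass `cached_decision_path`, `condition_path` and `pod_spec_patch_path` as `'{{outputs.parameters.<name>.path}}'`, but the same hunk replaces each output's `path:` with `jsonPath:`, so those outputs no longer declare a path for the placeholder to resolve to. The hunk does not show whether the placeholder is then left unexpanded or rejected; either way the argument cannot name a real file. If the plugin now returns these values in its response, the three `*_path` args look removable from what the compiler emits; otherwise the outputs need to keep `path:`. The template continues outside the hunk, and the same applies to the matching hunks in flip_coin.yaml, hello_world.yaml and identity.yaml.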
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -245,62 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - fail-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
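Review bot: The template-level `securityContext` added in the `@@ -198,6 +183,9 @@` hunk sets only `seccompProfile`, and the main container's `securityContext` in the `@@ -159,6 +129,13 @@` hunk omits `runAsNonRoot: true`, while the init container here and the workflow-level `securityContext` both set it. If Argo applies a template's `securityContext` in place of the workflow-level one rather than merging them (worth confirming), the pod whose image and command are overridden at runtime is the one pod not required to run as non-root. If that is deliberate because user images may run as root, the compiler should say so where it emits this block; otherwise add `runAsNonRoot: true` to both. The same pattern appears in flip_coin.yaml, hello_world.yaml and identity.yaml.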
@@ -330,6 +263,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: fail-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/flip_coin.yaml b/test_data/compiled-workflows/flip_coin.yaml index ebc4c9edea7..8cdce9ac6c4 100644 --- a/test_data/compiled-workflows/flip_coin.yaml +++ b/test_data/compiled-workflows/flip_coin.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: conditional-execution-pipeline- spec: arguments: 
@@ -82,77 +81,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - conditional-execution-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -170,16 +108,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: conditional-execution-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -216,6 +186,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -245,6 +222,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -255,6 +240,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -338,62 +326,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - conditional-execution-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -423,6 +356,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: conditional-execution-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/hello-world.yaml b/test_data/compiled-workflows/hello-world.yaml deleted file mode 100644 index c86947cdf41..00000000000 --- a/test_data/compiled-workflows/hello-world.yaml +++ /dev/null 
@@ -1,334 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Workflow -metadata: - creationTimestamp: null - generateName: echo- -spec: - arguments: - parameters: - - name: components-cf9c81ac9e6ab0dcdd92cb89ed717317e681cb0645cb5ddfc4824b1de14346b3 - value: '{"executorLabel":"exec-echo"}' - - name: implementations-cf9c81ac9e6ab0dcdd92cb89ed717317e681cb0645cb5ddfc4824b1de14346b3 - value: '{"args":["hello world"],"command":["echo"],"image":"public.ecr.aws/docker/library/python:3.12"}' - - name: components-root - value: '{"dag":{"tasks":{"echo":{"cachingOptions":{"enableCache":true},"componentRef":{"name":"comp-echo"},"taskInfo":{"name":"echo"}}}}}' - entrypoint: entrypoint - podMetadata: - annotations: - pipelines.kubeflow.org/v2_component: "true" - labels: - pipelines.kubeflow.org/v2_component: "true" - serviceAccountName: pipeline-runner - templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 
100m - memory: 64Mi - inputs: - parameters: - - name: component - - name: task - - name: container - - name: task-name - - name: parent-dag-id - - default: "-1" - name: iteration-index - - default: "" - name: kubernetes-config - metadata: {} - name: system-container-driver - outputs: - parameters: - - name: pod-spec-patch - valueFrom: - default: "" - path: /tmp/outputs/pod-spec-patch - - default: "false" - name: cached-decision - valueFrom: - default: "false" - path: /tmp/outputs/cached-decision - - name: condition - valueFrom: - default: "true" - path: /tmp/outputs/condition - - dag: - tasks: - - arguments: - parameters: - - name: pod-spec-patch - value: '{{inputs.parameters.pod-spec-patch}}' - name: executor - template: system-container-impl - when: '{{inputs.parameters.cached-decision}} != true' - inputs: - parameters: - - name: pod-spec-patch - - default: "false" - name: cached-decision - metadata: {} - name: system-container-executor - outputs: {} - - container: - command: - - should-be-overridden-during-runtime - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - envFrom: - - configMapRef: - name: metadata-grpc-configmap - optional: true - image: gcr.io/ml-pipeline/should-be-overridden-during-runtime - name: "" - resources: {} - volumeMounts: - - mountPath: /kfp-launcher - name: kfp-launcher - - mountPath: /gcs - name: gcs-scratch - - mountPath: /s3 - name: s3-scratch - - mountPath: /minio - name: minio-scratch - - mountPath: /.local - name: dot-local-scratch - - mountPath: /.cache - name: dot-cache-scratch - - mountPath: /.config - name: dot-config-scratch - initContainers: - - args: - - --copy - - /kfp-launcher/launch - command: - - launcher-v2 - image: ghcr.io/kubeflow/kfp-launcher:latest - name: kfp-launcher - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 100m - volumeMounts: - - mountPath: /kfp-launcher - name: kfp-launcher - 
inputs: - parameters: - - name: pod-spec-patch - metadata: {} - name: system-container-impl - outputs: {} - podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' - volumes: - - emptyDir: {} - name: kfp-launcher - - emptyDir: {} - name: gcs-scratch - - emptyDir: {} - name: s3-scratch - - emptyDir: {} - name: minio-scratch - - emptyDir: {} - name: dot-local-scratch - - emptyDir: {} - name: dot-cache-scratch - - emptyDir: {} - name: dot-config-scratch - - dag: - tasks: - - arguments: - parameters: - - name: component - value: '{{workflow.parameters.components-cf9c81ac9e6ab0dcdd92cb89ed717317e681cb0645cb5ddfc4824b1de14346b3}}' - - name: task - value: '{"cachingOptions":{"enableCache":true},"componentRef":{"name":"comp-echo"},"taskInfo":{"name":"echo"}}' - - name: container - value: '{{workflow.parameters.implementations-cf9c81ac9e6ab0dcdd92cb89ed717317e681cb0645cb5ddfc4824b1de14346b3}}' - - name: task-name - value: echo - - name: parent-dag-id - value: '{{inputs.parameters.parent-dag-id}}' - name: echo-driver - template: system-container-driver - - arguments: - parameters: - - name: pod-spec-patch - value: '{{tasks.echo-driver.outputs.parameters.pod-spec-patch}}' - - default: "false" - name: cached-decision - value: '{{tasks.echo-driver.outputs.parameters.cached-decision}}' - depends: echo-driver.Succeeded - name: echo - template: system-container-executor - inputs: - parameters: - - name: parent-dag-id - metadata: {} - name: root - outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - 
'{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: - parameters: - - name: component - - default: "" - name: runtime-config - - default: "" - name: task - - default: "" - name: task-name - - default: "0" - name: parent-dag-id - - default: "-1" - name: iteration-index - - default: DAG - name: driver-type - metadata: {} - name: system-dag-driver - outputs: - parameters: - - name: execution-id - valueFrom: - path: /tmp/outputs/execution-id - - name: iteration-count - valueFrom: - default: "0" - path: /tmp/outputs/iteration-count - - name: condition - valueFrom: - default: "true" - path: /tmp/outputs/condition - - dag: - tasks: - - arguments: - parameters: - - name: component - value: '{{workflow.parameters.components-root}}' - - name: runtime-config - value: '{}' - - name: driver-type - value: ROOT_DAG - name: root-driver - template: system-dag-driver - - arguments: - parameters: - - name: parent-dag-id - value: '{{tasks.root-driver.outputs.parameters.execution-id}}' - - name: condition - value: "" - depends: root-driver.Succeeded - name: root - template: root - inputs: {} - metadata: {} - name: entrypoint - outputs: {} -status: - finishedAt: null - startedAt: null diff --git a/test_data/compiled-workflows/hello_world.yaml b/test_data/compiled-workflows/hello_world.yaml index e765d6b8fba..3502e68221a 100644 --- a/test_data/compiled-workflows/hello_world.yaml +++ b/test_data/compiled-workflows/hello_world.yaml 
@@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo- spec: arguments: @@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/identity.yaml b/test_data/compiled-workflows/identity.yaml index e8c911a4208..f33105f3a7e 100644 --- a/test_data/compiled-workflows/identity.yaml +++ b/test_data/compiled-workflows/identity.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: identity- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - identity - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: identity + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -245,62 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - identity - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -330,6 +263,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: identity + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/if_elif_else_complex.yaml b/test_data/compiled-workflows/if_elif_else_complex.yaml index 9c73eabcb4d..2a4ba11edf8 100644 --- a/test_data/compiled-workflows/if_elif_else_complex.yaml +++ b/test_data/compiled-workflows/if_elif_else_complex.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: lucky-number-pipeline- spec: arguments: 
@@ -116,77 +115,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - lucky-number-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
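Review bot: The added `sidecar.istio.io/inject: "false"` under `podMetadata.annotations` is unconditional, while the `driver-plugin` args added elsewhere in this file set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. If sidecar mTLS was what protected traffic from these pods to `ml-pipeline.kubeflow.svc.cluster.local` and `metadata-grpc-service.kubeflow.svc.cluster.local`, pods created from this workflow would reach ports 8887 and 8080 in plaintext and without a mesh identity that authorization policies can match on. I would want the annotation driven by the same deployment setting that decides the two TLS flags, plus a short comment in the compiler stating why injection is disabled. The same hunk shape repeats for the other compiled workflows in this diff.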
@@ -204,16 +142,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: lucky-number-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -250,6 +220,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -279,6 +256,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -289,6 +274,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -337,62 +325,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - lucky-number-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -422,6 +355,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: lucky-number-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -499,6 +463,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-16"},"inputs":{"parameters":{"pipelinechannel--int-0-to-9999-Output":{"componentInputParameter":"pipelinechannel--int-0-to-9999-Output"},"pipelinechannel--repeat_if_lucky_number":{"componentInputParameter":"pipelinechannel--repeat_if_lucky_number"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-15","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-16"}}' + - name: task-name + value: for-loop-16 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -528,6 +494,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-16"},"inputs":{"parameters":{"pipelinechannel--int-0-to-9999-Output":{"componentInputParameter":"pipelinechannel--int-0-to-9999-Output"},"pipelinechannel--repeat_if_lucky_number":{"componentInputParameter":"pipelinechannel--repeat_if_lucky_number"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-15","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-16"}}' + - name: task-name + value: for-loop-16 name: iteration-driver template: system-dag-driver - arguments: @@ -1183,6 +1151,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--add_drumroll":{"componentInputParameter":"add_drumroll"},"pipelinechannel--repeat_if_lucky_number":{"componentInputParameter":"repeat_if_lucky_number"},"pipelinechannel--trials":{"componentInputParameter":"trials"}}},"parameterIterator":{"itemInput":"pipelinechannel--trials-loop-item","items":{"inputParameter":"pipelinechannel--trials"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1211,6 +1181,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--add_drumroll":{"componentInputParameter":"add_drumroll"},"pipelinechannel--repeat_if_lucky_number":{"componentInputParameter":"repeat_if_lucky_number"},"pipelinechannel--trials":{"componentInputParameter":"trials"}}},"parameterIterator":{"itemInput":"pipelinechannel--trials-loop-item","items":{"inputParameter":"pipelinechannel--trials"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/if_elif_else_with_oneof_parameters.yaml b/test_data/compiled-workflows/if_elif_else_with_oneof_parameters.yaml index 43c5c7ab509..1c7a5d758c3 100644 --- a/test_data/compiled-workflows/if_elif_else_with_oneof_parameters.yaml +++ b/test_data/compiled-workflows/if_elif_else_with_oneof_parameters.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: outer-pipeline- spec: arguments: 
@@ -71,77 +70,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - outer-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -159,16 +97,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: outer-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -205,6 +175,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -234,6 +211,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -244,6 +229,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -357,62 +345,7 @@ spec: metadata: {} name: comp-condition-4 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - outer-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -442,6 +375,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: outer-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/if_else_with_oneof_artifacts.yaml b/test_data/compiled-workflows/if_else_with_oneof_artifacts.yaml index 385e39b07b6..01f1f75fc77 100644 --- a/test_data/compiled-workflows/if_else_with_oneof_artifacts.yaml +++ b/test_data/compiled-workflows/if_else_with_oneof_artifacts.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: outer-pipeline- spec: arguments: 
@@ -63,77 +62,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - outer-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -151,16 +89,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: outer-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -197,6 +167,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -226,6 +203,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -236,6 +221,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -315,62 +303,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - outer-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -400,6 +333,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: outer-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/if_else_with_oneof_parameters.yaml b/test_data/compiled-workflows/if_else_with_oneof_parameters.yaml index f6f8db86b49..e43df4ecf76 100644 --- a/test_data/compiled-workflows/if_else_with_oneof_parameters.yaml +++ b/test_data/compiled-workflows/if_else_with_oneof_parameters.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: flip-coin-pipeline- spec: arguments: 
@@ -49,77 +48,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - flip-coin-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -137,16 +75,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: flip-coin-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -183,6 +153,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -212,6 +189,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -222,6 +207,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -303,62 +291,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - flip-coin-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -388,6 +321,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: flip-coin-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/input_artifact.yaml b/test_data/compiled-workflows/input_artifact.yaml index b5b04b2cb65..4c9b87d38cb 100644 --- a/test_data/compiled-workflows/input_artifact.yaml +++ b/test_data/compiled-workflows/input_artifact.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: input-artifact- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - input-artifact - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: input-artifact + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
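Review bot: The added plugin args still pass `cached_decision_path`, `condition_path` and `pod_spec_patch_path` as `'{{outputs.parameters.<name>.path}}'`, but the three outputs in this hunk no longer declare a `path`; they now read `jsonPath: $.pod-spec-patch`, `$.cached-decision` and `$.condition`. Whether Argo still resolves `.path` for a plugin template is not visible here, so either drop those args from the compiled output or confirm the plugin ignores them. The DAG-driver template in `@@ -330,6 +263,37 @@` is converted to the same `driver-plugin` but keeps `path: /tmp/outputs/condition`; the two driver templates should agree, e.g. `jsonPath: $.condition` there as well. The same pattern repeats in iris_pipeline_compiled.yaml and the later compiled workflows in this diff, so the fix belongs in the compiler that emits these golden files.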
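Review bot: The securityContext added to the `should-be-overridden-during-runtime` container in `@@ -159,6 +129,13 @@` omits `runAsNonRoot: true`, while the one added in `@@ -188,6 +165,14 @@` sets it, and the securityContext added after `podSpecPatch` in `@@ -198,6 +183,9 @@` carries only `seccompProfile`. Indentation is lost on this page, so the nesting is inferred from key order. If that last block is template-level and takes precedence over the workflow-level one added in `@@ -25,77 +24,16 @@`, the pod running user code is the only one without a non-root requirement. If this is deliberate so that user images may run as root, say so in a comment where the compiler emits the block; otherwise add `runAsNonRoot: true` to this container's securityContext. The same three hunks recur in every compiled workflow in this diff.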
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -245,62 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - input-artifact - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -330,6 +263,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: input-artifact + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/iris_pipeline_compiled.yaml b/test_data/compiled-workflows/iris_pipeline_compiled.yaml index 4092416d52b..992c83c1bb5 100644 --- a/test_data/compiled-workflows/iris_pipeline_compiled.yaml +++ b/test_data/compiled-workflows/iris_pipeline_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: iris-training-pipeline- spec: arguments: 
@@ -78,77 +77,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - iris-training-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -166,16 +104,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: iris-training-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -212,6 +182,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -241,6 +218,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -251,6 +236,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -348,62 +336,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - iris-training-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -433,6 +366,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: iris-training-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/lightweight_python_functions_pipeline.yaml b/test_data/compiled-workflows/lightweight_python_functions_pipeline.yaml index cd9e9906024..3b4fe7a3b8f 100644 --- a/test_data/compiled-workflows/lightweight_python_functions_pipeline.yaml +++ b/test_data/compiled-workflows/lightweight_python_functions_pipeline.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: my-test-pipeline-beta- spec: arguments: 
@@ -80,77 +79,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - my-test-pipeline-beta - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -168,16 +106,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: my-test-pipeline-beta + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -214,6 +184,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -243,6 +220,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -253,6 +238,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -325,62 +313,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - my-test-pipeline-beta - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -410,6 +343,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: my-test-pipeline-beta + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/lightweight_python_functions_with_outputs.yaml b/test_data/compiled-workflows/lightweight_python_functions_with_outputs.yaml index 9af03fe2546..076a862d832 100644 --- a/test_data/compiled-workflows/lightweight_python_functions_with_outputs.yaml +++ b/test_data/compiled-workflows/lightweight_python_functions_with_outputs.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: functions-with-outputs- spec: arguments: 
@@ -72,77 +71,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - functions-with-outputs - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -160,16 +98,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: functions-with-outputs + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -206,6 +176,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -235,6 +212,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -245,6 +230,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -366,62 +354,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - functions-with-outputs - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -451,6 +384,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: functions-with-outputs + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/log_streaming_compiled.yaml b/test_data/compiled-workflows/log_streaming_compiled.yaml index 51b6f899e7a..849494bafa7 100644 --- a/test_data/compiled-workflows/log_streaming_compiled.yaml +++ b/test_data/compiled-workflows/log_streaming_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: log-streaming-pipeline- spec: arguments: 
@@ -29,77 +28,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - log-streaming-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -117,16 +55,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: log-streaming-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -163,6 +133,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -192,6 +169,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -202,6 +187,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -249,62 +237,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - log-streaming-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
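Review bot: The template-level `securityContext` added for `system-container-impl` (hunk `@@ -202,6 +187,9 @@`) sets only `seccompProfile`, while the workflow-level one added earlier in this file also sets `runAsNonRoot: true`. If Argo uses a template's pod security context in place of the workflow's rather than merging the two (I believe it does, please confirm), these pods lose the non-root requirement at pod level. The container block in `@@ -163,6 +133,13 @@`, which holds the placeholder image overridden at runtime, carries no `runAsNonRoot` of its own, unlike the one in `@@ -192,6 +169,14 @@`. If running user images as root is intended, say so where the compiler builds this template; otherwise add `runAsNonRoot: true` to the template-level block. The same three hunks recur in every compiled workflow of this diff.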
@@ -334,6 +267,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: log-streaming-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/long-running.yaml b/test_data/compiled-workflows/long-running.yaml index ad508914429..e9438c111fa 100644 --- a/test_data/compiled-workflows/long-running.yaml +++ b/test_data/compiled-workflows/long-running.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: wait-awhile- spec: arguments: 
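Review bot: The plugin args added in the first hunk on this line hard-code `metadata_tls_enabled: false` and `ml_pipeline_tls_enabled: false`, and the container-driver hunk (`@@ -117,16 +55,48 @@`) does the same. Every golden file in this diff therefore pins only the plaintext path to `ml-pipeline.kubeflow.svc.cluster.local` on `8887` and `metadata-grpc-service.kubeflow.svc.cluster.local` on `8080`. Together with the sidecar-injection opt-out added at the top of the file, nothing visible here would encrypt that traffic. I would add at least one compiled workflow generated with TLS enabled so the `true` value of both args is covered by these fixtures.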
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - wait-awhile - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: wait-awhile + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -261,62 +249,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - wait-awhile - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -346,6 +279,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: wait-awhile + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/loop_consume_upstream.yaml b/test_data/compiled-workflows/loop_consume_upstream.yaml index 68a6ea7b0fc..dd7d3570d9f 100644 --- a/test_data/compiled-workflows/loop_consume_upstream.yaml +++ b/test_data/compiled-workflows/loop_consume_upstream.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: loop-consume-upstream- spec: arguments: 
@@ -73,77 +72,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - loop-consume-upstream - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -161,16 +99,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: loop-consume-upstream + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -207,6 +177,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -236,6 +213,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -246,6 +231,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -320,62 +308,7 @@ spec: metadata: {} name: comp-for-loop-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - loop-consume-upstream - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -405,6 +338,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: loop-consume-upstream + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -417,6 +381,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"dependentTasks":["split-input"],"inputs":{"parameters":{"pipelinechannel--split-input-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-input"}}}},"parameterIterator":{"itemInput":"pipelinechannel--split-input-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-input-Output"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -445,6 +411,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"dependentTasks":["split-input"],"inputs":{"parameters":{"pipelinechannel--split-input-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"split-input"}}}},"parameterIterator":{"itemInput":"pipelinechannel--split-input-Output-loop-item","items":{"inputParameter":"pipelinechannel--split-input-Output"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/metrics_visualization_v2.yaml b/test_data/compiled-workflows/metrics_visualization_v2.yaml index 6e74ffe8eff..484927110d0 100644 --- a/test_data/compiled-workflows/metrics_visualization_v2.yaml +++ b/test_data/compiled-workflows/metrics_visualization_v2.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: metrics-visualization-pipeline- spec: arguments: 
@@ -117,77 +116,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - metrics-visualization-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -205,16 +143,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: metrics-visualization-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -251,6 +221,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -280,6 +257,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -290,6 +275,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -433,62 +421,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - metrics-visualization-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -518,6 +451,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: metrics-visualization-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/missing_kubernetes_optional_inputs.yaml b/test_data/compiled-workflows/missing_kubernetes_optional_inputs.yaml index da9bc020eb0..27ed2b19e2a 100644 --- a/test_data/compiled-workflows/missing_kubernetes_optional_inputs.yaml +++ b/test_data/compiled-workflows/missing_kubernetes_optional_inputs.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: missing-kubernetes-optional-inputs-pipeline- spec: arguments: 
@@ -28,77 +27,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - missing-kubernetes-optional-inputs-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -116,16 +54,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: missing-kubernetes-optional-inputs-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -162,6 +132,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -191,6 +168,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -201,6 +186,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -251,62 +239,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - missing-kubernetes-optional-inputs-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -336,6 +269,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: missing-kubernetes-optional-inputs-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/mixed_parameters.yaml b/test_data/compiled-workflows/mixed_parameters.yaml index 95f38757554..58cfc0466c9 100644 --- a/test_data/compiled-workflows/mixed_parameters.yaml +++ b/test_data/compiled-workflows/mixed_parameters.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: mixed-parameters-pipeline- spec: arguments: 
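Review bot: The DAG-driver template converted in `@@ -336,6 +269,37 @@` keeps `path: /tmp/outputs/condition` on its output as an unchanged context line, whereas the container-driver template in the same file was switched to `jsonPath: $.condition`. With the `container:` block deleted in `@@ -251,62 +239,7 @@`, the hunks show no container left in this template to write that file, so the output would presumably always resolve to its `default`. If the plugin returns these values as JSON here as well, the output should read `jsonPath: $.condition`, and likewise for `execution-id` and `iteration-count`, which lie outside the hunk. The matching DAG-driver hunks in mixed_parameters.yaml, modelcar.yaml and both mounted_cabundle files have the same mismatch.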
@@ -42,77 +41,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - mixed-parameters-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
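Review bot: `sidecar.istio.io/inject: "false"` is added under `podMetadata.annotations` in `@@ -42,77 +41,16 @@`, so it applies to every pod of the workflow rather than only to the driver. On a mesh-enabled cluster that takes these pods out of sidecar mTLS, and the plugin args elsewhere in this diff also set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`, so calls to ml-pipeline and MLMD would be unencrypted in that configuration. Whether the annotation was already applied at runtime before this change is not visible here. If it is needed only for the pod that hosts the plugin, scope it to that pod; otherwise record the reason next to the code that emits it, e.g. `// workflow pods opt out of Istio injection because <reason>`. The same line is added in the first hunk of modelcar.yaml, both mounted_cabundle files and multiple_artifacts_namedtuple.yaml.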
@@ -130,16 +68,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: mixed-parameters-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -176,6 +146,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -205,6 +182,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -215,6 +200,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -262,62 +250,7 @@ spec: metadata: {} name: comp-core outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - mixed-parameters-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -347,6 +280,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: mixed-parameters-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/modelcar.yaml b/test_data/compiled-workflows/modelcar.yaml index 9612302b372..fbc0016095a 100644 --- a/test_data/compiled-workflows/modelcar.yaml +++ b/test_data/compiled-workflows/modelcar.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-modelcar-model- spec: arguments: 
@@ -50,77 +49,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-modelcar-model - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -138,16 +76,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-modelcar-model + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -184,6 +154,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -213,6 +190,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -223,6 +208,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -286,6 +274,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task @@ -295,6 +291,10 @@ spec: metadata: {} name: system-importer outputs: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: 
@@ -364,62 +364,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-modelcar-model - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -449,6 +394,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-modelcar-model + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/mounted_cabundle_configmap.yaml b/test_data/compiled-workflows/mounted_cabundle_configmap.yaml index b1ad7a2bec9..c6a234ba866 100644 --- a/test_data/compiled-workflows/mounted_cabundle_configmap.yaml +++ b/test_data/compiled-workflows/mounted_cabundle_configmap.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo- spec: arguments: 
@@ -16,82 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --ca_cert_path - - /kfp/certs/ca.crt - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - volumeMounts: - - mountPath: /kfp/certs - name: custom-ca - inputs: + - inputs: parameters: - name: component - name: task 
@@ -109,23 +42,49 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition - volumes: - - configMap: - items: - - key: test-configmap-key - path: ca.crt - name: test-configmap-name - name: custom-ca + jsonPath: $.condition + plugin: + driver-plugin: + args: + ca_cert_path: /kfp/certs/ca.crt + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -162,6 +121,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
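Review bot: `ca_cert_path: /kfp/certs/ca.crt` is still passed to the driver plugin in `@@ -109,23 +42,49 @@`, but this hunk deletes the template's `custom-ca` volume and the preceding hunk deletes the `/kfp/certs` volumeMount along with the container. Nothing in the compiled workflow now places `test-configmap-name` at that path, so the CA must be mounted by whatever pod runs the plugin, which is outside this hunk. If it is not, a TLS-enabled deployment with a custom CA would presumably fail to read the file or fall back to the system roots. Either keep `volumes:`/`volumeMounts:` for `custom-ca` on the pod that runs the driver, or drop `ca_cert_path` from the emitted args. The same applies to the DAG-driver hunk `@@ -346,13 +263,38 @@` and to both driver hunks in mounted_cabundle_secret.yaml.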
@@ -193,6 +159,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -203,6 +177,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -256,67 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --ca_cert_path - - /kfp/certs/ca.crt - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - volumeMounts: - - mountPath: /kfp/certs - name: custom-ca - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -346,13 +263,38 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition - volumes: - - configMap: - items: - - key: test-configmap-key - path: ca.crt - name: test-configmap-name - name: custom-ca + plugin: + driver-plugin: + args: + ca_cert_path: /kfp/certs/ca.crt + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/mounted_cabundle_secret.yaml b/test_data/compiled-workflows/mounted_cabundle_secret.yaml index eb653a98201..f53f204269f 100644 --- a/test_data/compiled-workflows/mounted_cabundle_secret.yaml +++ b/test_data/compiled-workflows/mounted_cabundle_secret.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo- spec: arguments: 
@@ -16,82 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --ca_cert_path - - /kfp/certs/ca.crt - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - volumeMounts: - - mountPath: /kfp/certs - name: custom-ca - inputs: + - inputs: parameters: - name: component - name: task 
@@ -109,23 +42,49 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition - volumes: - - name: custom-ca - secret: - items: - - key: ca.crt - path: ca.crt - secretName: test-secret-name + jsonPath: $.condition + plugin: + driver-plugin: + args: + ca_cert_path: /kfp/certs/ca.crt + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -162,6 +121,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -193,6 +159,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -203,6 +177,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -256,67 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --ca_cert_path - - /kfp/certs/ca.crt - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - volumeMounts: - - mountPath: /kfp/certs - name: custom-ca - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -346,13 +263,38 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition - volumes: - - name: custom-ca - secret: - items: - - key: ca.crt - path: ca.crt - secretName: test-secret-name + plugin: + driver-plugin: + args: + ca_cert_path: /kfp/certs/ca.crt + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/multiple_artifacts_namedtuple.yaml b/test_data/compiled-workflows/multiple_artifacts_namedtuple.yaml index 6511708d3d7..ecc98d5a967 100644 --- a/test_data/compiled-workflows/multiple_artifacts_namedtuple.yaml +++ b/test_data/compiled-workflows/multiple_artifacts_namedtuple.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: multiple-artifacts-namedtuple-pipeline- spec: arguments: 
@@ -46,77 +45,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - multiple-artifacts-namedtuple-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -134,16 +72,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: multiple-artifacts-namedtuple-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -180,6 +150,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
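Review bot: The three outputs in hunk `@@ -134,16 +72,48 @@` now use `valueFrom.jsonPath` with no `path`, yet the plugin args in the same hunk still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `{{outputs.parameters.<name>.path}}`. With no `path` on the output, those references presumably have nothing to resolve to, so please confirm the plugin ignores them or drop them from these args. The DAG driver template in hunk `@@ -351,6 +284,37 @@` of this file keeps `path: /tmp/outputs/condition`, so the two driver templates now disagree on how outputs are returned. The other compiled workflows in this commit show the same pattern.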
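Review bot: The `securityContext` added in hunk `@@ -180,6 +150,13 @@` to the container with image `gcr.io/ml-pipeline/should-be-overridden-during-runtime` omits `runAsNonRoot: true`, while the container in `@@ -209,6 +186,14 @@` sets it. The template-level `securityContext` added in `@@ -219,6 +204,9 @@` carries only `seccompProfile`. If Argo uses a template's pod `securityContext` in place of the workflow-level one rather than merging them (worth confirming), the `runAsNonRoot: true` under `spec` never reaches this pod and that container may run as root. If that is deliberate, for compatibility with arbitrary user images, the compiler should document it; otherwise add `runAsNonRoot: true` in both places. The other compiled workflows in this commit repeat the pattern.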
@@ -209,6 +186,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -219,6 +204,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -266,62 +254,7 @@ spec: metadata: {} name: comp-core outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - multiple-artifacts-namedtuple-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -351,6 +284,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: multiple-artifacts-namedtuple-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/multiple_parameters_namedtuple.yaml b/test_data/compiled-workflows/multiple_parameters_namedtuple.yaml index 0a1b515896a..c060ec3b59b 100644 --- a/test_data/compiled-workflows/multiple_parameters_namedtuple.yaml +++ b/test_data/compiled-workflows/multiple_parameters_namedtuple.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: multiple-parameters-namedtuple-pipeline- spec: arguments: 
@@ -45,77 +44,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - multiple-parameters-namedtuple-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -133,16 +71,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: multiple-parameters-namedtuple-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -179,6 +149,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -208,6 +185,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -218,6 +203,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -265,62 +253,7 @@ spec: metadata: {} name: comp-core outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - multiple-parameters-namedtuple-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -350,6 +283,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: multiple-parameters-namedtuple-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/nested_pipeline_opt_input_child_level_compiled.yaml b/test_data/compiled-workflows/nested_pipeline_opt_input_child_level_compiled.yaml index c7c072d2fb1..8538292aa32 100644 --- a/test_data/compiled-workflows/nested_pipeline_opt_input_child_level_compiled.yaml +++ b/test_data/compiled-workflows/nested_pipeline_opt_input_child_level_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nested-pipeline-opt-input-child-level- spec: arguments: 
@@ -105,77 +104,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nested-pipeline-opt-input-child-level - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -193,16 +131,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-pipeline-opt-input-child-level + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -239,6 +209,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -268,6 +245,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -278,6 +263,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -445,62 +433,7 @@ spec: metadata: {} name: comp-nested-pipeline outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nested-pipeline-opt-input-child-level - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -530,6 +463,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-pipeline-opt-input-child-level + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/nested_pipeline_opt_inputs_nil_compiled.yaml b/test_data/compiled-workflows/nested_pipeline_opt_inputs_nil_compiled.yaml index bc9f441922b..be030912dc5 100644 --- a/test_data/compiled-workflows/nested_pipeline_opt_inputs_nil_compiled.yaml +++ b/test_data/compiled-workflows/nested_pipeline_opt_inputs_nil_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nested-pipeline-opt-inputs-nil- spec: arguments: 
@@ -56,77 +55,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nested-pipeline-opt-inputs-nil - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -144,16 +82,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-pipeline-opt-inputs-nil + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -190,6 +160,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -219,6 +196,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -229,6 +214,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -324,62 +312,7 @@ spec: metadata: {} name: comp-nested-pipeline outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nested-pipeline-opt-inputs-nil - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -409,6 +342,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-pipeline-opt-inputs-nil + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/nested_pipeline_opt_inputs_parent_level_compiled.yaml b/test_data/compiled-workflows/nested_pipeline_opt_inputs_parent_level_compiled.yaml index 937a668ac47..29bcb0b8ee9 100644 --- a/test_data/compiled-workflows/nested_pipeline_opt_inputs_parent_level_compiled.yaml +++ b/test_data/compiled-workflows/nested_pipeline_opt_inputs_parent_level_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nested-pipeline-opt-inputs-parent-level- spec: arguments: 
@@ -108,77 +107,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nested-pipeline-opt-inputs-parent-level - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -196,16 +134,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-pipeline-opt-inputs-parent-level + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -242,6 +212,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -271,6 +248,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -281,6 +266,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -456,62 +444,7 @@ spec: metadata: {} name: comp-nested-pipeline-non-nil-defaults outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nested-pipeline-opt-inputs-parent-level - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -541,6 +474,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-pipeline-opt-inputs-parent-level + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/nested_return.yaml b/test_data/compiled-workflows/nested_return.yaml index 941e29190b9..22b37d12337 100644 --- a/test_data/compiled-workflows/nested_return.yaml +++ b/test_data/compiled-workflows/nested_return.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nested-return- spec: arguments: 
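Review bot: The DAG driver template keeps `path: /tmp/outputs/condition` on its `condition` output (context line at the top of the `@@ -541,6 +474,37 @@` hunk) although its body is now `plugin:`, whereas the container driver's outputs were switched to `jsonPath: $.condition` in the same commit. With the `container:` block removed there is presumably no container filesystem for a `path` source to read, so unless the plugin response is mapped some other way this output would always take its `default: "true"`, which matters because it gates execution. If the DAG driver plugin returns the same JSON shape, the line should become `jsonPath: $.condition`, and likewise for `execution-id` and `iteration-count`, whose declarations are outside the hunk. The same context line appears in the DAG-driver hunks of the other compiled workflows in this commit.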
@@ -26,77 +25,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nested-return - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -114,16 +52,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-return + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -160,6 +130,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -189,6 +166,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -199,6 +184,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -246,62 +234,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nested-return - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -331,6 +264,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-return + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/nested_with_parameters.yaml b/test_data/compiled-workflows/nested_with_parameters.yaml index d85eae4ca6a..fa57ffa6c0d 100644 --- a/test_data/compiled-workflows/nested_with_parameters.yaml +++ b/test_data/compiled-workflows/nested_with_parameters.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -58,77 +57,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -146,16 +84,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -192,6 +162,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -221,6 +198,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -231,6 +216,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -327,62 +315,7 @@ spec: metadata: {} name: comp-for-loop-4 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -412,6 +345,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -425,6 +389,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"inputs":{"parameters":{"pipelinechannel--loop-item-param-1":{"componentInputParameter":"pipelinechannel--loop-item-param-1"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -454,6 +420,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"inputs":{"parameters":{"pipelinechannel--loop-item-param-1":{"componentInputParameter":"pipelinechannel--loop-item-param-1"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: @@ -500,6 +468,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -529,6 +499,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/notebook_component_mixed.yaml b/test_data/compiled-workflows/notebook_component_mixed.yaml index cd3eb695357..d8759f11275 100644 --- a/test_data/compiled-workflows/notebook_component_mixed.yaml +++ b/test_data/compiled-workflows/notebook_component_mixed.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nb-mixed- spec: arguments: 
@@ -254,77 +253,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nb-mixed - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -342,16 +280,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nb-mixed + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -388,6 +358,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -417,6 +394,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -427,6 +412,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -524,62 +512,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nb-mixed - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -609,6 +542,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nb-mixed + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/notebook_component_simple.yaml b/test_data/compiled-workflows/notebook_component_simple.yaml index ede94fa5445..7c83cc14f22 100644 --- a/test_data/compiled-workflows/notebook_component_simple.yaml +++ b/test_data/compiled-workflows/notebook_component_simple.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nb-simple- spec: arguments: 
@@ -123,77 +122,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nb-simple - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -211,16 +149,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nb-simple + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -257,6 +227,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -286,6 +263,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -296,6 +281,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -343,62 +331,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nb-simple - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -428,6 +361,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nb-simple + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/output_metrics.yaml b/test_data/compiled-workflows/output_metrics.yaml index 5521bd3d944..60f741089ec 100644 --- a/test_data/compiled-workflows/output_metrics.yaml +++ b/test_data/compiled-workflows/output_metrics.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: output-metrics- spec: arguments: 
@@ -27,77 +26,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - output-metrics - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -115,16 +53,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: output-metrics + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -161,6 +131,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
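Review bot: The three outputs switch from `path: /tmp/outputs/...` to `jsonPath: $.…`, but the new plugin args still pass `cached_decision_path: '{{outputs.parameters.cached-decision.path}}'`, `pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}'` and `condition_path: '{{outputs.parameters.condition.path}}'`. As far as I know Argo only defines `outputs.parameters.<name>.path` when that parameter's `valueFrom.path` is set, so these references may stay unresolved or fail validation; please confirm against the Argo version in use. If the plugin returns the values in its JSON response, the three `*_path` args can simply be dropped from the compiled args. The DAG-driver template in `@@ -332,6 +265,37 @@` goes the other way: it becomes a `plugin` template while its `condition` output keeps `path: /tmp/outputs/condition` as context, so the two driver templates disagree on how outputs are read. The same pattern repeats in the other four compiled workflows in this diff.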
@@ -190,6 +167,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -200,6 +185,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -247,62 +235,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - output-metrics - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
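Review bot: The template-level `securityContext` added to `system-container-impl` in `@@ -200,6 +185,9 @@` carries only `seccompProfile`, and the main container's `securityContext` in `@@ -161,6 +131,13 @@` omits `runAsNonRoot`, while the container in `@@ -190,6 +167,14 @@` and the workflow-level `securityContext` both set it. If Argo uses the template's pod securityContext in place of the workflow-level one rather than merging them (I believe it does; confirm), `runAsNonRoot: true` from the spec never reaches the pod that runs the user image. If that is deliberate so that user images running as root still start, say so where the compiler builds this template, e.g. `# runAsNonRoot intentionally omitted: user images may run as UID 0`; otherwise add `runAsNonRoot: true` in both places. The context line `podSpecPatch: '{{inputs.parameters.pod-spec-patch}}'` is applied on top of these fields, so the hardening is only as strong as what the driver returns there. The same three hunks recur in the other four compiled workflows.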
@@ -332,6 +265,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: output-metrics + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/parallel_for_after_dependency.yaml b/test_data/compiled-workflows/parallel_for_after_dependency.yaml index 4a1ac6e3f9e..d6274d5ecc5 100644 --- a/test_data/compiled-workflows/parallel_for_after_dependency.yaml +++ b/test_data/compiled-workflows/parallel_for_after_dependency.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: loop-with-after-dependency-set- spec: arguments: 
@@ -28,77 +27,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - loop-with-after-dependency-set - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -116,16 +54,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: loop-with-after-dependency-set + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -162,6 +132,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -191,6 +168,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -201,6 +186,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -248,62 +236,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - loop-with-after-dependency-set - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -333,6 +266,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: loop-with-after-dependency-set + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -346,6 +310,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -375,6 +341,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/parameter_cache.yaml b/test_data/compiled-workflows/parameter_cache.yaml index a5e9759991c..284ea157c64 100644 --- a/test_data/compiled-workflows/parameter_cache.yaml +++ b/test_data/compiled-workflows/parameter_cache.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: parameter-cache-pipeline- spec: arguments: 
@@ -42,77 +41,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - parameter-cache-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -130,16 +68,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: parameter-cache-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -176,6 +146,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -205,6 +182,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -215,6 +200,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -262,62 +250,7 @@ spec: metadata: {} name: comp-core outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - parameter-cache-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -347,6 +280,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: parameter-cache-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/parameter_oneof.yaml b/test_data/compiled-workflows/parameter_oneof.yaml index a37e91be033..8d124b3a3cf 100644 --- a/test_data/compiled-workflows/parameter_oneof.yaml +++ b/test_data/compiled-workflows/parameter_oneof.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: parameter-oneof-pipeline- spec: arguments: 
@@ -81,77 +80,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - parameter-oneof-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -169,16 +107,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: parameter-oneof-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -215,6 +185,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -244,6 +221,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -254,6 +239,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -335,62 +323,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - parameter-oneof-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -420,6 +353,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: parameter-oneof-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/parameters_complex.yaml b/test_data/compiled-workflows/parameters_complex.yaml index 1a7f1e5c14c..2efe2806b18 100644 --- a/test_data/compiled-workflows/parameters_complex.yaml +++ b/test_data/compiled-workflows/parameters_complex.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -75,77 +74,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -163,16 +101,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -209,6 +179,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -238,6 +215,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -248,6 +233,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -295,62 +283,7 @@ spec: metadata: {} name: comp-for-loop-4 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -380,6 +313,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -393,6 +357,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[4, 5, 6]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: @@ -422,6 +388,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[4, 5, 6]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: 
@@ -573,6 +541,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -602,6 +572,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: @@ -634,6 +606,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"dependentTasks":["for-loop-2"],"inputs":{"parameters":{"pipelinechannel--for-loop-2-pipelinechannel--double-2-Output":{"taskOutputParameter":{"outputParameterKey":"pipelinechannel--double-2-Output","producerTask":"for-loop-2"}},"pipelinechannel--for-loop-2-pipelinechannel--double-Output":{"taskOutputParameter":{"outputParameterKey":"pipelinechannel--double-Output","producerTask":"for-loop-2"}}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[0, 0, 0]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -663,6 +637,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"dependentTasks":["for-loop-2"],"inputs":{"parameters":{"pipelinechannel--for-loop-2-pipelinechannel--double-2-Output":{"taskOutputParameter":{"outputParameterKey":"pipelinechannel--double-2-Output","producerTask":"for-loop-2"}},"pipelinechannel--for-loop-2-pipelinechannel--double-Output":{"taskOutputParameter":{"outputParameterKey":"pipelinechannel--double-Output","producerTask":"for-loop-2"}}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[0, 0, 0]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/parameters_simple.yaml b/test_data/compiled-workflows/parameters_simple.yaml index 64f38fd79ed..8ea6c6b6779 100644 --- a/test_data/compiled-workflows/parameters_simple.yaml +++ b/test_data/compiled-workflows/parameters_simple.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -46,77 +45,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
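Review bot: `sidecar.istio.io/inject: "false"` is now written into `podMetadata.annotations` of the compiled workflow, and nothing in this hunk suggests it is conditional, so every pipeline pod would be created outside the mesh. In a cluster that relies on Istio peer authentication or authorization policies in front of ml-pipeline and the metadata service, these pods would either be rejected or talk to them without mesh mTLS. If the annotation is needed for the new plugin-based driver, make it a compiler option (or emit it only for the deployments that need it) and document the reason next to the code that sets it. The same annotation is added in the matching hunks of pipeline_as_exit_task.yaml, pipeline_in_pipeline.yaml and pipeline_in_pipeline_complex.yaml.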
@@ -134,16 +72,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -180,6 +150,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -209,6 +186,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -219,6 +204,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -266,62 +254,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -351,6 +284,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -364,6 +328,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -393,6 +359,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/pipeline_as_exit_task.yaml b/test_data/compiled-workflows/pipeline_as_exit_task.yaml index bce16bc4015..45ff561e27f 100644 --- a/test_data/compiled-workflows/pipeline_as_exit_task.yaml +++ b/test_data/compiled-workflows/pipeline_as_exit_task.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-task-final-status-conditional- spec: arguments: 
@@ -62,77 +61,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-task-final-status-conditional - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -150,16 +88,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-task-final-status-conditional + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -196,6 +166,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -225,6 +202,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -235,6 +220,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -283,62 +271,7 @@ spec: metadata: {} name: comp-condition-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-task-final-status-conditional - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -368,6 +301,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-task-final-status-conditional + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_in_pipeline.yaml b/test_data/compiled-workflows/pipeline_in_pipeline.yaml index 42868bffef0..08c27bc0697 100644 --- a/test_data/compiled-workflows/pipeline_in_pipeline.yaml +++ b/test_data/compiled-workflows/pipeline_in_pipeline.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-in-pipeline- spec: arguments: 
@@ -31,77 +30,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-in-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -119,16 +57,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -165,6 +135,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -194,6 +171,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -204,6 +189,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -276,62 +264,7 @@ spec: metadata: {} name: comp-inner-pipeline outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-in-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -361,6 +294,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_in_pipeline_complex.yaml b/test_data/compiled-workflows/pipeline_in_pipeline_complex.yaml index 263b5d2cc4b..28091b220fe 100644 --- a/test_data/compiled-workflows/pipeline_in_pipeline_complex.yaml +++ b/test_data/compiled-workflows/pipeline_in_pipeline_complex.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-in-pipeline-complex- spec: arguments: 
@@ -40,77 +39,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-in-pipeline-complex - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -128,16 +66,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline-complex + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -174,6 +144,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -203,6 +180,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -213,6 +198,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -292,62 +280,7 @@ spec: metadata: {} name: comp-condition-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-in-pipeline-complex - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -377,6 +310,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline-complex + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -499,6 +463,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[\"Hello\", \"world!\"]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -528,6 +494,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[\"Hello\", \"world!\"]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/pipeline_in_pipeline_loaded_from_yaml.yaml b/test_data/compiled-workflows/pipeline_in_pipeline_loaded_from_yaml.yaml index 9c7db70e223..a62d275300a 100644 --- a/test_data/compiled-workflows/pipeline_in_pipeline_loaded_from_yaml.yaml +++ b/test_data/compiled-workflows/pipeline_in_pipeline_loaded_from_yaml.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-in-pipeline- spec: arguments: 
@@ -47,77 +46,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-in-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
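Review bot: `sidecar.istio.io/inject: "false"` is added to `podMetadata.annotations` unconditionally, so pods created from this workflow opt out of the mesh sidecar, while the `driver-plugin` args in the next hunk set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. Taken together, the calls to `ml-pipeline.kubeflow.svc.cluster.local:8887` and `metadata-grpc-service.kubeflow.svc.cluster.local:8080` appear to have neither mesh mTLS nor application TLS, and in a namespace that enforces strict mTLS such pods may be refused outright. Since this is compiled golden output, the fix belongs in the compiler: make the annotation depend on deployment configuration, or document why it is always set, e.g. `# sidecar injection disabled: <reason>`. The same annotation is added in pipeline_producer_consumer.yaml, pipeline_with_after.yaml, pipeline_with_artifact_custom_path.yaml and pipeline_with_artifact_upload_download.yaml.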
@@ -135,16 +73,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -181,6 +151,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -210,6 +187,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -220,6 +205,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -292,62 +280,7 @@ spec: metadata: {} name: comp-inner-pipeline outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-in-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -377,6 +310,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_producer_consumer.yaml b/test_data/compiled-workflows/pipeline_producer_consumer.yaml index e3f0fdca73d..5b2381f6e5d 100644 --- a/test_data/compiled-workflows/pipeline_producer_consumer.yaml +++ b/test_data/compiled-workflows/pipeline_producer_consumer.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: math-pipeline- spec: arguments: 
@@ -78,77 +77,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -166,16 +104,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -212,6 +182,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -241,6 +218,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -251,6 +236,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -298,62 +286,7 @@ spec: metadata: {} name: comp-for-loop-2-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - math-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -383,6 +316,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: math-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -396,6 +360,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[\"m\", \"a\", \"t\", \"h\"]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -425,6 +391,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[\"m\", \"a\", \"t\", \"h\"]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
@@ -556,6 +524,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: @@ -585,6 +555,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: @@ -631,6 +603,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -660,6 +634,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2, 3]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_after.yaml b/test_data/compiled-workflows/pipeline_with_after.yaml index 1a62e629d7b..96d67c6a1bd 100644 --- a/test_data/compiled-workflows/pipeline_with_after.yaml +++ b/test_data/compiled-workflows/pipeline_with_after.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-after- spec: arguments: 
@@ -19,77 +18,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-after - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -107,16 +45,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-after + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -153,6 +123,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -182,6 +159,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -192,6 +177,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -292,62 +280,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-after - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -377,6 +310,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-after + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_artifact_custom_path.yaml b/test_data/compiled-workflows/pipeline_with_artifact_custom_path.yaml index 06a501085f9..da2c5c12e98 100644 --- a/test_data/compiled-workflows/pipeline_with_artifact_custom_path.yaml +++ b/test_data/compiled-workflows/pipeline_with_artifact_custom_path.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-custom-path-artifact- spec: arguments: 
@@ -47,77 +46,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-custom-path-artifact - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -135,16 +73,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-custom-path-artifact + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -181,6 +151,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -210,6 +187,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -220,6 +205,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -292,62 +280,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-custom-path-artifact - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -377,6 +310,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-custom-path-artifact + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_artifact_upload_download.yaml b/test_data/compiled-workflows/pipeline_with_artifact_upload_download.yaml index 1e622ecceab..eb0ba8ff082 100644 --- a/test_data/compiled-workflows/pipeline_with_artifact_upload_download.yaml +++ b/test_data/compiled-workflows/pipeline_with_artifact_upload_download.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-datasets- spec: arguments: 
@@ -46,77 +45,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-datasets - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
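Review bot: `sidecar.istio.io/inject: "false"` is added under the workflow-level `podMetadata.annotations` (hunk -46,77 +45,16), so it appears to apply to every pod of the run, including the pods that execute user code, not only to the driver. On a mesh-enabled cluster this takes those pods out of sidecar mTLS and out of any policy keyed on workload identity, and the driver args on this page also carry `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. If the opt-out is only needed by the plugin, scope it there; otherwise have the compiler document why every pod needs it. The annotation recurs in each compiled workflow below.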
@@ -134,16 +72,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-datasets + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -180,6 +150,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
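Review bot: The driver args in hunk -134,16 +72,48 still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `'{{outputs.parameters.<name>.path}}'`, but the same hunk replaces each of those outputs' `path:` with `jsonPath:`. With no `path` declared the placeholders may not resolve, which would hand the plugin a literal template string or fail validation; whether Argo still defines the variable for plugin templates needs checking. If the plugin returns its results in the response body, the compiler should stop emitting the three `*_path` args. The same pattern recurs in the container driver hunk of each later file.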
@@ -209,6 +186,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -219,6 +204,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -291,62 +279,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-datasets - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -376,6 +309,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-datasets + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_concat_placeholder.yaml b/test_data/compiled-workflows/pipeline_with_concat_placeholder.yaml index c4b0f0fb029..924b3a09f9f 100644 --- a/test_data/compiled-workflows/pipeline_with_concat_placeholder.yaml +++ b/test_data/compiled-workflows/pipeline_with_concat_placeholder.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: one-step-pipeline-with-concat-placeholder- spec: arguments: 
@@ -18,77 +17,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - one-step-pipeline-with-concat-placeholder - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -106,16 +44,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: one-step-pipeline-with-concat-placeholder + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -152,6 +122,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -181,6 +158,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -191,6 +176,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -238,62 +226,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - one-step-pipeline-with-concat-placeholder - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -323,6 +256,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: one-step-pipeline-with-concat-placeholder + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_condition.yaml b/test_data/compiled-workflows/pipeline_with_condition.yaml index 471e270dd23..2913b43493b 100644 --- a/test_data/compiled-workflows/pipeline_with_condition.yaml +++ b/test_data/compiled-workflows/pipeline_with_condition.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: single-condition-pipeline- spec: arguments: 
@@ -44,77 +43,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - single-condition-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -132,16 +70,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: single-condition-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -178,6 +148,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -207,6 +184,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -217,6 +202,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -313,62 +301,7 @@ spec: metadata: {} name: comp-condition-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - single-condition-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -398,6 +331,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: single-condition-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_condition_dynamic_task_output_custom_training_job.yaml b/test_data/compiled-workflows/pipeline_with_condition_dynamic_task_output_custom_training_job.yaml index 716e377db10..96e732bbbe6 100644 --- a/test_data/compiled-workflows/pipeline_with_condition_dynamic_task_output_custom_training_job.yaml +++ b/test_data/compiled-workflows/pipeline_with_condition_dynamic_task_output_custom_training_job.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-dynamic-condition-output- spec: arguments: 
@@ -141,77 +140,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-dynamic-condition-output - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -229,16 +167,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-dynamic-condition-output + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -275,6 +245,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -304,6 +281,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -314,6 +299,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -361,62 +349,7 @@ spec: metadata: {} name: comp-condition-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-dynamic-condition-output - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -446,6 +379,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-dynamic-condition-output + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_dynamic_importer_metadata.yaml b/test_data/compiled-workflows/pipeline_with_dynamic_importer_metadata.yaml index 35783a40ef4..88e2303000b 100644 --- a/test_data/compiled-workflows/pipeline_with_dynamic_importer_metadata.yaml +++ b/test_data/compiled-workflows/pipeline_with_dynamic_importer_metadata.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-importer- spec: arguments: 
@@ -33,8 +32,13 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - container: @@ -85,6 +89,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task 
@@ -94,73 +106,11 @@ spec: metadata: {} name: system-importer outputs: {} - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-importer - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - inputs: parameters: - name: component - name: task 
@@ -178,16 +128,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -224,6 +206,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -253,6 +242,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -263,6 +260,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -334,62 +334,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-importer - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
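Review bot: The template-level `securityContext` added to `system-container-impl` (hunk `-263,6 +260,9`) sets only `seccompProfile`, and the container `securityContext` added for the `should-be-overridden-during-runtime` image (hunk `-224,6 +206,13`) is the one container-level block in this diff without `runAsNonRoot: true`. If Argo uses a template's pod `securityContext` in place of the workflow-level one rather than merging the two, the `runAsNonRoot: true` that the commit adds at workflow level (visible in the `podMetadata` hunks of the following files) would not reach the executor pod, and the user container could start as root. If that is deliberate so that arbitrary user images keep working, record it in a comment where the compiler emits this block; otherwise emit `runAsNonRoot: true` in the template-level block as well. The same two hunks repeat in each compiled workflow below.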
@@ -419,6 +364,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_dynamic_task_output_custom_training_job.yaml b/test_data/compiled-workflows/pipeline_with_dynamic_task_output_custom_training_job.yaml index a5c0db72829..5d074fe3ebe 100644 --- a/test_data/compiled-workflows/pipeline_with_dynamic_task_output_custom_training_job.yaml +++ b/test_data/compiled-workflows/pipeline_with_dynamic_task_output_custom_training_job.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline- spec: arguments: 
@@ -103,77 +102,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
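Review bot: `sidecar.istio.io/inject: "false"` is added under `podMetadata.annotations`, so it applies to every pod the workflow creates, while the driver-plugin args in the same file set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. If these golden values mirror the compiler's defaults in a mesh deployment, traffic from these pods to `ml-pipeline` and `metadata-grpc-service` would carry neither mesh mTLS nor application TLS, and a mesh authorization policy keyed on workload identity would not see a sidecar identity for them. No compiled workflow in the visible hunks has either TLS flag set to `true`, so that path looks untested here. A compiled-workflow case with TLS enabled would cover it, and a comment in the compiler should explain why injection is disabled for all pods rather than only where the plugin needs it. The annotation repeats in the `podMetadata` hunk of each following file.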
@@ -191,16 +129,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -237,6 +207,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -266,6 +243,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -276,6 +261,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -396,62 +384,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -481,6 +414,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_env.yaml b/test_data/compiled-workflows/pipeline_with_env.yaml index a597944863b..ad950333d53 100644 --- a/test_data/compiled-workflows/pipeline_with_env.yaml +++ b/test_data/compiled-workflows/pipeline_with_env.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-env- spec: arguments: 
@@ -31,77 +30,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-env - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -119,16 +57,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-env + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -165,6 +135,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -194,6 +171,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -204,6 +189,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -275,62 +263,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-env - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -360,6 +293,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-env + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_exit_handler.yaml b/test_data/compiled-workflows/pipeline_with_exit_handler.yaml index e3ac40122ea..9c252ab9c2b 100644 --- a/test_data/compiled-workflows/pipeline_with_exit_handler.yaml +++ b/test_data/compiled-workflows/pipeline_with_exit_handler.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-exit-handler- spec: arguments: 
@@ -43,77 +42,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-exit-handler - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -131,16 +69,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-exit-handler + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -177,6 +147,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -206,6 +183,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -216,6 +201,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -321,62 +309,7 @@ spec: metadata: {} name: exit-hook-root-print-op outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-exit-handler - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -406,6 +339,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-exit-handler + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_google_artifact_type.yaml b/test_data/compiled-workflows/pipeline_with_google_artifact_type.yaml index 1720711fa76..580ad5bf1fb 100644 --- a/test_data/compiled-workflows/pipeline_with_google_artifact_type.yaml +++ b/test_data/compiled-workflows/pipeline_with_google_artifact_type.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-google-types- spec: arguments: 
@@ -51,8 +50,13 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - container: @@ -103,6 +107,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task 
@@ -112,73 +124,11 @@ spec: metadata: {} name: system-importer outputs: {} - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-google-types - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - inputs: parameters: - name: component - name: task 
@@ -196,16 +146,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-google-types + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -242,6 +224,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -271,6 +260,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -281,6 +278,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -365,62 +365,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-google-types - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -450,6 +395,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-google-types + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_importer.yaml b/test_data/compiled-workflows/pipeline_with_importer.yaml index 532d0c6188e..0897496bd67 100644 --- a/test_data/compiled-workflows/pipeline_with_importer.yaml +++ b/test_data/compiled-workflows/pipeline_with_importer.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-importer- spec: arguments: 
@@ -41,8 +40,13 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - container: @@ -93,6 +97,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task 
@@ -102,73 +114,11 @@ spec: metadata: {} name: system-importer outputs: {} - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-importer - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - inputs: parameters: - name: component - name: task 
@@ -186,16 +136,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -232,6 +214,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
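Review bot: The plugin `args` added in the `type: CONTAINER` driver template still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `{{outputs.parameters.<name>.path}}`, although this same hunk replaces those outputs' `path:` with `jsonPath:`. The references were backed by the `path:` fields being removed, so it is worth confirming they still resolve, or dropping the three `*_path` args if the plugin returns these values in its response. The root-driver template (the plugin hunk with `type: '{{inputs.parameters.driver-type}}'`) keeps `path: /tmp/outputs/condition` on its output, so the two driver templates now declare outputs differently. The pattern repeats in the other compiled workflows; as these files are compiler output, the change belongs in the compiler.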
@@ -261,6 +250,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -271,6 +268,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -331,62 +331,7 @@ spec: metadata: {} name: comp-condition-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-importer - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -416,6 +361,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_importer_and_gcpc_types.yaml b/test_data/compiled-workflows/pipeline_with_importer_and_gcpc_types.yaml index 248b6dd24b2..a41090eda0a 100644 --- a/test_data/compiled-workflows/pipeline_with_importer_and_gcpc_types.yaml +++ b/test_data/compiled-workflows/pipeline_with_importer_and_gcpc_types.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-importer-and-gcpc-type- spec: arguments: 
@@ -20,77 +19,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-importer-and-gcpc-type - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -108,16 +46,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer-and-gcpc-type + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -154,6 +124,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -183,6 +160,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -193,6 +178,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -256,6 +244,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task @@ -265,6 +261,10 @@ spec: metadata: {} name: system-importer outputs: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: 
@@ -310,62 +310,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-importer-and-gcpc-type - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -395,6 +340,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer-and-gcpc-type + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_importer_workspace.yaml b/test_data/compiled-workflows/pipeline_with_importer_workspace.yaml index dcd9616a752..ec8092f9867 100644 --- a/test_data/compiled-workflows/pipeline_with_importer_workspace.yaml +++ b/test_data/compiled-workflows/pipeline_with_importer_workspace.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-importer-workspace- spec: arguments: 
@@ -108,8 +107,13 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - container: @@ -160,6 +164,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-workspace name: kfp-workspace 
@@ -172,77 +184,15 @@ spec: metadata: {} name: system-importer-workspace outputs: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: kfp-workspace persistentVolumeClaim: claimName: '{{workflow.name}}-kfp-workspace' - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-importer-workspace - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -260,16 +210,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer-workspace + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -306,6 +288,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -335,6 +324,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -345,6 +342,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -442,62 +442,7 @@ spec: metadata: {} name: comp-import-stage outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-importer-workspace - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -527,6 +472,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-importer-workspace + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -682,7 +658,6 @@ spec: outputs: {} volumeClaimTemplates: - metadata: - creationTimestamp: null name: kfp-workspace spec: accessModes: diff --git a/test_data/compiled-workflows/pipeline_with_input_status_state.yaml b/test_data/compiled-workflows/pipeline_with_input_status_state.yaml index 615c7109453..1eda066bc84 100644 --- a/test_data/compiled-workflows/pipeline_with_input_status_state.yaml +++ b/test_data/compiled-workflows/pipeline_with_input_status_state.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: status-state-pipeline- spec: arguments: 
@@ -43,77 +42,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - status-state-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -131,16 +69,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: status-state-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -177,6 +147,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -206,6 +183,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -216,6 +201,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -295,62 +283,7 @@ spec: metadata: {} name: exit-hook-root-echo-state outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - status-state-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -380,6 +313,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: status-state-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_loops.yaml b/test_data/compiled-workflows/pipeline_with_loops.yaml index 7dca578ced8..5723013d180 100644 --- a/test_data/compiled-workflows/pipeline_with_loops.yaml +++ b/test_data/compiled-workflows/pipeline_with_loops.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-loops- spec: arguments: 
@@ -59,77 +58,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-loops - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -147,16 +85,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-loops + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -193,6 +163,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
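Review bot: The three outputs switch from `path:` to `jsonPath:`, but the plugin args in the same hunk still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `{{outputs.parameters.<name>.path}}`, which now refer to a `path` that no output declares. Depending on how Argo treats an unresolvable `outputs.parameters.*.path` variable, the plugin would receive either the literal template string or a resolution error; neither looks intended. If the plugin returns these values in its response, the three `*_path` args can probably be dropped from the compiler output. The same pattern is in the container-driver hunks of `pipeline_with_loops_and_conditions.yaml` and `pipeline_with_metadata_fields.yaml`.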
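Review bot: The `securityContext` added in the `@@ -193,6 +163,13 @@` hunk, on the container whose image is `gcr.io/ml-pipeline/should-be-overridden-during-runtime`, omits `runAsNonRoot: true`, while the sibling container in the following hunk gets it. The template-level `securityContext` added after `podSpecPatch` also carries only `seccompProfile`. If a template-level context replaces the workflow-level one rather than merging with it (worth confirming against Argo), the workflow-wide `runAsNonRoot: true` never reaches this pod and user code can still run as UID 0. If that is a deliberate concession to arbitrary user images, say so where the compiler builds this context; otherwise add `runAsNonRoot: true` to this container as well. The same three hunks repeat in `pipeline_with_loops_and_conditions.yaml` and `pipeline_with_metadata_fields.yaml`.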
@@ -222,6 +199,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -232,6 +217,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -439,62 +427,7 @@ spec: metadata: {} name: comp-for-loop-4 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-loops - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -524,6 +457,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-loops + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -536,6 +500,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: 
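Review bot: `metadata_tls_enabled: false` and `ml_pipeline_tls_enabled: false` are pinned in this driver-plugin args block and in every other one on this page, so none of the goldens visible here covers the TLS-enabled path. The removed container args carried no TLS flags at all, which makes these two keys new plumbing. A regression that silently drops them to `false` would leave driver traffic to `ml-pipeline` and `metadata-grpc-service` in plaintext without failing any test. Consider adding one compiled-workflow fixture generated with both options enabled, unless such a fixture already exists elsewhere in the commit.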
@@ -564,6 +530,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: @@ -595,6 +563,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"dependentTasks":["args-generator-op"],"inputs":{"parameters":{"pipelinechannel--args-generator-op-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"args-generator-op"}}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-Output-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-Output"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -623,6 +593,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"dependentTasks":["args-generator-op"],"inputs":{"parameters":{"pipelinechannel--args-generator-op-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"args-generator-op"}}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-Output-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-Output"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
@@ -655,6 +627,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[{\"A_a\": \"1\", \"B_b\": \"2\"}, {\"A_a\": \"10\", \"B_b\": \"20\"}]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: @@ -684,6 +658,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[{\"A_a\": \"1\", \"B_b\": \"2\"}, {\"A_a\": \"10\", \"B_b\": \"20\"}]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_loops_and_conditions.yaml b/test_data/compiled-workflows/pipeline_with_loops_and_conditions.yaml index b3189a5994f..4d17b875066 100644 --- a/test_data/compiled-workflows/pipeline_with_loops_and_conditions.yaml +++ b/test_data/compiled-workflows/pipeline_with_loops_and_conditions.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-loops-and-conditions-multi-layers- spec: arguments: 
@@ -105,77 +104,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-loops-and-conditions-multi-layers - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -193,16 +131,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-loops-and-conditions-multi-layers + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -239,6 +209,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -268,6 +245,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -278,6 +263,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -389,62 +377,7 @@ spec: metadata: {} name: comp-for-loop-7 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-loops-and-conditions-multi-layers - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -474,6 +407,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-loops-and-conditions-multi-layers + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -487,6 +451,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-7"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-Output-loop-item":{"componentInputParameter":"pipelinechannel--args-generator-op-Output-loop-item"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-6","items":{"raw":"[{\"a\": \"-1\"}, {\"a\": \"-2\"}]"}},"taskInfo":{"name":"for-loop-7"}}' + - name: task-name + value: for-loop-7 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -516,6 +482,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-7"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-Output-loop-item":{"componentInputParameter":"pipelinechannel--args-generator-op-Output-loop-item"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-6","items":{"raw":"[{\"a\": \"-1\"}, {\"a\": \"-2\"}]"}},"taskInfo":{"name":"for-loop-7"}}' + - name: task-name + value: for-loop-7 name: iteration-driver template: system-dag-driver - arguments: @@ -712,6 +680,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-10"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-2-Output":{"componentInputParameter":"pipelinechannel--args-generator-op-2-Output"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"},"pipelinechannel--loop_parameter-loop-item":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item"}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-2-Output-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-2-Output"}},"taskInfo":{"name":"for-loop-10"}}' + - name: task-name + value: for-loop-10 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -740,6 +710,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-10"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-2-Output":{"componentInputParameter":"pipelinechannel--args-generator-op-2-Output"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"},"pipelinechannel--loop_parameter-loop-item":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item"}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-2-Output-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-2-Output"}},"taskInfo":{"name":"for-loop-10"}}' + - name: task-name + value: for-loop-10 name: iteration-driver template: system-dag-driver - arguments: @@ -810,6 +782,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-12"},"inputs":{"parameters":{"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-11","items":{"raw":"[\"1\", \"2\"]"}},"taskInfo":{"name":"for-loop-12"}}' + - name: task-name + value: for-loop-12 name: iteration-item-driver template: system-dag-driver - arguments: @@ -839,6 +813,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-12"},"inputs":{"parameters":{"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-11","items":{"raw":"[\"1\", \"2\"]"}},"taskInfo":{"name":"for-loop-12"}}' + - name: task-name + value: for-loop-12 name: iteration-driver template: system-dag-driver - arguments: 
@@ -870,6 +846,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-8"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-Output-loop-item":{"componentInputParameter":"pipelinechannel--args-generator-op-Output-loop-item"},"pipelinechannel--args-generator-op-Output-loop-item-subvar-B_b":{"componentInputParameter":"pipelinechannel--args-generator-op-Output-loop-item","parameterExpressionSelector":"parseJson(string_value)[\"B_b\"]"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-Output-loop-item-subvar-B_b-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-Output-loop-item-subvar-B_b"}},"taskInfo":{"name":"for-loop-8"}}' + - name: task-name + value: for-loop-8 name: iteration-item-driver template: system-dag-driver - arguments: @@ -898,6 +876,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-8"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-Output-loop-item":{"componentInputParameter":"pipelinechannel--args-generator-op-Output-loop-item"},"pipelinechannel--args-generator-op-Output-loop-item-subvar-B_b":{"componentInputParameter":"pipelinechannel--args-generator-op-Output-loop-item","parameterExpressionSelector":"parseJson(string_value)[\"B_b\"]"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-Output-loop-item-subvar-B_b-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-Output-loop-item-subvar-B_b"}},"taskInfo":{"name":"for-loop-8"}}' + - name: task-name + value: for-loop-8 name: iteration-driver template: system-dag-driver - arguments: 
@@ -929,6 +909,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-9"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-2-Output":{"componentInputParameter":"pipelinechannel--args-generator-op-2-Output"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"},"pipelinechannel--loop_parameter":{"componentInputParameter":"pipelinechannel--loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-9"}}' + - name: task-name + value: for-loop-9 name: iteration-item-driver template: system-dag-driver - arguments: @@ -957,6 +939,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-9"},"inputs":{"parameters":{"pipelinechannel--args-generator-op-2-Output":{"componentInputParameter":"pipelinechannel--args-generator-op-2-Output"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"},"pipelinechannel--loop_parameter":{"componentInputParameter":"pipelinechannel--loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-9"}}' + - name: task-name + value: for-loop-9 name: iteration-driver template: system-dag-driver - arguments: 
@@ -1107,6 +1091,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"dependentTasks":["args-generator-op-2"],"inputs":{"parameters":{"pipelinechannel--args-generator-op-2-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"args-generator-op-2"}},"pipelinechannel--args-generator-op-Output":{"componentInputParameter":"pipelinechannel--args-generator-op-Output"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"},"pipelinechannel--loop_parameter":{"componentInputParameter":"pipelinechannel--loop_parameter"},"pipelinechannel--msg":{"componentInputParameter":"pipelinechannel--msg"}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-Output-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-Output"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -1135,6 +1121,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"dependentTasks":["args-generator-op-2"],"inputs":{"parameters":{"pipelinechannel--args-generator-op-2-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"args-generator-op-2"}},"pipelinechannel--args-generator-op-Output":{"componentInputParameter":"pipelinechannel--args-generator-op-Output"},"pipelinechannel--flip-coin-op-Output":{"componentInputParameter":"pipelinechannel--flip-coin-op-Output"},"pipelinechannel--loop_parameter":{"componentInputParameter":"pipelinechannel--loop_parameter"},"pipelinechannel--msg":{"componentInputParameter":"pipelinechannel--msg"}}},"parameterIterator":{"itemInput":"pipelinechannel--args-generator-op-Output-loop-item","items":{"inputParameter":"pipelinechannel--args-generator-op-Output"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: @@ -1237,6 +1225,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-16"},"inputs":{"parameters":{"pipelinechannel--loop_parameter-loop-item":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item"},"pipelinechannel--loop_parameter-loop-item-subvar-B_b":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item","parameterExpressionSelector":"parseJson(string_value)[\"B_b\"]"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item-subvar-B_b-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter-loop-item-subvar-B_b"}},"taskInfo":{"name":"for-loop-16"}}' + - name: task-name + value: for-loop-16 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -1265,6 +1255,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-16"},"inputs":{"parameters":{"pipelinechannel--loop_parameter-loop-item":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item"},"pipelinechannel--loop_parameter-loop-item-subvar-B_b":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item","parameterExpressionSelector":"parseJson(string_value)[\"B_b\"]"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item-subvar-B_b-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter-loop-item-subvar-B_b"}},"taskInfo":{"name":"for-loop-16"}}' + - name: task-name + value: for-loop-16 name: iteration-driver template: system-dag-driver - arguments: @@ -1341,6 +1333,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-14"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-14"}}' + - name: task-name + value: for-loop-14 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1369,6 +1363,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-14"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-14"}}' + - name: task-name + value: for-loop-14 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/pipeline_with_metadata_fields.yaml b/test_data/compiled-workflows/pipeline_with_metadata_fields.yaml index b2b2fab923f..e60222630ea 100644 --- a/test_data/compiled-workflows/pipeline_with_metadata_fields.yaml +++ b/test_data/compiled-workflows/pipeline_with_metadata_fields.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: dataset-concatenator- spec: arguments: 
@@ -56,77 +55,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - dataset-concatenator - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -144,16 +82,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: dataset-concatenator + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -190,6 +160,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -219,6 +196,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -229,6 +214,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -301,62 +289,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - dataset-concatenator - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -386,6 +319,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: dataset-concatenator + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_metrics_outputs.yaml b/test_data/compiled-workflows/pipeline_with_metrics_outputs.yaml index 703fffa644c..6bea0523463 100644 --- a/test_data/compiled-workflows/pipeline_with_metrics_outputs.yaml +++ b/test_data/compiled-workflows/pipeline_with_metrics_outputs.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-metrics-outputs- spec: arguments: 
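Review bot: `metadata_tls_enabled: false` and `ml_pipeline_tls_enabled: false` are compiled into the plugin args as literals next to the fixed `ml-pipeline.kubeflow.svc.cluster.local` and `metadata-grpc-service.kubeflow.svc.cluster.local` addresses, so a submitted workflow presumably keeps talking plaintext to both services even if TLS is enabled on the cluster afterwards. No golden file in this part of the diff has either flag set to `true`, so a regression that stops the compiler from propagating the TLS setting would not show up in these fixtures. A fixture compiled with TLS on, expecting `metadata_tls_enabled: true` and `ml_pipeline_tls_enabled: true`, would close that gap. The container-driver hunks carry the same two literals.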
@@ -30,77 +29,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-metrics-outputs - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
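Review bot: The added `sidecar.istio.io/inject: "false"` under `podMetadata.annotations` opts the workflow's pods out of Istio sidecar injection, which also removes mesh mTLS and sidecar-enforced authorization for traffic from those pods. It is emitted unconditionally in every file-header hunk in this part of the diff, and the plugin args in the same files set both `*_tls_enabled` flags to `false`, so neither layer appears to protect that traffic in the default output. If the opt-out is needed for the pods to complete, the reason should be recorded where the compiler emits the annotation, and the value is better driven by a deployment setting than fixed for every pipeline.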
@@ -118,16 +56,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-metrics-outputs + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -164,6 +134,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -193,6 +170,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -203,6 +188,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -250,62 +238,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-metrics-outputs - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -335,6 +268,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-metrics-outputs + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -348,6 +312,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -377,6 +343,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[1, 2]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
diff --git a/test_data/compiled-workflows/pipeline_with_multiple_exit_handlers.yaml b/test_data/compiled-workflows/pipeline_with_multiple_exit_handlers.yaml index d4cd9c697f8..b9de26b2894 100644 --- a/test_data/compiled-workflows/pipeline_with_multiple_exit_handlers.yaml +++ b/test_data/compiled-workflows/pipeline_with_multiple_exit_handlers.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-multiple-exit-handlers- spec: arguments: 
@@ -49,77 +48,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-multiple-exit-handlers - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -137,16 +75,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-multiple-exit-handlers + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -183,6 +153,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -212,6 +189,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -222,6 +207,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -457,62 +445,7 @@ spec: metadata: {} name: exit-hook-root-print-op-5 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-multiple-exit-handlers - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -542,6 +475,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-multiple-exit-handlers + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_nested_conditions.yaml b/test_data/compiled-workflows/pipeline_with_nested_conditions.yaml index 62041957342..98383b9559d 100644 --- a/test_data/compiled-workflows/pipeline_with_nested_conditions.yaml +++ b/test_data/compiled-workflows/pipeline_with_nested_conditions.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: nested-conditions-pipeline- spec: arguments: 
@@ -46,77 +45,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - nested-conditions-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -134,16 +72,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-conditions-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -180,6 +150,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -209,6 +186,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -219,6 +204,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -291,62 +279,7 @@ spec: metadata: {} name: comp-condition-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - nested-conditions-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -376,6 +309,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: nested-conditions-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_nested_conditions_yaml.yaml b/test_data/compiled-workflows/pipeline_with_nested_conditions_yaml.yaml index c2b021a104b..48405fa8e60 100644 --- a/test_data/compiled-workflows/pipeline_with_nested_conditions_yaml.yaml +++ b/test_data/compiled-workflows/pipeline_with_nested_conditions_yaml.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: conditional-execution-pipeline- spec: arguments: 
@@ -58,77 +57,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - conditional-execution-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -146,16 +84,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: conditional-execution-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -192,6 +162,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -221,6 +198,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -231,6 +216,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -314,62 +302,7 @@ spec: metadata: {} name: comp-condition-3 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - conditional-execution-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -399,6 +332,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: conditional-execution-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_nested_loops.yaml b/test_data/compiled-workflows/pipeline_with_nested_loops.yaml index a8a0666a4b7..0b6b88a027a 100644 --- a/test_data/compiled-workflows/pipeline_with_nested_loops.yaml +++ b/test_data/compiled-workflows/pipeline_with_nested_loops.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-nested-loops- spec: arguments: 
@@ -36,77 +35,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-nested-loops - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -124,16 +62,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-nested-loops + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -170,6 +140,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
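Review bot: In `@@ -124,16 +62,48 @@` the three outputs switch from `path: /tmp/outputs/...` to `jsonPath: $....`, but the new plugin args still reference `'{{outputs.parameters.cached-decision.path}}'`, `'{{outputs.parameters.pod-spec-patch.path}}'` and `'{{outputs.parameters.condition.path}}'`. As far as I know, Argo only defines the `.path` variable for outputs that declare `valueFrom.path`, so these references may fail to resolve or resolve to nothing. Either drop `cached_decision_path`, `pod_spec_patch_path` and `condition_path` from the args, or keep a `path:` the plugin really writes to. The `pod-spec-patch` output appears to feed `podSpecPatch: '{{inputs.parameters.pod-spec-patch}}'` on the executor template, so a silent fallback to its `default: ""` would change what the executor pod runs with. The same mismatch is in `@@ -104,16 +42,48 @@`, `@@ -120,16 +58,48 @@` and `@@ -211,16 +149,48 @@`.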
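Review bot: The `securityContext` added in `@@ -170,6 +140,13 @@` to the container with image `gcr.io/ml-pipeline/should-be-overridden-during-runtime` omits `runAsNonRoot: true`, which the next container hunk (`@@ -199,6 +176,14 @@`) does set. The template-level `securityContext` added in `@@ -209,6 +194,9 @@` carries only `seccompProfile`. If Argo applies a template's pod `securityContext` in place of the workflow-level one (my understanding, not shown in this diff), the `runAsNonRoot: true` added at workflow level in `@@ -36,77 +35,16 @@` never reaches this pod and the user container may run as root. If that is deliberate, to support user images that need root, the compiler should say so where it builds this block; otherwise add `runAsNonRoot: true` to the template-level `securityContext`. The same holds for `@@ -150,6 +120,13 @@`, `@@ -166,6 +136,13 @@` and `@@ -257,6 +227,13 @@`.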
@@ -199,6 +176,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -209,6 +194,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -256,62 +244,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-nested-loops - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -341,6 +274,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-nested-loops + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: 
@@ -353,6 +317,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--loop_parameter-loop-item":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item"},"pipelinechannel--loop_parameter-loop-item-subvar-p_a":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item","parameterExpressionSelector":"parseJson(string_value)[\"p_a\"]"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item-subvar-p_a-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter-loop-item-subvar-p_a"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: @@ -381,6 +347,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--loop_parameter-loop-item":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item"},"pipelinechannel--loop_parameter-loop-item-subvar-p_a":{"componentInputParameter":"pipelinechannel--loop_parameter-loop-item","parameterExpressionSelector":"parseJson(string_value)[\"p_a\"]"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item-subvar-p_a-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter-loop-item-subvar-p_a"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: 
@@ -459,6 +427,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"inputs":{"parameters":{"pipelinechannel--loop-item-param-3":{"componentInputParameter":"pipelinechannel--loop-item-param-3"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[\"100\", \"200\", \"300\"]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-item-driver template: system-dag-driver - arguments: @@ -488,6 +458,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"inputs":{"parameters":{"pipelinechannel--loop-item-param-3":{"componentInputParameter":"pipelinechannel--loop-item-param-3"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[\"100\", \"200\", \"300\"]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-driver template: system-dag-driver - arguments: @@ -557,6 +529,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: @@ -585,6 +559,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: 
@@ -617,6 +593,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[\"1\", \"2\"]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: @@ -646,6 +624,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[\"1\", \"2\"]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_only_display_name.yaml b/test_data/compiled-workflows/pipeline_with_only_display_name.yaml index 8d266854ee1..7902ab40874 100644 --- a/test_data/compiled-workflows/pipeline_with_only_display_name.yaml +++ b/test_data/compiled-workflows/pipeline_with_only_display_name.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo-name- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo-name - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo-name + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -236,62 +224,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo-name - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -321,6 +254,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo-name + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_outputs.yaml b/test_data/compiled-workflows/pipeline_with_outputs.yaml index cfe3aae749e..2b31c3977e1 100644 --- a/test_data/compiled-workflows/pipeline_with_outputs.yaml +++ b/test_data/compiled-workflows/pipeline_with_outputs.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-in-pipeline- spec: arguments: 
@@ -32,77 +31,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-in-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -120,16 +58,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -166,6 +136,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -195,6 +172,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -205,6 +190,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -277,62 +265,7 @@ spec: metadata: {} name: comp-inner-pipeline outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-in-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -362,6 +295,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-in-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_parallelfor_parallelism.yaml b/test_data/compiled-workflows/pipeline_with_parallelfor_parallelism.yaml index e49048cd00d..fe1a6a41d08 100644 --- a/test_data/compiled-workflows/pipeline_with_parallelfor_parallelism.yaml +++ b/test_data/compiled-workflows/pipeline_with_parallelfor_parallelism.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-loops- spec: arguments: 
@@ -123,77 +122,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-loops - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -211,16 +149,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-loops + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -257,6 +227,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -286,6 +263,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -296,6 +281,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -343,62 +331,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-loops - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -428,6 +361,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-loops + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -440,6 +404,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"pipelinechannel--loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -468,6 +434,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"pipelinechannel--loop_parameter"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: @@ -722,6 +690,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"iteratorPolicy":{"parallelismLimit":1},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[{\"A_a\": \"10\", \"B_b\": \"20\"}, {\"A_a\": \"100\", \"B_b\": \"200\"}]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-item-driver template: system-dag-driver - arguments: @@ -751,6 +721,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-6"},"iteratorPolicy":{"parallelismLimit":1},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-5","items":{"raw":"[{\"A_a\": \"10\", \"B_b\": \"20\"}, {\"A_a\": \"100\", \"B_b\": \"200\"}]"}},"taskInfo":{"name":"for-loop-6"}}' + - name: task-name + value: for-loop-6 name: iteration-driver template: system-dag-driver - arguments: @@ -909,6 +881,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"iteratorPolicy":{"parallelismLimit":2},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -937,6 +911,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--loop_parameter":{"componentInputParameter":"loop_parameter"}}},"iteratorPolicy":{"parallelismLimit":2},"parameterIterator":{"itemInput":"pipelinechannel--loop_parameter-loop-item","items":{"inputParameter":"pipelinechannel--loop_parameter"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: @@ -969,6 +945,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-10"},"dependentTasks":["list-dict-maker-1"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-1-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-1"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-1-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-1-Output"}},"taskInfo":{"name":"for-loop-10"}}' + - name: task-name + value: for-loop-10 name: iteration-item-driver template: system-dag-driver - arguments: @@ -997,6 +975,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-10"},"dependentTasks":["list-dict-maker-1"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-1-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-1"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-1-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-1-Output"}},"taskInfo":{"name":"for-loop-10"}}' + - name: task-name + value: for-loop-10 name: iteration-driver template: system-dag-driver - arguments: 
@@ -1028,6 +1008,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-11"},"dependentTasks":["list-dict-maker-2"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-2-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-2"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-2-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-2-Output"}},"taskInfo":{"name":"for-loop-11"}}' + - name: task-name + value: for-loop-11 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1056,6 +1038,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-11"},"dependentTasks":["list-dict-maker-2"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-2-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-2"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-2-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-2-Output"}},"taskInfo":{"name":"for-loop-11"}}' + - name: task-name + value: for-loop-11 name: iteration-driver template: system-dag-driver - arguments: @@ -1087,6 +1071,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-12"},"dependentTasks":["list-dict-maker-3"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-3-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-3"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-3-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-3-Output"}},"taskInfo":{"name":"for-loop-12"}}' + - name: task-name + value: for-loop-12 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -1115,6 +1101,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-12"},"dependentTasks":["list-dict-maker-3"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-3-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-3"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-3-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-3-Output"}},"taskInfo":{"name":"for-loop-12"}}' + - name: task-name + value: for-loop-12 name: iteration-driver template: system-dag-driver - arguments: @@ -1146,6 +1134,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-13"},"dependentTasks":["list-dict-maker-1-2"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-1-2-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-1-2"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-1-2-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-1-2-Output"}},"taskInfo":{"name":"for-loop-13"}}' + - name: task-name + value: for-loop-13 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1174,6 +1164,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-13"},"dependentTasks":["list-dict-maker-1-2"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-1-2-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-1-2"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-1-2-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-1-2-Output"}},"taskInfo":{"name":"for-loop-13"}}' + - name: task-name + value: for-loop-13 name: iteration-driver template: system-dag-driver - arguments: 
@@ -1206,6 +1198,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[{\"A_a\": \"1\", \"B_b\": \"2\"}, {\"A_a\": \"10\", \"B_b\": \"20\"}]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1235,6 +1229,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-4"},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-3","items":{"raw":"[{\"A_a\": \"1\", \"B_b\": \"2\"}, {\"A_a\": \"10\", \"B_b\": \"20\"}]"}},"taskInfo":{"name":"for-loop-4"}}' + - name: task-name + value: for-loop-4 name: iteration-driver template: system-dag-driver - arguments: @@ -1267,6 +1263,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-8"},"iteratorPolicy":{"parallelismLimit":1},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-7","items":{"raw":"[{\"a\": 1, \"b\": 2}, {\"a\": 2, \"b\": 3}, {\"a\": 3, \"b\": 4}]"}},"taskInfo":{"name":"for-loop-8"}}' + - name: task-name + value: for-loop-8 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1296,6 +1294,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-8"},"iteratorPolicy":{"parallelismLimit":1},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-7","items":{"raw":"[{\"a\": 1, \"b\": 2}, {\"a\": 2, \"b\": 3}, {\"a\": 3, \"b\": 4}]"}},"taskInfo":{"name":"for-loop-8"}}' + - name: task-name + value: for-loop-8 name: iteration-driver template: system-dag-driver - arguments: 
@@ -1328,6 +1328,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-9"},"dependentTasks":["list-dict-maker-0"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-0-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-0"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-0-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-0-Output"}},"taskInfo":{"name":"for-loop-9"}}' + - name: task-name + value: for-loop-9 name: iteration-item-driver template: system-dag-driver - arguments: @@ -1356,6 +1358,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-9"},"dependentTasks":["list-dict-maker-0"],"inputs":{"parameters":{"pipelinechannel--list-dict-maker-0-Output":{"taskOutputParameter":{"outputParameterKey":"Output","producerTask":"list-dict-maker-0"}}}},"parameterIterator":{"itemInput":"pipelinechannel--list-dict-maker-0-Output-loop-item","items":{"inputParameter":"pipelinechannel--list-dict-maker-0-Output"}},"taskInfo":{"name":"for-loop-9"}}' + - name: task-name + value: for-loop-9 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_params_containing_format.yaml b/test_data/compiled-workflows/pipeline_with_params_containing_format.yaml index 070191fdefe..0ae67544c43 100644 --- a/test_data/compiled-workflows/pipeline_with_params_containing_format.yaml +++ b/test_data/compiled-workflows/pipeline_with_params_containing_format.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-pipelineparam-containing-format- spec: arguments: 
@@ -45,77 +44,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-pipelineparam-containing-format - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
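Review bot: The added `sidecar.istio.io/inject: "false"` under `podMetadata.annotations` has no recorded reason, and it appears in every golden file in this diff, which suggests the compiler emits it unconditionally. On an Istio-enabled install this presumably takes the task pods out of the mesh, so mesh mTLS and authorization policies would no longer cover their traffic. The plugin args added later in this file also set `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. I would make the annotation depend on deployment configuration, or at least document it where the compiler emits it, e.g. `// task pods must not get an Istio sidecar because <reason>`. The same annotation is added in the first hunks of pipeline_with_placeholders.yaml, pipeline_with_pod_metadata.yaml and pipeline_with_retry.yaml; the enclosing `spec:` mapping starts outside this hunk.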
@@ -133,16 +71,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-pipelineparam-containing-format + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -179,6 +149,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
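Review bot: In hunk `@@ -133,16 +71,48 @@` the three outputs move from `path: /tmp/outputs/...` to `jsonPath: $....`, but the new plugin args still pass `'{{outputs.parameters.cached-decision.path}}'`, `'{{outputs.parameters.pod-spec-patch.path}}'` and `'{{outputs.parameters.condition.path}}'`. Whether Argo resolves the `.path` variable for a parameter that no longer has `valueFrom.path` is not visible here, so these args may render unresolved; if the plugin returns the values in its response, I would drop the three `*_path` args. The DAG-driver template in hunk `@@ -351,6 +284,37 @@` of this file keeps `path: /tmp/outputs/condition` next to its new `plugin:` block, so the two driver templates disagree; presumably that output should become `jsonPath: $.condition` as well. The same pattern repeats in pipeline_with_placeholders.yaml and pipeline_with_pod_metadata.yaml. The template's `outputs` mapping starts outside this hunk.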
@@ -208,6 +185,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -218,6 +203,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -266,62 +254,7 @@ spec: metadata: {} name: comp-for-loop-2 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-pipelineparam-containing-format - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
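Review bot: The template-level `securityContext` added to `system-container-impl` in hunk `@@ -218,6 +203,9 @@` carries only `seccompProfile`, and the container `securityContext` added in `@@ -179,6 +149,13 @@` (image `gcr.io/ml-pipeline/should-be-overridden-during-runtime`) omits `runAsNonRoot: true`. The container in `@@ -208,6 +185,14 @@` and the workflow-level `securityContext` both set it. If the template-level block replaces rather than merges with the workflow-level one (not shown here), that container is the only one left without a non-root requirement. This may be deliberate because user images can need root; if so, say it where the compiler builds the context, e.g. `// runAsNonRoot intentionally unset for the user container: arbitrary images may run as root`. Otherwise add `runAsNonRoot: true` to both blocks. The same three hunks recur in pipeline_with_placeholders.yaml and pipeline_with_pod_metadata.yaml.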
@@ -351,6 +284,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-pipelineparam-containing-format + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -364,6 +328,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--name":{"componentInputParameter":"name"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[\"1\", \"2\"]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -393,6 +359,8 @@ spec: - name: task value: '{"componentRef":{"name":"comp-for-loop-2"},"inputs":{"parameters":{"pipelinechannel--name":{"componentInputParameter":"name"}}},"parameterIterator":{"itemInput":"pipelinechannel--loop-item-param-1","items":{"raw":"[\"1\", \"2\"]"}},"taskInfo":{"name":"for-loop-2"}}' + - name: task-name + value: for-loop-2 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_placeholders.yaml b/test_data/compiled-workflows/pipeline_with_placeholders.yaml index d2ff8353ca9..72e86209e7a 100644 --- a/test_data/compiled-workflows/pipeline_with_placeholders.yaml +++ b/test_data/compiled-workflows/pipeline_with_placeholders.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-placeholders- spec: arguments: 
@@ -32,77 +31,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-placeholders - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -120,16 +58,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-placeholders + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -166,6 +136,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -195,6 +172,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -205,6 +190,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -252,62 +240,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-placeholders - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -337,6 +270,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-placeholders + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_pod_metadata.yaml b/test_data/compiled-workflows/pipeline_with_pod_metadata.yaml index 4ac0f02b6f8..5942b69ef31 100644 --- a/test_data/compiled-workflows/pipeline_with_pod_metadata.yaml +++ b/test_data/compiled-workflows/pipeline_with_pod_metadata.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-pod-metadata- spec: arguments: 
@@ -147,77 +146,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-pod-metadata - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -235,16 +173,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-pod-metadata + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -281,6 +251,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -310,6 +287,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -320,6 +305,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -389,6 +377,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -418,6 +413,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -439,6 +442,9 @@ spec: name: metadata-1-2-system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -532,6 +538,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -561,6 +574,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -594,6 +615,9 @@ spec: name: metadata-4-3-system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -657,6 +681,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -686,6 +717,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -703,6 +742,9 @@ spec: name: metadata-2-0-system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -772,6 +814,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -801,6 +850,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -821,6 +878,9 @@ spec: name: metadata-0-3-system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher 
@@ -1034,62 +1094,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-pod-metadata - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -1119,6 +1124,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-pod-metadata + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_retry.yaml b/test_data/compiled-workflows/pipeline_with_retry.yaml index 89ee66bd859..2e9c06a6e72 100644 --- a/test_data/compiled-workflows/pipeline_with_retry.yaml +++ b/test_data/compiled-workflows/pipeline_with_retry.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: test-pipeline- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - test-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
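Review bot: The new annotation `sidecar.istio.io/inject: "false"` is emitted into `podMetadata` unconditionally, so every pod of the compiled workflow stays out of the mesh, and nothing in the fixture ties it to a setting. The driver-plugin args in the following hunk also carry `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. Where an install relies on sidecar mTLS or mesh authorization policies for traffic to ml-pipeline and MLMD, neither layer would then protect it; whether that applies depends on the deployment and is not visible here. I would have the compiler add the annotation only when an option asks for it, and keep one fixture compiled with both TLS flags set to `true` so the secured path is covered. The same annotation is added in the other compiled-workflow fixtures in this diff.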
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: test-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -175,6 +145,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
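Review bot: The three outputs in the first hunk switch from `valueFrom.path` to `valueFrom.jsonPath`, yet the plugin args added below still pass `'{{outputs.parameters.cached-decision.path}}'`, `'{{outputs.parameters.pod-spec-patch.path}}'` and `'{{outputs.parameters.condition.path}}'`. With no `path` left on those outputs, these variables have nothing to refer to and may fail to resolve or come out empty, depending on how Argo validates plugin templates. The DAG-driver template (hunk at -364 in this file) keeps `path: /tmp/outputs/condition` next to the same kind of plugin block, so the two driver templates disagree on how outputs are returned. Either drop `cached_decision_path`, `pod_spec_patch_path` and `condition_path` from the container-driver args, or keep both templates on one mechanism. The matching hunks in the other fixtures have the same mismatch.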
@@ -204,6 +181,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -224,6 +209,9 @@ spec: factor: '{{inputs.parameters.retry-backoff-factor}}' maxDuration: '{{inputs.parameters.retry-backoff-max-duration}}' limit: '{{inputs.parameters.retry-max-count}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -279,62 +267,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - test-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -364,6 +297,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: test-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_reused_component.yaml b/test_data/compiled-workflows/pipeline_with_reused_component.yaml index 2afa871dccb..dfe47459ac1 100644 --- a/test_data/compiled-workflows/pipeline_with_reused_component.yaml +++ b/test_data/compiled-workflows/pipeline_with_reused_component.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-reused-component- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-reused-component - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-reused-component + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -295,62 +283,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-reused-component - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -380,6 +313,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-reused-component + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_secret_as_env.yaml b/test_data/compiled-workflows/pipeline_with_secret_as_env.yaml index 853cb05d268..1310d4e33e9 100644 --- a/test_data/compiled-workflows/pipeline_with_secret_as_env.yaml +++ b/test_data/compiled-workflows/pipeline_with_secret_as_env.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-secret-env- spec: arguments: 
@@ -44,77 +43,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-secret-env - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -132,16 +70,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-secret-env + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -178,6 +148,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -207,6 +184,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -217,6 +202,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -291,62 +279,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-secret-env - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -376,6 +309,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-secret-env + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_secret_as_volume.yaml b/test_data/compiled-workflows/pipeline_with_secret_as_volume.yaml index 52d6c8f6929..6b2361d7c10 100644 --- a/test_data/compiled-workflows/pipeline_with_secret_as_volume.yaml +++ b/test_data/compiled-workflows/pipeline_with_secret_as_volume.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-secret-volume- spec: arguments: 
@@ -32,77 +31,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-secret-volume - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -120,16 +58,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-secret-volume + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -166,6 +136,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -195,6 +172,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -205,6 +190,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -254,62 +242,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-secret-volume - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -339,6 +272,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-secret-volume + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_string_machine_fields_pipeline_input.yaml b/test_data/compiled-workflows/pipeline_with_string_machine_fields_pipeline_input.yaml index 371d6cffef6..9c753a0f3a1 100644 --- a/test_data/compiled-workflows/pipeline_with_string_machine_fields_pipeline_input.yaml +++ b/test_data/compiled-workflows/pipeline_with_string_machine_fields_pipeline_input.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline- spec: arguments: 
@@ -25,77 +24,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -113,16 +51,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -159,6 +129,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
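Review bot: The container-driver outputs now use `valueFrom.jsonPath` (`$.pod-spec-patch`, `$.cached-decision`, `$.condition`), yet the added plugin args still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `'{{outputs.parameters.<name>.path}}'`, a `path` these outputs no longer declare. I can't tell from the hunk whether Argo resolves that variable for a plugin template; if it does not, the plugin would receive the unexpanded template text or an empty string. The DAG-driver template (hunk `@@ -330,6 +263,37 @@` further down) goes the other way and keeps `path: /tmp/outputs/condition` on a template that no longer has a container, so the two driver templates disagree on how results are returned. I would drop the `*_path` args where the result comes back through `jsonPath` and convert the DAG-driver outputs the same way, e.g. `jsonPath: $.condition`. The fix belongs in the compiler that generates this file, and the pattern repeats in the other compiled workflows in this diff.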
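Review bot: The `securityContext` added to the container that uses `gcr.io/ml-pipeline/should-be-overridden-during-runtime` (hunk `@@ -159,6 +129,13 @@`) omits `runAsNonRoot: true`, while the sibling container in the next hunk (`@@ -188,6 +165,14 @@`) sets it. The template-level `securityContext` added in `@@ -198,6 +183,9 @@` carries only `seccompProfile`, so if a template-level context replaces the workflow-level one (which sets `runAsNonRoot: true`), nothing here would require this container to run as a non-root user. That may be deliberate, since the image is replaced at runtime, but it should be stated where the compiler emits it, for example `# runAsNonRoot intentionally unset: user images may run as root; enforce per namespace with Pod Security admission`. The container definition starts outside the hunk, and the same three hunks recur in the other compiled workflows in this diff.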
@@ -188,6 +165,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -198,6 +183,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -245,62 +233,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -330,6 +263,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_string_machine_fields_task_output.yaml b/test_data/compiled-workflows/pipeline_with_string_machine_fields_task_output.yaml index c351bdb1a42..25eb6bd49da 100644 --- a/test_data/compiled-workflows/pipeline_with_string_machine_fields_task_output.yaml +++ b/test_data/compiled-workflows/pipeline_with_string_machine_fields_task_output.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline- spec: arguments: 
@@ -77,77 +76,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -165,16 +103,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -211,6 +181,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -240,6 +217,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -250,6 +235,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -395,62 +383,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -480,6 +413,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_submit_request.yaml b/test_data/compiled-workflows/pipeline_with_submit_request.yaml index d351e3f5a9a..a995fd221ad 100644 --- a/test_data/compiled-workflows/pipeline_with_submit_request.yaml +++ b/test_data/compiled-workflows/pipeline_with_submit_request.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-external-request- spec: arguments: 
@@ -36,77 +35,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-external-request - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -124,16 +62,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-external-request + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -170,6 +140,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -199,6 +176,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -209,6 +194,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -280,62 +268,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-external-request - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -365,6 +298,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-external-request + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_task_final_status.yaml b/test_data/compiled-workflows/pipeline_with_task_final_status.yaml index 70722356510..a7a0cba2f99 100644 --- a/test_data/compiled-workflows/pipeline_with_task_final_status.yaml +++ b/test_data/compiled-workflows/pipeline_with_task_final_status.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-task-final-status- spec: arguments: 
@@ -59,77 +58,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-task-final-status - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -147,16 +85,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-task-final-status + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -193,6 +163,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -222,6 +199,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -232,6 +217,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -336,62 +324,7 @@ spec: metadata: {} name: exit-hook-root-exit-op outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-task-final-status - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -421,6 +354,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-task-final-status + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_task_final_status_yaml.yaml b/test_data/compiled-workflows/pipeline_with_task_final_status_yaml.yaml index cb0a4468173..2a2d31df2bf 100644 --- a/test_data/compiled-workflows/pipeline_with_task_final_status_yaml.yaml +++ b/test_data/compiled-workflows/pipeline_with_task_final_status_yaml.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-task-final-status-yaml- spec: arguments: 
@@ -24,77 +23,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-task-final-status-yaml - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -112,16 +50,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-task-final-status-yaml + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -158,6 +128,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -187,6 +164,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -197,6 +182,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -276,62 +264,7 @@ spec: metadata: {} name: exit-hook-root-exit-op outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-task-final-status-yaml - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -361,6 +294,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-task-final-status-yaml + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_task_using_ignore_upstream_failure.yaml b/test_data/compiled-workflows/pipeline_with_task_using_ignore_upstream_failure.yaml index 5aa545d5e2d..0dfa33e2aa8 100644 --- a/test_data/compiled-workflows/pipeline_with_task_using_ignore_upstream_failure.yaml +++ b/test_data/compiled-workflows/pipeline_with_task_using_ignore_upstream_failure.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: my-pipeline- spec: arguments: 
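Review bot: `metadata_tls_enabled` and `ml_pipeline_tls_enabled` are both pinned to `false` in the args block added by the `-361,6 +294,37` hunk, as they are in every other `driver-plugin` block in this diff, so no expected output in view covers a driver configured to use TLS towards `ml-pipeline` and `metadata-grpc-service`. A golden compiled with both flags set to `true` would catch a regression that silently drops or inverts them. If the values are taken from deployment configuration at compile time, a short comment at the point where the compiler fills these two keys, stating where they come from and that `false` is only the test default, would make that clear to the next reader. The template this hunk extends begins above it.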
@@ -39,77 +38,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - my-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
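Review bot: The added `sidecar.istio.io/inject: "false"` under `podMetadata.annotations` opts every pod of the workflow out of Istio sidecar injection, and nothing in the hunk says why or makes it conditional. Where a deployment relies on the mesh for mTLS or for authorization policies (the multi-user manifests are the likely case), task pods would presumably reach `ml-pipeline` and MLMD outside the mesh, and the plugin args in the same file also set both TLS flags to `false`. I would gate the annotation on a compiler option, or at least document the reason at the point where it is emitted. The same annotation is added in the first hunk of each following compiled workflow in this diff.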
@@ -127,16 +65,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: my-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -173,6 +143,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -202,6 +179,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -212,6 +197,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -298,62 +286,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - my-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -383,6 +316,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: my-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_utils.yaml b/test_data/compiled-workflows/pipeline_with_utils.yaml index 9b39b37abfb..4daffd32e71 100644 --- a/test_data/compiled-workflows/pipeline_with_utils.yaml +++ b/test_data/compiled-workflows/pipeline_with_utils.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-utils- spec: arguments: 
@@ -29,77 +28,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-utils - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -117,16 +55,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-utils + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -163,6 +133,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -192,6 +169,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -202,6 +187,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -249,62 +237,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-utils - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -334,6 +267,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-utils + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_various_io_types.yaml b/test_data/compiled-workflows/pipeline_with_various_io_types.yaml index 65e14abc675..d5cb46ed3ef 100644 --- a/test_data/compiled-workflows/pipeline_with_various_io_types.yaml +++ b/test_data/compiled-workflows/pipeline_with_various_io_types.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-various-types- spec: arguments: 
@@ -20,77 +19,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-various-types - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -108,16 +46,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-various-types + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -154,6 +124,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -183,6 +160,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -193,6 +178,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -265,62 +253,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-various-types - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -350,6 +283,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-various-types + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_volume.yaml b/test_data/compiled-workflows/pipeline_with_volume.yaml index eca1bd84462..fde538ee630 100644 --- a/test_data/compiled-workflows/pipeline_with_volume.yaml +++ b/test_data/compiled-workflows/pipeline_with_volume.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-volume- spec: arguments: 
@@ -73,77 +72,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-volume - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -161,16 +99,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-volume + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -207,6 +177,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -236,6 +213,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -246,6 +231,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -352,62 +340,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-volume - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -437,6 +370,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-volume + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_volume_long_name.yaml b/test_data/compiled-workflows/pipeline_with_volume_long_name.yaml index 3aa856343a9..3a5cd7a444f 100644 --- a/test_data/compiled-workflows/pipeline_with_volume_long_name.yaml +++ b/test_data/compiled-workflows/pipeline_with_volume_long_name.yaml @@ -46,6 +46,7 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" securityContext: 
@@ -54,81 +55,7 @@ spec: type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - here-is-a-pipeline-very-long-name - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - inputs: + - inputs: parameters: - name: component - name: task 
@@ -146,16 +73,44 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: here-is-a-pipeline-very-long-name + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER securityContext: runAsNonRoot: true seccompProfile: 
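Review bot: The three outputs in this hunk switch from `path:` to `jsonPath:`, but the plugin args added below still pass `cached_decision_path`, `condition_path` and `pod_spec_patch_path` as `{{outputs.parameters.<name>.path}}`, a variable that normally exists only for outputs declared with `valueFrom.path`. Either these placeholders no longer resolve or the plugin ignores them; in both cases the args mislead and should be dropped or documented. This matters beyond tidiness because `pod-spec-patch` is applied to the executor pod through the `podSpecPatch` line shown in later hunks on this page, so it should be unambiguous that the plugin's JSON response is the only trusted source of that patch. The same pattern repeats in the container-driver hunks of the no-cache, workspace, if-placeholder and preprocess workflows.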
@@ -314,70 +269,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - here-is-a-pipeline-very-long-name - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -407,6 +299,33 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: here-is-a-pipeline-very-long-name + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' securityContext: runAsNonRoot: true seccompProfile: diff --git a/test_data/compiled-workflows/pipeline_with_volume_no_cache.yaml b/test_data/compiled-workflows/pipeline_with_volume_no_cache.yaml index 125bce359f5..cc22823b17a 100644 --- a/test_data/compiled-workflows/pipeline_with_volume_no_cache.yaml +++ b/test_data/compiled-workflows/pipeline_with_volume_no_cache.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-volume-no-cache- spec: arguments: 
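Review bot: The plugin args in this hunk pin `metadata_tls_enabled: false` and `ml_pipeline_tls_enabled: false`, as does every other `driver-plugin` args block on this page, so no golden here exercises the driver with TLS turned on. With these values the driver presumably talks to `ml-pipeline` and `metadata-grpc-service` in plaintext, which weighs more now that the same commit disables Istio sidecar injection for these pods. Consider adding one compiled-workflow fixture generated with both flags `true`, so that a compiler regression that drops or inverts them is caught.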
@@ -73,77 +72,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-volume-no-cache - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -161,16 +99,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-volume-no-cache + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -207,6 +177,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -236,6 +213,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -246,6 +231,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -352,62 +340,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-volume-no-cache - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
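Review bot: The template-level `securityContext` added in the `@@ -246,6 +231,9 @@` hunk sets only `seccompProfile`, while the workflow-level block added earlier in this file also sets `runAsNonRoot: true`. If Argo lets a template's security context replace the workflow's rather than merge with it, the executor pod loses the non-root requirement. That may be deliberate, since the user container in the `@@ -207,6 +177,13 @@` hunk also omits `runAsNonRoot`, presumably because user images may run as root. If so, the compiler code that builds this template should say it in a comment such as `runAsNonRoot is omitted on purpose: user images may run as root`. The same group of hunks appears in the workspace, if-placeholder and preprocess workflows.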
@@ -437,6 +370,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-volume-no-cache + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pipeline_with_workspace.yaml b/test_data/compiled-workflows/pipeline_with_workspace.yaml index cddb959e4ff..9de15f929b5 100644 --- a/test_data/compiled-workflows/pipeline_with_workspace.yaml +++ b/test_data/compiled-workflows/pipeline_with_workspace.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pipeline-with-workspace- spec: arguments: 
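Review bot: The `securityContext` added at the end of this hunk is a pod-level block on a template that now has `plugin:` instead of `container:`, and nothing visible shows that Argo applies it to a step executed by a plugin. If it does not, the block is inert and reads as hardening that is not there. The driver container removed earlier in this file also carried CPU and memory limits that have no counterpart in the new template, so the driver's effective privileges and limits would come only from the plugin sidecar definition, which these goldens do not assert. A test that checks the sidecar spec for `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and resource limits would close that gap. The same applies to the matching DAG-driver hunks in the other workflows on this page.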
@@ -49,77 +48,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pipeline-with-workspace - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -137,16 +75,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-workspace + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -183,6 +153,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -212,6 +189,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -222,6 +207,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -294,62 +282,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pipeline-with-workspace - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -379,6 +312,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pipeline-with-workspace + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -406,7 +370,6 @@ spec: outputs: {} volumeClaimTemplates: - metadata: - creationTimestamp: null name: kfp-workspace spec: accessModes: diff --git a/test_data/compiled-workflows/placeholder_with_if_placeholder_none_input_value.yaml b/test_data/compiled-workflows/placeholder_with_if_placeholder_none_input_value.yaml index e9d496fc9f4..4dc78bad584 100644 --- a/test_data/compiled-workflows/placeholder_with_if_placeholder_none_input_value.yaml +++ b/test_data/compiled-workflows/placeholder_with_if_placeholder_none_input_value.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: one-step-pipeline-with-if-placeholder-supply-none- spec: arguments: 
@@ -19,77 +18,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - one-step-pipeline-with-if-placeholder-supply-none - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -107,16 +45,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: one-step-pipeline-with-if-placeholder-supply-none + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -153,6 +123,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -182,6 +159,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -192,6 +177,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -239,62 +227,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - one-step-pipeline-with-if-placeholder-supply-none - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -324,6 +257,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: one-step-pipeline-with-if-placeholder-supply-none + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/preprocess.yaml b/test_data/compiled-workflows/preprocess.yaml index 10fca853dc5..a624bc5a52b 100644 --- a/test_data/compiled-workflows/preprocess.yaml +++ b/test_data/compiled-workflows/preprocess.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: preprocess- spec: arguments: 
@@ -47,77 +46,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - preprocess - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -135,16 +73,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: preprocess + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -181,6 +151,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -210,6 +187,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -220,6 +205,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -267,62 +255,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - preprocess - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -352,6 +285,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: preprocess + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/producer_consumer_param_pipeline.yaml b/test_data/compiled-workflows/producer_consumer_param_pipeline.yaml index 259ffa29b40..ba7198fb3b5 100644 --- a/test_data/compiled-workflows/producer_consumer_param_pipeline.yaml +++ b/test_data/compiled-workflows/producer_consumer_param_pipeline.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: producer-consumer-param-pipeline- spec: arguments: 
@@ -23,77 +22,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - producer-consumer-param-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
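Review bot: The `sidecar.istio.io/inject: "false"` annotation added under `podMetadata` opts the workflow's pods out of mesh sidecar injection, and the `driver-plugin` args in the following hunks hard-code `ml_pipeline_tls_enabled: false` and `metadata_tls_enabled: false`. If a deployment relies on Istio for mTLS or authorization policy toward `ml-pipeline.kubeflow.svc.cluster.local` and `metadata-grpc-service.kubeflow.svc.cluster.local`, traffic from these pods may then be covered by neither layer, so it is worth confirming the annotation is a deliberate default and documenting the reason where the compiler sets it. None of the golden files in this part of the diff shows the TLS-enabled variant; a compiled fixture with both flags `true` would pin that path. The same annotation and args repeat in the other workflows below.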
@@ -111,16 +49,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: producer-consumer-param-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -157,6 +127,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -186,6 +163,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -196,6 +181,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -268,62 +256,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - producer-consumer-param-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -353,6 +286,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: producer-consumer-param-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pvc_mount.yaml b/test_data/compiled-workflows/pvc_mount.yaml index bcede40b7c5..f1c50f405d7 100644 --- a/test_data/compiled-workflows/pvc_mount.yaml +++ b/test_data/compiled-workflows/pvc_mount.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pvc-mount-pipeline- spec: arguments: 
@@ -43,77 +42,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pvc-mount-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -131,16 +69,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pvc-mount-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -177,6 +147,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -206,6 +183,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -216,6 +201,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -292,62 +280,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pvc-mount-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -377,6 +310,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pvc-mount-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pythonic_artifact_with_single_return.yaml b/test_data/compiled-workflows/pythonic_artifact_with_single_return.yaml index cac8dd85918..973a7b219e4 100644 --- a/test_data/compiled-workflows/pythonic_artifact_with_single_return.yaml +++ b/test_data/compiled-workflows/pythonic_artifact_with_single_return.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: make-language-model-pipeline- spec: arguments: 
@@ -36,8 +35,13 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - container: @@ -88,6 +92,14 @@ spec: requests: cpu: 100m memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault inputs: parameters: - name: task 
@@ -97,73 +109,11 @@ spec: metadata: {} name: system-importer outputs: {} - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - make-language-model-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - inputs: parameters: - name: component - name: task 
@@ -181,16 +131,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: make-language-model-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -227,6 +209,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -256,6 +245,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -266,6 +263,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -326,62 +326,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - make-language-model-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -411,6 +356,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: make-language-model-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pythonic_artifacts_test_pipeline.yaml b/test_data/compiled-workflows/pythonic_artifacts_test_pipeline.yaml index cfdd6da2967..757bff26884 100644 --- a/test_data/compiled-workflows/pythonic_artifacts_test_pipeline.yaml +++ b/test_data/compiled-workflows/pythonic_artifacts_test_pipeline.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: pythonic-artifacts-test- spec: arguments: 
@@ -44,77 +43,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - pythonic-artifacts-test - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -132,16 +70,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pythonic-artifacts-test + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -178,6 +148,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -207,6 +184,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -217,6 +202,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -289,62 +277,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - pythonic-artifacts-test - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -374,6 +307,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: pythonic-artifacts-test + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/pythonic_artifacts_with_list_of_artifacts.yaml b/test_data/compiled-workflows/pythonic_artifacts_with_list_of_artifacts.yaml index 2411f1687dc..ac6a7e4c29c 100644 --- a/test_data/compiled-workflows/pythonic_artifacts_with_list_of_artifacts.yaml +++ b/test_data/compiled-workflows/pythonic_artifacts_with_list_of_artifacts.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: make-and-join-datasets- spec: arguments: 
@@ -45,77 +44,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - make-and-join-datasets - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -133,16 +71,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: make-and-join-datasets + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -179,6 +149,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
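Review bot: In the container-driver template the three outputs switch from `path: /tmp/outputs/...` to `jsonPath: $....`, but the added plugin args still pass `cached_decision_path`, `pod_spec_patch_path` and `condition_path` as `'{{outputs.parameters.<name>.path}}'`. With no `path` left on those outputs these references may have nothing to resolve to, so the plugin could receive the literal template string. The DAG-driver template later in this file keeps `path: /tmp/outputs/condition`, so the two drivers are now inconsistent. If results come back through `jsonPath`, the `*_path` args look unnecessary and could be dropped from the compiler output; otherwise the outputs should keep a `path`. The same pattern appears in the corresponding hunk of the other workflow files here, and the template begins before this hunk.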
@@ -208,6 +185,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -218,6 +203,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -265,62 +253,7 @@ spec: metadata: {} name: comp-for-loop-1 outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - make-and-join-datasets - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
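Review bot: The template-level `securityContext` added after `podSpecPatch` on `system-container-impl` carries only `seccompProfile`, while the workflow-level one added in this file sets `runAsNonRoot: true`, and the run_as_user_* fixtures also set `runAsUser: 1001` there. If Argo applies a template's pod security context in place of the workflow's rather than merging them, the executor pod drops the non-root and UID settings. The container with the `should-be-overridden-during-runtime` image gets no container-level `runAsNonRoot` either, unlike the container in the hunk just before this one. If relaxing `runAsNonRoot` for user images is intended, the template block should still carry `runAsUser` when the pipeline sets it; otherwise add `runAsNonRoot: true` beside `seccompProfile` here. The same block is added in the other workflow files of this diff; the template starts and ends outside the hunk, and the change belongs in the compiler that generates these files.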
@@ -350,6 +283,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: make-and-join-datasets + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -362,6 +326,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--texts":{"componentInputParameter":"texts"}}},"parameterIterator":{"itemInput":"pipelinechannel--texts-loop-item","items":{"inputParameter":"pipelinechannel--texts"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-item-driver template: system-dag-driver - arguments: 
@@ -390,6 +356,8 @@ spec: value: '{{inputs.parameters.parent-dag-id}}' - name: task value: '{"componentRef":{"name":"comp-for-loop-1"},"inputs":{"parameters":{"pipelinechannel--texts":{"componentInputParameter":"texts"}}},"parameterIterator":{"itemInput":"pipelinechannel--texts-loop-item","items":{"inputParameter":"pipelinechannel--texts"}},"taskInfo":{"name":"for-loop-1"}}' + - name: task-name + value: for-loop-1 name: iteration-driver template: system-dag-driver - arguments: diff --git a/test_data/compiled-workflows/pythonic_artifacts_with_multiple_returns.yaml b/test_data/compiled-workflows/pythonic_artifacts_with_multiple_returns.yaml index dddec14a6f0..9a46c8aa408 100644 --- a/test_data/compiled-workflows/pythonic_artifacts_with_multiple_returns.yaml +++ b/test_data/compiled-workflows/pythonic_artifacts_with_multiple_returns.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: split-datasets-and-return-first- spec: arguments: 
@@ -50,77 +49,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - split-datasets-and-return-first - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -138,16 +76,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: split-datasets-and-return-first + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -184,6 +154,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -213,6 +190,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -223,6 +208,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -270,62 +258,7 @@ spec: metadata: {} name: comp-splitter-pipeline outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - split-datasets-and-return-first - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -355,6 +288,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: split-datasets-and-return-first + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/ray_integration_compiled.yaml b/test_data/compiled-workflows/ray_integration_compiled.yaml index 5d7195424bd..4f5e0df8877 100644 --- a/test_data/compiled-workflows/ray_integration_compiled.yaml +++ b/test_data/compiled-workflows/ray_integration_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: ray-integration-test- spec: arguments: 
@@ -90,77 +89,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - ray-integration-test - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -178,16 +116,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: ray-integration-test + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -224,6 +194,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -253,6 +230,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -263,6 +248,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -310,62 +298,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - ray-integration-test - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -395,6 +328,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: ray-integration-test + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/run_as_user_cache_disabled.yaml b/test_data/compiled-workflows/run_as_user_cache_disabled.yaml index 4af364a3391..3631b46bb1c 100644 --- a/test_data/compiled-workflows/run_as_user_cache_disabled.yaml +++ b/test_data/compiled-workflows/run_as_user_cache_disabled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo- spec: arguments: 
@@ -16,83 +15,17 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" securityContext: + runAsNonRoot: true runAsUser: 1001 seccompProfile: type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --log_level - - "3" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -110,16 +43,49 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + log_level: "3" + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -156,6 +122,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -187,6 +160,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -197,6 +178,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -244,64 +228,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --log_level - - "3" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -331,6 +258,38 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + log_level: "3" + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/run_as_user_cache_enabled.yaml b/test_data/compiled-workflows/run_as_user_cache_enabled.yaml index 4af364a3391..3631b46bb1c 100644 --- a/test_data/compiled-workflows/run_as_user_cache_enabled.yaml +++ b/test_data/compiled-workflows/run_as_user_cache_enabled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: echo- spec: arguments: 
@@ -16,83 +15,17 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" securityContext: + runAsNonRoot: true runAsUser: 1001 seccompProfile: type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --log_level - - "3" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -110,16 +43,49 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + log_level: "3" + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -156,6 +122,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -187,6 +160,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -197,6 +178,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -244,64 +228,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - echo - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - - --log_level - - "3" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -331,6 +258,38 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + log_level: "3" + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: echo + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/sequential_v1.yaml b/test_data/compiled-workflows/sequential_v1.yaml index ea01855af8c..564d71d6b98 100644 --- a/test_data/compiled-workflows/sequential_v1.yaml +++ b/test_data/compiled-workflows/sequential_v1.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: sequential- spec: arguments: 
@@ -16,77 +15,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - sequential - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -104,16 +42,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: sequential + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -150,6 +120,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -179,6 +156,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -189,6 +174,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -260,62 +248,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - sequential - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
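Review bot: The template-level `securityContext` added in `@@ -189,6 +174,9 @@` sets only `seccompProfile`, while the workflow-level block added in `@@ -16,77 +15,16 @@` of this file also sets `runAsNonRoot: true`. As far as I know Argo applies a template's pod `securityContext` in place of the workflow-level one rather than merging the two, so pods of `system-container-impl` would lose the pod-level `runAsNonRoot`; the main container in `@@ -150,6 +120,13 @@` does not set it either, and only the container in `@@ -179,6 +156,14 @@` does. If that is deliberate because user images may run as root, say so in a comment in the compiler; otherwise add `runAsNonRoot: true` to the template-level block. The `podSpecPatch: '{{inputs.parameters.pod-spec-patch}}'` line beside it is applied on top of these settings, so it is worth confirming the driver-produced patch cannot relax them. The same three hunks recur in every compiled workflow in this diff.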
@@ -345,6 +278,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: sequential + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/sequential_v2.yaml b/test_data/compiled-workflows/sequential_v2.yaml index 9e4c0acce3a..55cb33a69f8 100644 --- a/test_data/compiled-workflows/sequential_v2.yaml +++ b/test_data/compiled-workflows/sequential_v2.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: sequential- spec: arguments: 
@@ -20,77 +19,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - sequential - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -108,16 +46,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: sequential + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -154,6 +124,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -183,6 +160,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -193,6 +178,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -265,62 +253,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - sequential - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -350,6 +283,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: sequential + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/take_nap_compiled.yaml b/test_data/compiled-workflows/take_nap_compiled.yaml index f83a8ee3edf..20374ab81c1 100644 --- a/test_data/compiled-workflows/take_nap_compiled.yaml +++ b/test_data/compiled-workflows/take_nap_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: take-nap-pipeline- spec: arguments: 
@@ -41,77 +40,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - take-nap-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -129,16 +67,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: take-nap-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -175,6 +145,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -204,6 +181,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -214,6 +199,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -286,62 +274,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - take-nap-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -371,6 +304,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: take-nap-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/take_nap_pipeline_root_compiled.yaml b/test_data/compiled-workflows/take_nap_pipeline_root_compiled.yaml index f83a8ee3edf..20374ab81c1 100644 --- a/test_data/compiled-workflows/take_nap_pipeline_root_compiled.yaml +++ b/test_data/compiled-workflows/take_nap_pipeline_root_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: take-nap-pipeline- spec: arguments: 
@@ -41,77 +40,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - take-nap-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -129,16 +67,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: take-nap-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -175,6 +145,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -204,6 +181,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -214,6 +199,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -286,62 +274,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - take-nap-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -371,6 +304,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: take-nap-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/two_step_pipeline.yaml b/test_data/compiled-workflows/two_step_pipeline.yaml index 10cbeeb1180..f5fa6c6a735 100644 --- a/test_data/compiled-workflows/two_step_pipeline.yaml +++ b/test_data/compiled-workflows/two_step_pipeline.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: simple-two-step-pipeline- spec: arguments: 
@@ -21,77 +20,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - simple-two-step-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -109,16 +47,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: simple-two-step-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -155,6 +125,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
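Review bot: The plugin args in hunk -109,16 +47,48 still pass `cached_decision_path: '{{outputs.parameters.cached-decision.path}}'`, `pod_spec_patch_path` and `condition_path`, although the same hunk changes those three outputs from `path:` to `jsonPath:`, so the outputs no longer declare a path for the placeholders to resolve to. The DAG-driver template later in this file (hunk -351,6 +284,37) goes the other way: it becomes a plugin but keeps `path: /tmp/outputs/condition`. Unless the plugin relies on these values in a way not visible here, drop the three `*_path` args from the container-driver plugin and move the DAG-driver outputs to `jsonPath` as well. This file is compiler output, so the change belongs in the compiler; the same pattern repeats in the two_step_pipeline_containerized, upload_download_compiled and xgboost_sample_pipeline hunks.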
@@ -184,6 +161,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -194,6 +179,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -266,62 +254,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - simple-two-step-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
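Review bot: The template-level `securityContext` added for `system-container-impl` (hunk -194,6 +179,9) sets only `seccompProfile`, and the user container's context in hunk -155,6 +125,13 omits `runAsNonRoot`, unlike the sibling container in hunk -184,6 +161,14. If Argo applies a template's pod security context in place of the workflow-level one rather than merging the two (worth confirming against the Argo version in use), the `runAsNonRoot: true` added under `spec.securityContext` no longer covers the pod that runs the user image. If that is deliberate because user images may run as root, the compiler that emits this golden file should carry a comment saying so; otherwise add `runAsNonRoot: true` to the template-level block. The same three hunks recur in the two_step_pipeline_containerized, upload_download_compiled and xgboost_sample_pipeline files.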
@@ -351,6 +284,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: simple-two-step-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/two_step_pipeline_containerized.yaml b/test_data/compiled-workflows/two_step_pipeline_containerized.yaml index dd9cd00470b..04bd2608f1f 100644 --- a/test_data/compiled-workflows/two_step_pipeline_containerized.yaml +++ b/test_data/compiled-workflows/two_step_pipeline_containerized.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: containerized-two-step-pipeline- spec: arguments: 
@@ -22,77 +21,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - containerized-two-step-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -110,16 +48,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: containerized-two-step-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -156,6 +126,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -185,6 +162,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -195,6 +180,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -267,62 +255,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - containerized-two-step-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -352,6 +285,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: containerized-two-step-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/upload_download_compiled.yaml b/test_data/compiled-workflows/upload_download_compiled.yaml index 2f60d9239ac..faee48c16a0 100644 --- a/test_data/compiled-workflows/upload_download_compiled.yaml +++ b/test_data/compiled-workflows/upload_download_compiled.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: test-data-passing-pipeline-1- spec: arguments: 
@@ -80,77 +79,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - test-data-passing-pipeline-1 - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -168,16 +106,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: test-data-passing-pipeline-1 + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -214,6 +184,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -243,6 +220,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -253,6 +238,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -350,62 +338,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - test-data-passing-pipeline-1 - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -435,6 +368,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: test-data-passing-pipeline-1 + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/compiled-workflows/xgboost_sample_pipeline.yaml b/test_data/compiled-workflows/xgboost_sample_pipeline.yaml index 44760145680..b4fe9086b0f 100644 --- a/test_data/compiled-workflows/xgboost_sample_pipeline.yaml +++ b/test_data/compiled-workflows/xgboost_sample_pipeline.yaml @@ -1,7 +1,6 @@ apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: - creationTimestamp: null generateName: xgboost-sample-pipeline- spec: arguments: 
@@ -284,77 +283,16 @@ spec: podMetadata: annotations: pipelines.kubeflow.org/v2_component: "true" + sidecar.istio.io/inject: "false" labels: pipelines.kubeflow.org/v2_component: "true" + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: pipeline-runner templates: - - container: - args: - - --type - - CONTAINER - - --pipeline_name - - xgboost-sample-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --container - - '{{inputs.parameters.container}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --cached_decision_path - - '{{outputs.parameters.cached-decision.path}}' - - --pod_spec_patch_path - - '{{outputs.parameters.pod-spec-patch.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --kubernetes_config - - '{{inputs.parameters.kubernetes-config}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - env: - - name: KFP_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KFP_POD_UID - valueFrom: - fieldRef: - fieldPath: metadata.uid - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - name: task 
@@ -372,16 +310,48 @@ spec: - name: pod-spec-patch valueFrom: default: "" - path: /tmp/outputs/pod-spec-patch + jsonPath: $.pod-spec-patch - default: "false" name: cached-decision valueFrom: default: "false" - path: /tmp/outputs/cached-decision + jsonPath: $.cached-decision - name: condition valueFrom: default: "true" - path: /tmp/outputs/condition + jsonPath: $.condition + plugin: + driver-plugin: + args: + cache_disabled: false + cached_decision_path: '{{outputs.parameters.cached-decision.path}}' + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + container: '{{inputs.parameters.container}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + http_proxy: "" + https_proxy: "" + iteration_index: '{{inputs.parameters.iteration-index}}' + kubernetes_config: '{{inputs.parameters.kubernetes-config}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: xgboost-sample-pipeline + pod_spec_patch_path: '{{outputs.parameters.pod-spec-patch.path}}' + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: CONTAINER + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: @@ -418,6 +388,13 @@ spec: image: gcr.io/ml-pipeline/should-be-overridden-during-runtime name: "" resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher 
@@ -447,6 +424,14 @@ spec: memory: 128Mi requests: cpu: 100m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /kfp-launcher name: kfp-launcher @@ -457,6 +442,9 @@ spec: name: system-container-impl outputs: {} podSpecPatch: '{{inputs.parameters.pod-spec-patch}}' + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - emptyDir: {} name: kfp-launcher @@ -680,62 +668,7 @@ spec: metadata: {} name: root outputs: {} - - container: - args: - - --type - - '{{inputs.parameters.driver-type}}' - - --pipeline_name - - xgboost-sample-pipeline - - --run_id - - '{{workflow.uid}}' - - --run_name - - '{{workflow.name}}' - - --run_display_name - - "" - - --dag_execution_id - - '{{inputs.parameters.parent-dag-id}}' - - --component - - '{{inputs.parameters.component}}' - - --task - - '{{inputs.parameters.task}}' - - --task_name - - '{{inputs.parameters.task-name}}' - - --runtime_config - - '{{inputs.parameters.runtime-config}}' - - --iteration_index - - '{{inputs.parameters.iteration-index}}' - - --execution_id_path - - '{{outputs.parameters.execution-id.path}}' - - --iteration_count_path - - '{{outputs.parameters.iteration-count.path}}' - - --condition_path - - '{{outputs.parameters.condition.path}}' - - --http_proxy - - "" - - --https_proxy - - "" - - --no_proxy - - "" - - --ml_pipeline_server_address - - ml-pipeline.kubeflow.svc.cluster.local - - --ml_pipeline_server_port - - "8887" - - --mlmd_server_address - - metadata-grpc-service.kubeflow.svc.cluster.local - - --mlmd_server_port - - "8080" - command: - - driver - image: ghcr.io/kubeflow/kfp-driver:latest - name: "" - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 100m - memory: 64Mi - inputs: + - inputs: parameters: - name: component - default: "" 
@@ -765,6 +698,37 @@ spec: valueFrom: default: "true" path: /tmp/outputs/condition + plugin: + driver-plugin: + args: + cache_disabled: false + component: '{{inputs.parameters.component}}' + condition_path: '{{outputs.parameters.condition.path}}' + dag_execution_id: '{{inputs.parameters.parent-dag-id}}' + execution_id_path: '{{outputs.parameters.execution-id.path}}' + http_proxy: "" + https_proxy: "" + iteration_count_path: '{{outputs.parameters.iteration-count.path}}' + iteration_index: '{{inputs.parameters.iteration-index}}' + metadata_tls_enabled: false + ml_pipeline_server_address: ml-pipeline.kubeflow.svc.cluster.local + ml_pipeline_server_port: "8887" + ml_pipeline_tls_enabled: false + mlmd_server_address: metadata-grpc-service.kubeflow.svc.cluster.local + mlmd_server_port: "8080" + no_proxy: "" + pipeline_name: xgboost-sample-pipeline + run_display_name: "" + run_id: '{{workflow.uid}}' + run_name: '{{workflow.name}}' + runtime_config: '{{inputs.parameters.runtime-config}}' + task: '{{inputs.parameters.task}}' + task_name: '{{inputs.parameters.task-name}}' + type: '{{inputs.parameters.driver-type}}' + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - dag: tasks: - arguments: diff --git a/test_data/kubernetes/seaweedfs/kubeflow-edit-clusterrole.yaml b/test_data/kubernetes/seaweedfs/kubeflow-edit-clusterrole.yaml index bdf84eb8391..b27a925bf69 100644 --- a/test_data/kubernetes/seaweedfs/kubeflow-edit-clusterrole.yaml +++ b/test_data/kubernetes/seaweedfs/kubeflow-edit-clusterrole.yaml @@ -44,3 +44,6 @@ rules: - update - patch - delete +- apiGroups: ["argoproj.io"] + resources: ["workflowtasksets/status", "workflowtasksets"] + verbs: ["get","list","watch","update","patch","delete","create"]
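Review bot: The rule added to kubeflow-edit-clusterrole.yaml grants every write verb, including `create` and `delete`, on both `workflowtasksets` and `workflowtasksets/status` to every subject bound to this edit role, which is broader than reporting plugin results appears to need. The compiled workflows in this change read driver outputs such as `pod-spec-patch` from the plugin result, so write access to the status subresource presumably becomes a trust boundary and should be held only by the agent's identity. Argo's documented agent permissions are `list`/`watch` on `workflowtasksets` and `patch` on `workflowtasksets/status`; if nothing else in this change needs more, split the rule as below. The rest of the role lies outside the hunk, so whether other bound subjects need further verbs cannot be told from here.

```yaml
- apiGroups: ["argoproj.io"]
  resources: ["workflowtasksets"]
  verbs: ["list", "watch"]
- apiGroups: ["argoproj.io"]
  resources: ["workflowtasksets/status"]
  verbs: ["patch"]
```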