
Commit 6794338

authored
fix: Bytewax materializer security context (#3573)
* fix: Bytewax materializer security context Signed-off-by: adamschmidt <[email protected]> * fix: lint Signed-off-by: adamschmidt <[email protected]> * chore: docs Signed-off-by: adamschmidt <[email protected]> --------- Signed-off-by: adamschmidt <[email protected]>
1 parent 67acc01 commit 6794338


2 files changed

+25
-10
lines changed


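--- a/docs/reference/batch-materialization/bytewax.md
+++ b/docs/reference/batch-materialization/bytewax.md
@@ -58,6 +58,7 @@ batch_engine:
 image_pull_secrets:
 - my_container_secret
 service_account_name: my-k8s-service-account
+include_security_context_capabilities: false
 annotations:
 # example annotation you might include if running on AWS EKS
 iam.amazonaws.com/role: arn:aws:iam::<account number>:role/MyBytewaxPlatformRole
@@ -73,8 +74,9 @@ batch_engine:
 **Notes:**
 
 * The `namespace` configuration directive specifies which Kubernetes [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) jobs, services and configuration maps will be created in.
-* The `image_pull_secrets` configuration directive specifies the pre-configured secret to use when pulling the image container from your registry
-* The `service_account_name` specifies which Kubernetes service account to run the job under
+* The `image_pull_secrets` configuration directive specifies the pre-configured secret to use when pulling the image container from your registry.
+* The `service_account_name` specifies which Kubernetes service account to run the job under.
+* The `include_security_context_capabilities` flag indicates whether or not `"add": ["NET_BIND_SERVICE"]` and `"drop": ["ALL"]` are included in the job & pod security context capabilities.
 * `annotations` allows you to include additional Kubernetes annotations to the job. This is particularly useful for IAM roles which grant the running pod access to cloud platform resources (for example).
 * The `resources` configuration directive sets the standard Kubernetes [resource requests](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the job containers to utilise when materializing data.
 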
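--- a/sdk/python/feast/infra/materialization/contrib/bytewax/bytewax_materialization_engine.py
+++ b/sdk/python/feast/infra/materialization/contrib/bytewax/bytewax_materialization_engine.py
@@ -58,6 +58,9 @@ class BytewaxMaterializationEngineConfig(FeastConfigBaseModel):
 annotations: dict = {}
 """ (optional) Annotations to apply to the job container. Useful for linking the service account to IAM roles, operational metadata, etc """
 
+include_security_context_capabilities: bool = True
+""" (optional) Include security context capabilities in the init and job container spec """
+
 
 class BytewaxMaterializationEngine(BatchMaterializationEngine):
 def __init__(
@@ -198,6 +201,9 @@ def _create_configuration_map(self, job_id, paths, feature_view, namespace):
 "apiVersion": "v1",
 "metadata": {
 "name": f"feast-{job_id}",
+"labels": {
+"feast-bytewax-materializer": "configmap",
+},
 },
 "data": {
 "feature_store.yaml": feature_store_configuration,
@@ -247,12 +253,22 @@ def _create_job_definition(self, job_id, namespace, pods, env):
 # Add any Feast configured environment variables
 job_env.extend(env)
 
+securityContextCapabilities = None
+if self.batch_engine_config.include_security_context_capabilities:
+securityContextCapabilities = {
+"add": ["NET_BIND_SERVICE"],
+"drop": ["ALL"],
+}
+
 job_definition = {
 "apiVersion": "batch/v1",
 "kind": "Job",
 "metadata": {
 "name": f"dataflow-{job_id}",
 "namespace": namespace,
+"labels": {
+"feast-bytewax-materializer": "job",
+},
 },
 "spec": {
 "ttlSecondsAfterFinished": 3600,
@@ -262,6 +278,9 @@ def _create_job_definition(self, job_id, namespace, pods, env):
 "template": {
 "metadata": {
 "annotations": self.batch_engine_config.annotations,
+"labels": {
+"feast-bytewax-materializer": "pod",
+},
 },
 "spec": {
 "restartPolicy": "Never",
@@ -282,10 +301,7 @@ def _create_job_definition(self, job_id, namespace, pods, env):
 "resources": {},
 "securityContext": {
 "allowPrivilegeEscalation": False,
-"capabilities": {
-"add": ["NET_BIND_SERVICE"],
-"drop": ["ALL"],
-},
+"capabilities": securityContextCapabilities,
 "readOnlyRootFilesystem": True,
 },
 "terminationMessagePath": "/dev/termination-log",
@@ -320,10 +336,7 @@ def _create_job_definition(self, job_id, namespace, pods, env):
 "resources": self.batch_engine_config.resources,
 "securityContext": {
 "allowPrivilegeEscalation": False,
-"capabilities": {
-"add": ["NET_BIND_SERVICE"],
-"drop": ["ALL"],
-},
+"capabilities": securityContextCapabilities,
 "readOnlyRootFilesystem": False,
 },
 "terminationMessagePath": "/dev/termination-log",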
