feat: Add security contexts to controller managers (#2759)

kunal-511 · juliusvonkohout · web-flow · commit 58ff1b79eb93 · 2025-08-06T14:10:54.000Z
* Add security contexts to controller managers

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;

* Fix indentation

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;

* Update label

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;

* Update manager.yaml

Signed-off-by: Julius von Kohout &lt;45896133+juliusvonkohout@users.noreply.github.com&gt;

* Update jobset_security_context.yaml

Signed-off-by: Julius von Kohout &lt;45896133+juliusvonkohout@users.noreply.github.com&gt;

* Updated helm charts for the jobset security context

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;

* Removed already there in upstream

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;

* add security context to helm charts

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;

---------

Signed-off-by: kunal-511 &lt;yoyokvunal@gmail.com&gt;
Signed-off-by: Julius von Kohout &lt;45896133+juliusvonkohout@users.noreply.github.com&gt;
Co-authored-by: Julius von Kohout &lt;45896133+juliusvonkohout@users.noreply.github.com&gt;
diff --git a/charts/kubeflow-trainer/values.yaml b/charts/kubeflow-trainer/values.yaml
@@ -92,16 +92,14 @@ manager:
     #   memory: 300Mi
 
   # -- Security context for manager containers.
-  securityContext: {}
-    # readOnlyRootFilesystem: true
-    # privileged: false
-    # allowPrivilegeEscalation: false
-    # runAsNonRoot: true
-    # capabilities:
-    #   drop:
-    #   - ALL
-    # seccompProfile:
-    #   type: RuntimeDefault
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    capabilities:
+      drop:
+      - ALL
+    seccompProfile:
+      type: RuntimeDefault
 
 webhook:
   # -- Specifies how unrecognized errors are handled.
diff --git a/manifests/base/manager/manager.yaml b/manifests/base/manager/manager.yaml
@@ -23,6 +23,14 @@ spec:
       containers:
         - name: manager
           image: ghcr.io/kubeflow/trainer/trainer-controller-manager
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert
