From 580147a572cd549f8d92f2a81a9db2a05fbd0b6e Mon Sep 17 00:00:00 2001
From: biswassri
Date: Sat, 14 Dec 2024 21:02:59 -0500
Subject: [PATCH] Updating server,ui,visualization,veiwercrd deployment yaml
Signed-off-by: biswassri
---
 .../pipeline/ml-pipeline-apiserver-deployment.yaml | 10 ++++++++++
 .../base/pipeline/ml-pipeline-ui-deployment.yaml | 10 ++++++++++
 .../pipeline/ml-pipeline-viewer-crd-deployment.yaml | 10 ++++++++++
 .../pipeline/ml-pipeline-visualization-deployment.yaml | 10 ++++++++++
 4 files changed, 40 insertions(+)
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
index cd80133596f..244d9e07b10 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-apiserver-deployment.yaml
@@ -156,6 +156,16 @@ spec:
 failureThreshold: 12
 periodSeconds: 5
 timeoutSeconds: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 resources:
 requests:
 cpu: 250m
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
index adfcfc9f928..be27565c94b 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-ui-deployment.yaml
@@ -29,6 +29,16 @@ spec:
 - name: config-volume
 mountPath: /etc/config
 readOnly: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 env:
 - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
 value: /etc/config/viewer-pod-template.json
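Review bot: `runAsGroup: 0` in the apiserver hunk makes the root group the container's primary GID, which partly undoes `runAsNonRoot: true`: any file in the image or on a mounted volume that is group-readable or group-writable for GID 0 stays reachable by UID 1000. The same line is added in the ui, viewer-crd and visualization hunks. If GID 0 is deliberate (for example because the images rely on root-group file permissions, which cannot be seen here), record that next to the field with a comment such as `# GID 0 required: image files are group-owned by root`; otherwise a non-zero group, e.g. `runAsGroup: 1000`, is the safer default if the images tolerate it. The block also leaves `readOnlyRootFilesystem` unset, so consider adding `readOnlyRootFilesystem: true` for the containers that only write to mounted volumes.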
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml
index 9e101b9f6c4..fba7ec62e79 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml
@@ -26,4 +26,14 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: ml-pipeline-viewer-crd-service-account
diff --git a/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml b/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml
index b6d1e1184e6..095c74dc4de 100644
--- a/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml
+++ b/manifests/kustomize/base/pipeline/ml-pipeline-visualization-deployment.yaml
@@ -46,6 +46,16 @@ spec:
 initialDelaySeconds: 3
 periodSeconds: 5
 timeoutSeconds: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
 resources:
 requests:
 cpu: 30m
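Review bot: Confirm that the `securityContext` added in the viewer-crd hunk is nested under the container entry and not under the pod `spec`; it sits directly above the pod-level `serviceAccountName`, and the indentation is not visible on this page. `allowPrivilegeEscalation` and `capabilities` exist only in the container-level securityContext, so at pod level they would be rejected or dropped depending on API field validation, leaving the container without those two restrictions. The container definition starts above the hunk, so the nesting cannot be checked from the lines shown. A short comment such as `# container-level: allowPrivilegeEscalation/capabilities are not valid in the pod securityContext` would keep later edits from moving the block.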