chore(jupyterhub): set pod security standards

Masaki Yatsu
2025-11-23 14:59:25 +09:00
parent 2f6e9dcba8
commit b2bc03013c
2 changed files with 30 additions and 16 deletions


@@ -73,6 +73,14 @@ hub:
with open('/srv/jupyterhub/pre_spawn_hook.py', 'r') as f: with open('/srv/jupyterhub/pre_spawn_hook.py', 'r') as f:
exec(f.read()) exec(f.read())
configure-security-context: |
# Configure container security context for restricted Pod Security Standard
c.KubeSpawner.container_security_context = {
'capabilities': {
'drop': ['ALL']
}
}
{{- if eq .Env.JUPYTERHUB_VAULT_INTEGRATION_ENABLED "true" }} {{- if eq .Env.JUPYTERHUB_VAULT_INTEGRATION_ENABLED "true" }}
# Vault token renewal sidecar configuration # Vault token renewal sidecar configuration
extraVolumes: extraVolumes:
@@ -155,6 +163,21 @@ proxy:
type: ClusterIP type: ClusterIP
singleuser: singleuser:
# Disable block-cloud-metadata sidecar for restricted Pod Security Standard compliance
# Not needed in self-hosted environments without cloud metadata services
cloudMetadata:
blockWithIptables: false
# Pod Security Standard (restricted) compliance
allowPrivilegeEscalation: false
# Additional security context via extraPodConfig
extraPodConfig:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
storage: storage:
{{ if env.Getenv "PVC_NAME" -}} {{ if env.Getenv "PVC_NAME" -}}
type: static type: static
@@ -180,6 +203,10 @@ singleuser:
{{- if eq .Env.JUPYTERHUB_GPU_ENABLED "true" }} {{- if eq .Env.JUPYTERHUB_GPU_ENABLED "true" }}
extraPodConfig: extraPodConfig:
runtimeClassName: nvidia runtimeClassName: nvidia
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
extraResource: extraResource:
limits: limits:
nvidia.com/gpu: "{{ .Env.JUPYTERHUB_GPU_LIMIT }}" nvidia.com/gpu: "{{ .Env.JUPYTERHUB_GPU_LIMIT }}"
@@ -206,7 +233,6 @@ singleuser:
- name: airflow-dags - name: airflow-dags
persistentVolumeClaim: persistentVolumeClaim:
claimName: airflow-dags-pvc claimName: airflow-dags-pvc
optional: true # Don't fail if PVC doesn't exist yet
extraVolumeMounts: extraVolumeMounts:
- name: airflow-dags - name: airflow-dags
mountPath: /home/jovyan/airflow-dags mountPath: /home/jovyan/airflow-dags
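Review bot: The GPU branch in the `@@ -180,6 +203,10` hunk emits a second `extraPodConfig` key under `singleuser` while the `@@ -155,6 +163,21` hunk already adds one, so with `JUPYTERHUB_GPU_ENABLED` set to `"true"` the rendered values file contains a duplicate mapping key; lenient parsers silently keep the last one (which is the only reason the copied `securityContext` in the GPU block takes effect) and strict ones reject the document. Folding `runtimeClassName` into the one `extraPodConfig` block behind the existing gomplate conditional keeps a single definition of the pod security context and removes the duplication; `extraResource` can stay in the GPU conditional as it is. The `singleuser` mapping starts before the first hunk and the `{{- end }}` closing the GPU conditional lies outside the third, so the moved lines have to be removed there as well. Separately, the Vault renewal sidecar referenced under `hub` in the first hunk will need its own restricted-compatible container securityContext (capabilities dropped, no privilege escalation, non-root, RuntimeDefault seccomp) once the namespace enforces `restricted`; its container spec is not in this diff, so worth confirming.

```yaml
singleuser:
  # … unchanged: cloudMetadata, allowPrivilegeEscalation …
  extraPodConfig:
    {{- if eq .Env.JUPYTERHUB_GPU_ENABLED "true" }}
    runtimeClassName: nvidia
    {{- end }}
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
  # … unchanged: storage, GPU conditional now holding only extraResource …
```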


@@ -110,6 +110,9 @@ install root_token='':
just create-namespace just create-namespace
kubectl label namespace ${JUPYTERHUB_NAMESPACE} \
pod-security.kubernetes.io/enforce=restricted --overwrite
# Create crypt key secret if it doesn't exist # Create crypt key secret if it doesn't exist
if ! kubectl get secret jupyterhub-crypt-key -n ${JUPYTERHUB_NAMESPACE} &>/dev/null; then if ! kubectl get secret jupyterhub-crypt-key -n ${JUPYTERHUB_NAMESPACE} &>/dev/null; then
just create-crypt-key-secret just create-crypt-key-secret
@@ -394,21 +397,6 @@ create-jupyterhub-vault-token root_token='':
VAULT_TOKEN=$(gum input --prompt="Vault root token: " --password --width=100) VAULT_TOKEN=$(gum input --prompt="Vault root token: " --password --width=100)
done done
echo "Creating JupyterHub admin Vault token"
# jupyterhub-admin policy should exist (created by setup-vault-integration)
# Check if token already exists
if vault kv get secret/jupyterhub/vault-token >/dev/null 2>&1; then
echo "Existing admin token found at secret/jupyterhub/vault-token"
if gum confirm "Replace existing token with new one?"; then
echo "Creating new admin token..."
else
echo "Using existing token"
return 0
fi
fi
# Create admin vault token with unlimited max TTL # Create admin vault token with unlimited max TTL
echo "" echo ""
echo "Creating admin token (TTL: ${JUPYTERHUB_VAULT_TOKEN_TTL}, Max TTL: unlimited)..." echo "Creating admin token (TTL: ${JUPYTERHUB_VAULT_TOKEN_TTL}, Max TTL: unlimited)..."