Closed
Labels: bug (Something isn't working)
Several application values files change a component's securityContext, for example by setting the (container) root FS to be writable:
```
$ git grep -e '^[^#].*securityContext' -e ^[^#].*readOnlyRoot.*false | grep -v -e common/ -e templates
chatqna/gaudi-tgi-values.yaml:    securityContext:
chatqna/gaudi-tgi-values.yaml:      readOnlyRootFilesystem: false
chatqna/gaudi-vllm-values.yaml:    securityContext:
chatqna/gaudi-vllm-values.yaml:      readOnlyRootFilesystem: false
chatqna/guardrails-gaudi-values.yaml:    securityContext:
chatqna/guardrails-gaudi-values.yaml:      readOnlyRootFilesystem: false
searchqna/gaudi-values.yaml:    securityContext:
searchqna/gaudi-values.yaml:      readOnlyRootFilesystem: false
```
Those overrides are for the tei & teirerank components, which seem to have the same override for Gaudi, but I think that's wrong. Either a component needs to write to the root FS or it does not; it should not depend on which device is used:
```
$ git grep ^[^#].*readOnlyRoot.*false | grep common/
common/agent/values.yaml:      readOnlyRootFilesystem: false
common/chathistory-usvc/values.yaml:      readOnlyRootFilesystem: false
common/data-prep/values.yaml:      readOnlyRootFilesystem: false
common/llm-uservice/values.yaml:      readOnlyRootFilesystem: false
common/lvm-serve/values.yaml:      readOnlyRootFilesystem: false
common/lvm-uservice/values.yaml:      readOnlyRootFilesystem: false
common/mm-embedding/values.yaml:      readOnlyRootFilesystem: false
common/prompt-usvc/values.yaml:      readOnlyRootFilesystem: false
common/retriever-usvc/values.yaml:      readOnlyRootFilesystem: false
common/speecht5/values.yaml:      readOnlyRootFilesystem: false
common/tei/gaudi-values.yaml:      readOnlyRootFilesystem: false      <====
common/teirerank/gaudi-values.yaml:      readOnlyRootFilesystem: false      <====
common/whisper/values.yaml:      readOnlyRootFilesystem: false
```
I'm pretty sure those overrides were made redundant with #613 and #642.
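The check the issue describes, as an added example rather than code from the GenAIInfra repository: it walks a set of Helm values files, lists every `readOnlyRootFilesystem: false`, and flags the two patterns raised above, a device-specific values file (anything other than `values.yaml` in a `common/` chart) that disagrees with the chart's base setting, and an application values file that overrides a subchart's `securityContext`. The values files are constructed inline as already-parsed dicts (what `yaml.safe_load` would return); the file names mirror the layout in the issue, but their contents and the assumption that a top-level key of an application file names a subchart are mine, not the project's.

```python
"""Audit parsed Helm values for readOnlyRootFilesystem overrides.

Added example, not GenAIInfra code. Values are constructed here as dicts,
as yaml.safe_load would return them; contents are made up for illustration.
"""
from collections import defaultdict

# Constructed sample input: file path -> parsed values.
SAMPLE_VALUES = {
    "common/tei/values.yaml": {
        "securityContext": {"readOnlyRootFilesystem": True, "runAsNonRoot": True}},
    "common/tei/gaudi-values.yaml": {
        "securityContext": {"readOnlyRootFilesystem": False}},
    "common/whisper/values.yaml": {
        "securityContext": {"readOnlyRootFilesystem": False}},
    "common/prompt-usvc/values.yaml": {
        "securityContext": {"readOnlyRootFilesystem": True}},
    "chatqna/gaudi-tgi-values.yaml": {
        # Assumption: a top-level key in an application file is a subchart name.
        "tei": {"securityContext": {"readOnlyRootFilesystem": False}},
        "tgi": {"image": {"repository": "example.invalid/tgi-placeholder"}},
    },
}


def walk(node, path=()):
    """Yield (key_path, value) for every leaf of a nested dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    else:
        yield path, node


def find_writable_rootfs(values_by_path):
    """Sorted (file, dotted key path) pairs where readOnlyRootFilesystem is false."""
    hits = []
    for file, values in values_by_path.items():
        for key_path, value in walk(values):
            if key_path and key_path[-1] == "readOnlyRootFilesystem" and value is False:
                hits.append((file, ".".join(key_path)))
    return sorted(hits)


def chart_of(file):
    """'common/tei/gaudi-values.yaml' -> ('common/tei', 'gaudi-values.yaml')."""
    directory, _, name = file.rpartition("/")
    return directory, name


def rootfs_setting(values):
    """Top-level securityContext.readOnlyRootFilesystem, or None when unset."""
    return values.get("securityContext", {}).get("readOnlyRootFilesystem")


def device_dependent_rootfs(values_by_path):
    """Component charts whose non-base values file (e.g. gaudi-values.yaml)
    sets readOnlyRootFilesystem differently from values.yaml.
    Returns {chart: {file name: setting}} including the base setting."""
    by_chart = defaultdict(dict)
    for file, values in values_by_path.items():
        chart, name = chart_of(file)
        if not chart.startswith("common/"):
            continue
        setting = rootfs_setting(values)
        if setting is not None:
            by_chart[chart][name] = setting
    inconsistent = {}
    for chart, settings in by_chart.items():
        base = settings.get("values.yaml")
        if base is None:
            continue
        differing = {n: s for n, s in settings.items()
                     if n != "values.yaml" and s != base}
        if differing:
            inconsistent[chart] = {"values.yaml": base, **differing}
    return inconsistent


def app_level_overrides(values_by_path):
    """Application values files (outside common/) that set a subchart's
    securityContext. Returns sorted (file, subchart) pairs."""
    hits = []
    for file, values in values_by_path.items():
        chart, _ = chart_of(file)
        if chart.startswith("common/"):
            continue
        for component, sub in values.items():
            if isinstance(sub, dict) and "securityContext" in sub:
                hits.append((file, component))
    return sorted(hits)


if __name__ == "__main__":
    for file, key in find_writable_rootfs(SAMPLE_VALUES):
        print(f"writable root FS: {file}: {key}")
    for chart, settings in device_dependent_rootfs(SAMPLE_VALUES).items():
        print(f"device-dependent: {chart}: {settings}")
    for file, component in app_level_overrides(SAMPLE_VALUES):
        print(f"app override of subchart securityContext: {file}: {component}")
```

On the constructed input the device-dependent report names only `common/tei` (base `true`, Gaudi override `false`); `common/whisper` is writable in its base file and so is listed as writable but not as device-dependent, which is the distinction the issue draws.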
Latest testing status for readOnlyRootFilesystem: true settings of charts under the common directory.
- agent: verified, supports readOnlyRootFilesystem
- chathistory-usvc: verified, supports readOnlyRootFilesystem
- data-prep: PR "Add readOnlyRootFileSystem for dataprep and retriever" #867. Depends on "[CI Feature] functional gap and code duplications in dataprep CI test" GenAIComps#1324 and "[Bug] can NOT ingest pptx files with embedded image to dataprep microservice" GenAIComps#1325
- gpt-sovits: verified, does NOT support readOnlyRootFilesystem. nltk needs to download data to a local directory during runtime.
- llm-uservice: verified, does NOT support readOnlyRootFilesystem. docsum/faqgen need to install the langserve python module during runtime.
- lvm-serve: verified, does NOT support readOnlyRootFilesystem. llama-vision needs to write files to the current local directory during runtime.
- lvm-uservice: verified, supports readOnlyRootFilesystem
- mm-embedding: verified, does NOT support readOnlyRootFilesystem. embedding-multimodal-bridgetower needs to create logfiles in the local directory during runtime. Found bug "[Bug] service embedding-multimodal-bridgetower can not be launched" GenAIComps#1370
- nginx: verified with minimal securityContext.
- prompt-usvc: verified, supports readOnlyRootFilesystem
- retriever-usvc: PR "Add readOnlyRootFileSystem for dataprep and retriever" #867. Depends on dataprep.
- speecht5: verified, does NOT support readOnlyRootFilesystem. The service itself needs to download files to the local current directory.
- tei: verified, does NOT support readOnlyRootFilesystem in the tei-gaudi case. Pod crashes with no clue as to where the tei-gaudi image wants to write in the filesystem.
- teirerank: same as tei
- text2image: verified, supports readOnlyRootFilesystem
- whisper: verified, does NOT support readOnlyRootFilesystem. The service needs to write to the local current directory during runtime.
- ui: depends on issue "[UI] UI container should NOT run with root privilege" GenAIExamples#517
- vllm: PR "vllm: Add securityContxt settings" #874