Configure user workloads to run unprivileged
This guide describes how to configure Charmed Kubeflow (CKF) to run all user-generated workloads without elevated permissions. This is done by selecting a Pod Security Standards level, which defines the privileges allowed for workloads running in namespaces associated with Kubeflow Profiles.
Requirements
A Charmed Kubeflow deployment with version 1.10 or later.
Revision 765 or later of the kubeflow-profiles charm. You can view the currently used revision with:
sudo apt install -y jq
juju status kubeflow-profiles --format=json | jq '.applications["kubeflow-profiles"]["charm-rev"]'
The Istio CNI plugin has been enabled. See Enable Istio CNI plugin for more details.
Configure Pod Security Standards in Kubeflow Profiles
CKF security policies are based on the Kubernetes Pod Security Standards, which are enforced by control plane mechanisms rather than by the workloads themselves. You can view the security policy currently used in your deployment by running:
juju config kubeflow-profiles security-policy
Note: The restricted policy is currently not supported in Charmed Kubeflow.
Configure baseline policy
Configure the security policy in kubeflow-profiles to baseline by running:
juju config kubeflow-profiles security-policy=baseline
The deployment is now configured to enforce the baseline Pod Security Standards policy on all user-generated workloads. To learn more about the permissions allowed under the baseline policy, refer to the Kubernetes documentation.
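The baseline level is defined by Kubernetes, so a notebook or pipeline step that relies on host access will be rejected once the policy is enforced. The following is an added example (not Charmed Kubeflow code): a small Python pre-flight check that reports which baseline controls a pod manifest violates, so a spec can be corrected before admission blocks it. It assumes the manifest has already been parsed into a dict (for example with PyYAML) and covers only a subset of the baseline controls.

```python
# Added example, not Charmed Kubeflow code: checks a pod manifest (a dict parsed
# from YAML/JSON) against a subset of the Kubernetes baseline Pod Security
# Standard (host namespaces, hostPath, privileged, capabilities, procMount,
# seccomp, hostPort). AppArmor, SELinux, sysctl and hostProcess are omitted.

# Capabilities a container may add under baseline (from the standard).
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def _all_containers(spec):
    # Baseline applies to init, regular and ephemeral containers alike.
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []

def baseline_violations(pod):
    """Return human-readable baseline violations; an empty list means compliant."""
    spec = pod.get("spec") or {}
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"spec.{field}")
    for vol in spec.get("volumes") or []:
        if vol.get("hostPath") is not None:
            found.append(f"volume {vol.get('name')}: hostPath")
    for c in _all_containers(spec):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"{name}: privileged")
        extra = set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_ADD_CAPS
        if extra:
            found.append(f"{name}: capabilities.add {sorted(extra)}")
        if sc.get("procMount", "Default") != "Default":
            found.append(f"{name}: procMount={sc['procMount']}")
        if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
            found.append(f"{name}: seccompProfile=Unconfined")
        if any(p.get("hostPort") for p in c.get("ports") or []):
            found.append(f"{name}: hostPort")
    return found

# Constructed sample manifests (not taken from a real deployment).
NOTEBOOK_OK = {"spec": {"containers": [{"name": "notebook", "image": "jupyter",
    "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}}
NOTEBOOK_BAD = {"spec": {"hostNetwork": True,
    "volumes": [{"name": "hostlogs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "notebook", "image": "jupyter",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
```

Run it over the manifests a user intends to submit; any non-empty result lists the fields that the baseline policy set above will reject.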
Configure privileged policy
If you don't want to enforce a more restrictive policy, you can set the security policy in kubeflow-profiles to privileged:
juju config kubeflow-profiles security-policy=privileged