
Harden bedrock migration Job for Kyverno#2782

Merged
Daniel-Fan merged 9 commits into IBM:master from YCShen1010:kyverno
Mar 26, 2026

Conversation

@YCShen1010
Contributor

What this PR does / why we need it:
Make the bedrock migration Job Kyverno-compliant by adding resource requests/limits, supporting pinned image references, and hardening container/pod security while providing a writable tmp volume.

Which issue(s) this PR fixes:
Fixes # https://github.ibm.com/IBMPrivateCloud/roadmap/issues/68808/#issuecomment-181904012

Changes:

  • Added resources.requests and resources.limits
  • Replaced fixed image with templated support for cpfs.utilsImage or tag + optional cpfs.imageDigest.
  • Added container securityContext (runAsNonRoot, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true).
  • Mounted an emptyDir at tmp
  • Added pod volumes so ephemeral writes still work.

Signed-off-by: Sophie Shen <syc_libra@live.cn>
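The hardening rules listed in the description, as an added offline check that is not part of this PR or the chart: it walks a rendered Job manifest (what `helm template` would produce) and reports each Kyverno-style finding, with the missing writable `/tmp` under a read-only root filesystem treated as its own failure. The two sample manifests, the registry path and the digest value are constructed placeholders.

```python
import re

def _image_is_pinned(image):
    """True for a digest reference or a non-'latest' tag; False for mutable refs."""
    if re.search(r"@sha256:[0-9a-f]{64}$", image):
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/namespace path before inspecting the tag
    return ":" in last and not last.endswith(":latest")

def check_container(c):
    """Return the violations for one container spec, mirroring the PR's hardening."""
    name, findings = c.get("name", "?"), []
    res = c.get("resources", {})
    for key in ("requests", "limits"):
        if not res.get(key):
            findings.append(f"{name}: missing resources.{key}")
    sc = c.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem must be true")
    elif not any(m.get("mountPath") == "/tmp" for m in c.get("volumeMounts", [])):
        findings.append(f"{name}: read-only rootfs but no writable /tmp mount")
    if not _image_is_pinned(c.get("image", "")):
        findings.append(f"{name}: image reference is mutable (no digest or pinned tag)")
    return findings

def check_job(job):
    """Check every container of a batch/v1 Job; an empty list means compliant."""
    pod = job["spec"]["template"]["spec"]
    return [f for c in pod.get("containers", []) for f in check_container(c)]

# Constructed samples: the Job before and after the hardening (registry and digest are placeholders).
_IMG = "registry.example/ns/cpfs-utils"
BEFORE_JOB = {"spec": {"template": {"spec": {"containers": [
    {"name": "migration", "image": _IMG + ":latest"}]}}}}
HARDENED_JOB = {"spec": {"template": {"spec": {
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{
        "name": "migration", "image": _IMG + "@sha256:" + "0" * 64,
        "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}}}}

if __name__ == "__main__":
    for label, job in (("before", BEFORE_JOB), ("hardened", HARDENED_JOB)):
        print(label, check_job(job) or "compliant")
```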
```yaml
{{- if .Values.cpfs.utilsImageDigest }}
{{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperand }}/cpfs-utils@{{ .Values.cpfs.utilsImageDigest }}
{{- else }}
{{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperand }}/cpfs-utils:latest
{{- end }}
```
Contributor


Hold the PR for now. Will need to discuss with CICD about how image digest is delivered during the build process.

@YCShen1010
Contributor Author

Run:

```shell
helm template test . > job.yaml
oc apply -f job.yaml
```

Local test result:

```
✗ oc apply -f job.yaml
job.batch/bedrock-migration-job unchanged
serviceaccount/bedrock-migration-job-sa unchanged
role.rbac.authorization.k8s.io/bedrock-migration-job-role-migrationjob unchanged
role.rbac.authorization.k8s.io/bedrock-migration-job-role unchanged
role.rbac.authorization.k8s.io/bedrock-migration-job-role unchanged
rolebinding.rbac.authorization.k8s.io/bedrock-migration-job-rb-migrationjob unchanged
rolebinding.rbac.authorization.k8s.io/bedrock-migration-job-rb unchanged
rolebinding.rbac.authorization.k8s.io/bedrock-migration-job-rb unchanged
```

pod completed

@YCShen1010 YCShen1010 requested a review from Daniel-Fan March 26, 2026 14:55
YCShen1010 and others added 2 commits March 26, 2026 08:14
Contributor

@Daniel-Fan Daniel-Fan left a comment


Thank you @YCShen1010
The changes look good to me!

@Daniel-Fan Daniel-Fan merged commit e9c9c08 into IBM:master Mar 26, 2026
1 check passed
@YCShen1010 YCShen1010 deleted the kyverno branch March 26, 2026 15:24