
Commit 8f166a5

Merge branch 'main' into fix-gcp
Co-authored-by: Cursor <cursoragent@cursor.com>
2 parents fcb8332 + 8e868b3 commit 8f166a5

59 files changed

Lines changed: 189 additions & 308 deletions


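--- a/config/config_template.yaml
+++ b/config/config_template.yaml
@@ -165,14 +165,14 @@
 #ceph:
 #storage_bucket: <BUCKET_NAME>
 #endpoint: <ENDPOINT_URL>
-#access_key: <ACCESS_KEY>
-#secret_key: <ACCESS_KEY>
-
+#access_key_id: <ACCESS_KEY_ID>
+#secret_access_key: <SECRET_ACCESS_KEY>
+
 #minio:
 #storage_bucket: <BUCKET_NAME>
 #endpoint: <ENDPOINT_URL>
-#access_key: <ACCESS_KEY>
-#secret_key: <ACCESS_KEY>
+#access_key_id: <ACCESS_KEY_ID>
+#secret_access_key: <SECRET_ACCESS_KEY>
 
 #redis:
 #host: <ENDPOINT_URL>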
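Review bot: The rename of `access_key`/`secret_key` to `access_key_id`/`secret_access_key` in the ceph and minio blocks is documented only by this commented-out template, so a user whose existing config still carries the old names gets no hint here that they changed. A comment next to each block, `# renamed from access_key / secret_key`, would record the migration in the one file users actually copy from; whether the storage backends still accept the old names is not visible in this commit and is worth confirming before the old keys are considered gone.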

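--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.8-buster
+FROM python:3.10-slim-bookworm
 
 RUN apt-get update \
 && apt-get install --no-install-recommends -y \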

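--- a/docs/source/compute_config/kubernetes.md
+++ b/docs/source/compute_config/kubernetes.md
@@ -76,6 +76,33 @@ k8s:
 |k8s | runtime_memory | 512 |no | Memory limit in MB. Default 512MB |
 |k8s | runtime_timeout | 600 |no | Runtime timeout in seconds. Default 600 seconds |
 |k8s | master_timeout | 600 |no | Master pod timeout in seconds. Default 600 seconds |
+|k8s | container_security_context | PSS Baseline (drop ALL caps, no privilege escalation, RuntimeDefault seccomp) | no | Mapping injected as the container `securityContext` on every Lithops pod. Set to `null` to disable. |
+|k8s | pod_security_context | | no | Mapping injected as the pod-level `securityContext`. Required for clusters enforcing Pod Security Standards Restricted (e.g. EGI Rancher, GKE Autopilot, OpenShift). Requires a non-root runtime image. |
+
+## Running on Pod Security Standards Restricted clusters
+
+Clusters enforcing the [Pod Security Standards "Restricted"](https://kubernetes.io/docs/concepts/security/pod-security-standards/) profile (Rancher with EGI policies, GKE Autopilot, OpenShift, AKS with Azure Policy, EKS with admission controllers) require pods to run as a non-root user with additional hardening. Set `pod_security_context` and use a runtime image that has a non-root `USER` directive:
+
+```yaml
+k8s:
+runtime: <your_user>/<non_root_runtime>:<tag>
+pod_security_context:
+runAsNonRoot: true
+runAsUser: 1000
+runAsGroup: 1000
+fsGroup: 1000
+seccompProfile:
+type: RuntimeDefault
+container_security_context:
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities:
+drop: ["ALL"]
+seccompProfile:
+type: RuntimeDefault
+```
+
+Providing `container_security_context` fully replaces the defaults — copy the snippet above and adjust if you want to extend rather than override.
 
 ## Test Lithops
 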

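--- a/lithops/serverless/backends/aliyun_fc/aliyun_fc.py
+++ b/lithops/serverless/backends/aliyun_fc/aliyun_fc.py
@@ -108,7 +108,7 @@ def download_requirements():
 if docker_path:
 # Build the runtime in a docker
 cmd = 'python3 -m pip install -U -t . -r requirements.txt'
-cmd = f'docker run -w /tmp -v {build_dir}:/tmp python:{utils.CURRENT_PY_VERSION}-slim-buster {cmd}'
+cmd = f'docker run -w /tmp -v {build_dir}:/tmp python:{utils.CURRENT_PY_VERSION}-slim-bookworm {cmd}'
 utils.run_command(cmd)
 else:
 logger.warning('Aliyun Functions use a Linux environment. Building'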
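Review bot: The rewritten `docker run` line still interpolates `build_dir` unquoted into a shell string, so a build directory whose path contains a space or a shell metacharacter yields a malformed `-v` mount; `-v {shlex.quote(f"{build_dir}:/tmp")}` keeps the mount intact, or the command can be passed as a list if `utils.run_command` accepts one (its signature is outside this hunk). The `slim-bookworm` suffix is now hard-coded in four backends (this file, aws_batch.py, azure_containers.py and code_engine.py); a single constant alongside `utils.CURRENT_PY_VERSION` would keep them in step and give one place to pin or audit the base image. `download_requirements` starts and ends outside the hunk.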

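--- a/lithops/serverless/backends/aliyun_fc/config.py
+++ b/lithops/serverless/backends/aliyun_fc/config.py
@@ -33,7 +33,6 @@
 BUILD_DIR = os.path.join(TEMP_DIR, 'AliyunRuntimeBuild')
 
 AVAILABLE_PY_RUNTIMES = {
-'3.6': 'python3',
 '3.9': 'python3.9',
 '3.10': 'python3.10'
 }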

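--- a/lithops/serverless/backends/aws_batch/aws_batch.py
+++ b/lithops/serverless/backends/aws_batch/aws_batch.py
@@ -117,7 +117,7 @@ def _build_default_runtime(self, runtime_name):
 python_version = utils.version_str(sys.version_info)
 dockerfile = "Dockerfile.default-batch-runtime"
 with open(dockerfile, 'w') as f:
-f.write(f"FROM python:{python_version}-slim-buster\n")
+f.write(f"FROM python:{python_version}-slim-bookworm\n")
 f.write(batch_config.DOCKERFILE_DEFAULT)
 try:
 self.build_runtime(runtime_name, dockerfile)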

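--- a/lithops/serverless/backends/aws_lambda/config.py
+++ b/lithops/serverless/backends/aws_lambda/config.py
@@ -32,8 +32,6 @@
 ]
 
 AVAILABLE_PY_RUNTIMES = {
-'3.6': 'python3.6',
-'3.7': 'python3.7',
 '3.8': 'python3.8',
 '3.9': 'python3.9',
 '3.10': 'python3.10',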

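--- a/lithops/serverless/backends/azure_containers/azure_containers.py
+++ b/lithops/serverless/backends/azure_containers/azure_containers.py
@@ -98,7 +98,7 @@ def _build_default_runtime(self, runtime_name):
 # Build default runtime using local dokcer
 dockerfile = "Dockefile.default-az-runtime"
 with open(dockerfile, 'w') as f:
-f.write(f"FROM python:{utils.CURRENT_PY_VERSION}-slim-buster\n")
+f.write(f"FROM python:{utils.CURRENT_PY_VERSION}-slim-bookworm\n")
 f.write(config.DEFAULT_DOCKERFILE)
 try:
 self.build_runtime(runtime_name, dockerfile)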

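--- a/lithops/serverless/backends/azure_functions/config.py
+++ b/lithops/serverless/backends/azure_functions/config.py
@@ -35,7 +35,7 @@
 'trigger': 'pub/sub'
 }
 
-AVAILABLE_PY_RUNTIMES = ['3.7', '3.8', '3.9', '3.10', '3.11']
+AVAILABLE_PY_RUNTIMES = ['3.8', '3.9', '3.10', '3.11']
 
 REQUIRED_AZURE_STORAGE_PARAMS = ('storage_account_name', 'storage_account_key')
 REQUIRED_AZURE_FUNCTIONS_PARAMS = ('resource_group', 'region')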

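--- a/lithops/serverless/backends/code_engine/code_engine.py
+++ b/lithops/serverless/backends/code_engine/code_engine.py
@@ -284,7 +284,7 @@ def _build_default_runtime(self, default_runtime_img_name):
 # Build default runtime using local dokcer
 dockerfile = "Dockefile.default-ce-runtime"
 python_version = utils.CURRENT_PY_VERSION
-base_image = "slim-buster" if int(python_version.split('.')[1]) < 13 else "bookworm"
+base_image = "slim-bookworm"
 with open(dockerfile, 'w') as f:
 f.write(f"FROM python:{python_version}-{base_image}\n")
 f.write(config.DOCKERFILE_DEFAULT)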
