diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index 4d99d1b..32aa6e4 100644 --- a/braintrust/templates/api-deployment.yaml +++ b/braintrust/templates/api-deployment.yaml @@ -137,8 +137,12 @@ spec: - name: NODE_EXTRA_CA_CERTS value: "/etc/braintrust/tls/ca-bundle.pem" {{- end }} - {{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }} + {{- if or .Values.api.tmpVolume.enabled (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }} volumeMounts: + {{- if .Values.api.tmpVolume.enabled }} + - name: tmp-volume + mountPath: /tmp + {{- end }} {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" @@ -150,8 +154,17 @@ spec: readOnly: true {{- end }} {{- end }} - {{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }} + {{- if or .Values.api.tmpVolume.enabled (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }} volumes: + {{- if .Values.api.tmpVolume.enabled }} + - name: tmp-volume + emptyDir: + {{- if .Values.api.tmpVolume.sizeLimit }} + sizeLimit: {{ .Values.api.tmpVolume.sizeLimit | quote }} + {{- else }} + {} + {{- end }} + {{- end }} {{- if .Values.customTLSCABundle }} - name: tls-ca projected: diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index e11ef25..9ef0a5a 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml @@ -142,6 +142,8 @@ spec: volumeMounts: - name: cache-volume mountPath: {{ .Values.brainstore.reader.cacheDir }} + - name: tmp-volume + mountPath: /tmp {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" @@ -165,8 +167,16 @@ spec: requests: storage: {{ required "brainstore.reader.volume.size must be set" .Values.brainstore.reader.volume.size | quote }} {{- else }} - emptyDir: {} + emptyDir: + {{- if .Values.brainstore.reader.volume.sizeLimit }} + sizeLimit: {{ .Values.brainstore.reader.volume.sizeLimit | quote }} + {{- else }} + {} + {{- end }} {{- end }} + - name: tmp-volume + emptyDir: + sizeLimit: "1Gi" {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline csi: diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml index fd2e66a..62bfb68 100644 --- a/braintrust/templates/brainstore-writer-deployment.yaml +++ b/braintrust/templates/brainstore-writer-deployment.yaml @@ -142,6 +142,8 @@ spec: volumeMounts: - name: cache-volume mountPath: {{ .Values.brainstore.writer.cacheDir }} + - name: tmp-volume + mountPath: /tmp {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" @@ -165,8 +167,16 @@ spec: requests: storage: {{ required "brainstore.writer.volume.size must be set" .Values.brainstore.writer.volume.size | quote }} {{- else }} - emptyDir: {} + emptyDir: + {{- if .Values.brainstore.writer.volume.sizeLimit }} + sizeLimit: {{ .Values.brainstore.writer.volume.sizeLimit | quote }} + {{- else }} + {} + {{- end }} {{- end }} + - name: tmp-volume + emptyDir: + sizeLimit: "1Gi" {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline csi: diff --git a/braintrust/values.yaml b/braintrust/values.yaml index 1871595..b7b7446 100644 --- a/braintrust/values.yaml +++ b/braintrust/values.yaml @@ -115,11 +115,17 @@ api: # runAsUser: 1000 # runAsGroup: 1000 # fsGroup: 1000 - # Optional: Container-level security context - # securityContext: - # capabilities: - # drop: - # - ALL + # Container-level security context (enabled for CEL policy compliance) + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # Temporary directory configuration (needed when readOnlyRootFilesystem is true) + tmpVolume: + enabled: true + sizeLimit: "1Gi" # Allow running user generated code functions (e.g. scorers/tools) allowCodeFunctionExecution: true # Brainstore backfill configuration. These defaults are fine for most cases. @@ -229,11 +235,13 @@ brainstore: # runAsUser: 1000 # runAsGroup: 1000 # fsGroup: 1000 - # Optional: Container-level security context - # securityContext: - # capabilities: - # drop: - # - ALL + # Container-level security context (enabled for CEL policy compliance) + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL cacheDir: "/mnt/tmp/brainstore" objectStoreCacheMemoryLimit: "1Gi" objectStoreCacheFileSize: "50Gi" @@ -243,6 +251,8 @@ brainstore: volume: # Storage size for ephemeral storage requests (used with GKE Autopilot local SSDs) size: "" + # EmptyDir sizeLimit (separate from ephemeral-storage requests, required for CEL policy compliance) + sizeLimit: "50Gi" extraEnvVars: [] nodeSelector: {} tolerations: [] @@ -275,11 +285,13 @@ brainstore: # runAsUser: 1000 # runAsGroup: 1000 # fsGroup: 1000 - # Optional: Container-level security context - # securityContext: - # capabilities: - # drop: - # - ALL + # Container-level security context (enabled for CEL policy compliance) + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL cacheDir: "/mnt/tmp/brainstore" objectStoreCacheMemoryLimit: "1Gi" objectStoreCacheFileSize: "50Gi" @@ -290,6 +302,8 @@ brainstore: # Storage size for ephemeral storage requests # Used with GKE Autopilot local SSDs and Azure Container Storage CSI size: "" + # EmptyDir sizeLimit (separate from ephemeral-storage requests, required for CEL policy compliance) + sizeLimit: "50Gi" extraEnvVars: [] # Example: # - name: MY_ENV_VAR