17 changes: 15 additions & 2 deletions braintrust/templates/api-deployment.yaml
Expand Up @@ -137,8 +137,12 @@ spec:
- name: NODE_EXTRA_CA_CERTS
value: "/etc/braintrust/tls/ca-bundle.pem"
{{- end }}
{{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
{{- if or .Values.api.tmpVolume.enabled (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
volumeMounts:
{{- if .Values.api.tmpVolume.enabled }}
- name: tmp-volume
mountPath: /tmp
{{- end }}
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
Expand All @@ -150,8 +154,17 @@ spec:
readOnly: true
{{- end }}
{{- end }}
{{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
{{- if or .Values.api.tmpVolume.enabled (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
volumes:
{{- if .Values.api.tmpVolume.enabled }}
- name: tmp-volume
emptyDir:
{{- if .Values.api.tmpVolume.sizeLimit }}
sizeLimit: {{ .Values.api.tmpVolume.sizeLimit | quote }}
Comment on lines +161 to +163


P2 Badge Render emptyDir as an object when sizeLimit is unset

If api.tmpVolume.enabled is true and api.tmpVolume.sizeLimit is set to an empty value, this block renders emptyDir: without any fields, which becomes null instead of an object. Kubernetes treats that as no volume source, so the pod spec is rejected with a volume-type validation error. Please keep an explicit empty object fallback (for example emptyDir: {}) when no sizeLimit is provided; the same templating pattern is also used in the reader/writer deployments.


{{- else }}
{}
{{- end }}
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: tls-ca
projected:
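Review bot: The `/tmp` mount and its `tmp-volume` are gated on `api.tmpVolume.enabled`, but nothing in these hunks ties that flag to `api.securityContext.readOnlyRootFilesystem`, which values.yaml now defaults to `true`. An override that sets only `tmpVolume.enabled: false` would, as far as this page shows, leave the API container without a writable `/tmp`, and the values comment says the volume is needed in that mode, so the failure would surface only at runtime. Consider failing at render time next to the `volumeMounts:` guard, for example `{{- if and .Values.api.securityContext.readOnlyRootFilesystem (not .Values.api.tmpVolume.enabled) }}{{ fail "api.tmpVolume.enabled must be true when readOnlyRootFilesystem is set" }}{{- end }}`, or at least state the coupling in a template comment. The container spec begins above the first hunk, so how `securityContext` is rendered is not visible here.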
12 changes: 11 additions & 1 deletion braintrust/templates/brainstore-reader-deployment.yaml
Expand Up @@ -142,6 +142,8 @@ spec:
volumeMounts:
- name: cache-volume
mountPath: {{ .Values.brainstore.reader.cacheDir }}
- name: tmp-volume
mountPath: /tmp
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
Expand All @@ -165,8 +167,16 @@ spec:
requests:
storage: {{ required "brainstore.reader.volume.size must be set" .Values.brainstore.reader.volume.size | quote }}
{{- else }}
emptyDir: {}
emptyDir:
{{- if .Values.brainstore.reader.volume.sizeLimit }}
sizeLimit: {{ .Values.brainstore.reader.volume.sizeLimit | quote }}
{{- else }}
{}
{{- end }}
{{- end }}
- name: tmp-volume
emptyDir:
sizeLimit: "1Gi"
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
csi:
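Review bot: The `tmp-volume` added here is unconditional and its `sizeLimit: "1Gi"` is hard-coded, while the API deployment in the same change reads `api.tmpVolume.enabled` and `api.tmpVolume.sizeLimit` from values; the writer deployment repeats the same pattern. Because the kubelet evicts a pod whose emptyDir usage exceeds `sizeLimit`, a fixed 1Gi cap on `/tmp` is an availability setting that operators cannot tune without forking the chart. Suggest `sizeLimit: {{ .Values.brainstore.reader.tmpVolume.sizeLimit | default "1Gi" | quote }}` with a matching, documented key in values.yaml, and the equivalent for the writer. Both hunks are excerpts, so the rest of the pod spec is outside this view.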
12 changes: 11 additions & 1 deletion braintrust/templates/brainstore-writer-deployment.yaml
Expand Up @@ -142,6 +142,8 @@ spec:
volumeMounts:
- name: cache-volume
mountPath: {{ .Values.brainstore.writer.cacheDir }}
- name: tmp-volume
mountPath: /tmp
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
Expand All @@ -165,8 +167,16 @@ spec:
requests:
storage: {{ required "brainstore.writer.volume.size must be set" .Values.brainstore.writer.volume.size | quote }}
{{- else }}
emptyDir: {}
emptyDir:
{{- if .Values.brainstore.writer.volume.sizeLimit }}
sizeLimit: {{ .Values.brainstore.writer.volume.sizeLimit | quote }}
{{- else }}
{}
{{- end }}
{{- end }}
- name: tmp-volume
emptyDir:
sizeLimit: "1Gi"
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
csi:
44 changes: 29 additions & 15 deletions braintrust/values.yaml
Expand Up @@ -115,11 +115,17 @@ api:
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
# Optional: Container-level security context
# securityContext:
# capabilities:
# drop:
# - ALL
# Container-level security context (enabled for CEL policy compliance)
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# Temporary directory configuration (needed when readOnlyRootFilesystem is true)
tmpVolume:
enabled: true
sizeLimit: "1Gi"
# Allow running user generated code functions (e.g. scorers/tools)
allowCodeFunctionExecution: true
# Brainstore backfill configuration. These defaults are fine for most cases.
Expand Down Expand Up @@ -229,11 +235,13 @@ brainstore:
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
# Optional: Container-level security context
# securityContext:
# capabilities:
# drop:
# - ALL
# Container-level security context (enabled for CEL policy compliance)
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
cacheDir: "/mnt/tmp/brainstore"
objectStoreCacheMemoryLimit: "1Gi"
objectStoreCacheFileSize: "50Gi"
Expand All @@ -243,6 +251,8 @@ brainstore:
volume:
# Storage size for ephemeral storage requests (used with GKE Autopilot local SSDs)
size: ""
# EmptyDir sizeLimit (separate from ephemeral-storage requests, required for CEL policy compliance)
sizeLimit: "50Gi"
extraEnvVars: []
nodeSelector: {}
tolerations: []
Expand Down Expand Up @@ -275,11 +285,13 @@ brainstore:
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
# Optional: Container-level security context
# securityContext:
# capabilities:
# drop:
# - ALL
# Container-level security context (enabled for CEL policy compliance)
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
cacheDir: "/mnt/tmp/brainstore"
objectStoreCacheMemoryLimit: "1Gi"
objectStoreCacheFileSize: "50Gi"
Expand All @@ -290,6 +302,8 @@ brainstore:
# Storage size for ephemeral storage requests
# Used with GKE Autopilot local SSDs and Azure Container Storage CSI
size: ""
# EmptyDir sizeLimit (separate from ephemeral-storage requests, required for CEL policy compliance)
sizeLimit: "50Gi"
extraEnvVars: []
# Example:
# - name: MY_ENV_VAR
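Review bot: The new `volume.sizeLimit: "50Gi"` equals `objectStoreCacheFileSize: "50Gi"` for both reader and writer, and the templates mount `cache-volume` at `cacheDir`, so the cache can apparently grow right up to the emptyDir cap with no headroom. The kubelet evicts a pod whose emptyDir usage exceeds `sizeLimit`, so any data beyond the cache file on that volume could turn a full cache into repeated evictions; whether anything else is written under `cacheDir` is not visible here. Either leave margin between the two defaults or document the relation above the key, for example `# Must be larger than objectStoreCacheFileSize; exceeding sizeLimit evicts the pod`. The same applies to the writer block further down in this file.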