@bartoszmajsak
Created March 11, 2026 18:17
KRM exec function: enforce runAsNonRoot for LLMInferenceServiceConfig via kustomize transformer

enforce-non-root.sh

#!/usr/bin/env bash
# KRM exec function: sets securityContext.runAsNonRoot=true on every
# container and initContainer in LLMInferenceServiceConfig resources.
#
# Skips resources labeled opendatahub.io/config-type=accelerator
# (minimal overrides that inherit securityContext from the base template).
#
# Receives a ResourceList on stdin, emits modified ResourceList on stdout.
exec yq eval '
(.items[] |
select(.kind == "LLMInferenceServiceConfig") |
select(.metadata.labels["opendatahub.io/config-type"] != "accelerator") |
.. | select(has("containers")).containers[].securityContext.runAsNonRoot
) = true
|
(.items[] |
select(.kind == "LLMInferenceServiceConfig") |
select(.metadata.labels["opendatahub.io/config-type"] != "accelerator") |
.. | select(has("initContainers")).initContainers[].securityContext.runAsNonRoot
) = true
' -

enforce-non-root.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: enforce-non-root
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ./enforce-non-root.sh

kustomization.yaml

Add the transformer reference:

transformers:
- enforce-non-root.yaml

Invocation

Requires both flags with the standalone kustomize binary:

kustomize build config/overlays/odh --enable-alpha-plugins --enable-exec

kubectl kustomize --enable-alpha-plugins silently skips the exec function (kubectl's embedded kustomize has no --enable-exec flag, and functions that are not enabled are dropped rather than reported), so the output looks like a successful build with no securityContext changes. Use the standalone binary.

What it does

The enforce-non-root.sh KRM exec function receives the full ResourceList on stdin, uses yq's recursive descent (..) to find every mapping with a containers or initContainers array at any nesting depth within LLMInferenceServiceConfig resources, and sets securityContext.runAsNonRoot: true on each entry. No path enumeration is needed, so new nesting levels added to the CRD are picked up automatically. The assignment creates securityContext when it is absent and overwrites an explicit runAsNonRoot: false, while leaving any other securityContext fields (allowPrivilegeEscalation, capabilities, and so on) untouched.

Note that runAsNonRoot is a check, not a UID change: the kubelet refuses to start a container whose image runs as UID 0, and also one whose image USER is a non-numeric name it cannot verify unless runAsUser is set. Images referenced by these templates therefore need a numeric USER or an explicit runAsUser for the transformed config to be deployable.

Resources labeled opendatahub.io/config-type=accelerator are skipped (they're minimal overrides that inherit securityContext from the base template).
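The same rules ported to Python, as an added example that is not code from the gist: it applies the filter's logic to a parsed ResourceList so the transformer's behaviour (recursive descent, the accelerator skip, creation of a missing securityContext, overwriting an explicit false, other kinds untouched) can be checked offline without yq or kustomize. The apiVersion, resource names and spec layout in the fixture are assumptions made for the example, not the real CRD schema, and containers_without_non_root is an audit helper of the same provenance that can be run over kustomize build output to confirm nothing was missed.

```python
"""Port of the enforce-non-root.sh yq filter to plain Python.
Added example, not from the gist: it applies the same rules to a parsed
ResourceList so the behaviour can be checked without yq or kustomize.
apiVersion, names and spec layout in the fixture are assumed for illustration."""
import copy
import json

TARGET_KIND = "LLMInferenceServiceConfig"
SKIP_LABEL, SKIP_VALUE = "opendatahub.io/config-type", "accelerator"
CONTAINER_KEYS = ("containers", "initContainers")


def _is_accelerator_override(resource):
    labels = (resource.get("metadata") or {}).get("labels") or {}
    return labels.get(SKIP_LABEL) == SKIP_VALUE


def _each_container(node):
    """Recursive descent (yq's '..'): yield every entry of any containers or
    initContainers list at any depth below node."""
    if isinstance(node, dict):
        for key in CONTAINER_KEYS:
            for c in node.get(key) or []:
                if isinstance(c, dict):
                    yield c
        for child in node.values():
            yield from _each_container(child)
    elif isinstance(node, list):
        for child in node:
            yield from _each_container(child)


def enforce_non_root(resource_list):
    """Return a copy with securityContext.runAsNonRoot=true on every container
    of each targeted resource. A missing securityContext is created and an
    explicit false is overwritten; other securityContext fields are kept."""
    out = copy.deepcopy(resource_list)
    for res in out.get("items", []):
        if res.get("kind") != TARGET_KIND or _is_accelerator_override(res):
            continue
        for c in _each_container(res):
            sc = c.get("securityContext")
            if not isinstance(sc, dict):
                sc = c["securityContext"] = {}
            sc["runAsNonRoot"] = True
    return out


def containers_without_non_root(resource_list):
    """Audit check for kustomize build output: (kind/name, container) pairs
    whose runAsNonRoot is not true, across all resource kinds."""
    missing = []
    for res in resource_list.get("items", []):
        owner = "%s/%s" % (res.get("kind"), (res.get("metadata") or {}).get("name"))
        for c in _each_container(res):
            if (c.get("securityContext") or {}).get("runAsNonRoot") is not True:
                missing.append((owner, c.get("name")))
    return missing


# Constructed fixture in the shape kustomize pipes to the function.
SAMPLE_RESOURCE_LIST = {
    "apiVersion": "config.kubernetes.io/v1",
    "kind": "ResourceList",
    "items": [
        {
            "apiVersion": "serving.kserve.io/v1alpha1",  # assumed
            "kind": "LLMInferenceServiceConfig",
            "metadata": {"name": "base-template"},
            "spec": {
                "template": {
                    "initContainers": [{"name": "fetch-model"}],
                    "containers": [{"name": "main", "securityContext": {
                        "runAsNonRoot": False, "allowPrivilegeEscalation": False}}],
                },
                # deeper nesting that path enumeration would miss
                "prefill": {"template": {"containers": [{"name": "prefill"}]}},
            },
        },
        {   # skipped: accelerator override inherits from the base template
            "apiVersion": "serving.kserve.io/v1alpha1",
            "kind": "LLMInferenceServiceConfig",
            "metadata": {"name": "gpu-override",
                         "labels": {"opendatahub.io/config-type": "accelerator"}},
            "spec": {"template": {"containers": [{"name": "main"}]}},
        },
        {   # other kinds are left alone
            "apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "other-kind"},
            "spec": {"template": {"spec": {"containers": [{"name": "web"}]}}},
        },
    ],
}

if __name__ == "__main__":
    # JSON is valid YAML, so this is an acceptable ResourceList on stdout.
    print(json.dumps(enforce_non_root(SAMPLE_RESOURCE_LIST), indent=2))
```

Running the file prints the transformed list. The audit helper still reports the accelerator override afterwards: skipping it is by design, but only sound when the base template it inherits from has itself been transformed, which is exactly what the audit over the final build output confirms.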

Limitations

  • Requires yq (v4) at build time
  • Needs --enable-alpha-plugins --enable-exec flags
  • Does NOT work when kustomize is invoked programmatically as a Go library (e.g. from a controller using krusty.MakeKustomizer): exec plugins aren't supported in that path, so the same logic has to be reimplemented as an in-process transformer there