Runnig neurodesk from Jupyterhub (K8s)

[xhejtman]

Hello,

I am trying to run neurodesk via jupyterhub on Kubernetes. The initial image works, however, I am unable to run any tool, at is seems it requires apptainer, nor suid or user namespaces are allowed in this instance of Kubernetes. Is there any way to use the neurodesk? Thanks.

[stebo85]

you need to enable capabilities needed for apptainer/singularity through Apparmor in Kubernetes:

AppArmor.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: apparmor
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-profiles
  namespace: apparmor
data:
  # Filename singleuser maps to the definition of the singleuser profile.
  singleuser: |-
    profile singleuser flags=(attach_disconnected,mediate_deleted) {
      file,
      network,
      capability,
      umount, mount,
      signal (receive),
      signal (send) peer=singleuser,
      ptrace peer=singleuser,

      deny /proc/mem rwklx,
      deny /proc/kmem rwklx,
      deny /proc/kcore rwklx,
      deny /proc/sysrq-trigger rwklx,
      deny /proc/{*,**^[0-9*],sys/kernel/shm*} wkx,
      deny /sys/kernel/security/** rwklx,
      deny /sys/firmware/** rwklx,
      deny /sys/** wklx,
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: apparmor-loader
  # Namespace must match that of the ConfigMap.
  namespace: apparmor
  labels:
    daemon: apparmor-loader
spec:
  selector:
    matchLabels:
      daemon: apparmor-loader
  template:
    metadata:
      name: apparmor-loader
      labels:
        daemon: apparmor-loader
    spec:
      containers:
      - name: apparmor-loader
        image: google/apparmor-loader:latest
        args:
          # Tell the loader to pull the /profiles directory every 30 seconds.
          - -poll
          - 30s
          - /profiles
        securityContext:
          # The loader requires root permissions to actually load the profiles.
          privileged: true
        volumeMounts:
        - name: sys
          mountPath: /sys
          readOnly: true
        - name: profiles
          mountPath: /profiles
          readOnly: true
      volumes:
      # The /sys directory must be mounted to interact with the AppArmor module.
      - name: sys
        hostPath:
          path: /sys
      # Map in the profile data.
      - name: profiles
        configMap:
          name: apparmor-profiles

apply this:

kubectl apply -f AppArmor.yml

add container.apparmor.security.beta.kubernetes.io/notebook to the config.yaml of jupyterhub, e.g.::

  profileList:
    - display_name: "Default Environment"
      description: "Standard environment with up to 16 CPUs and up to 8 GB RAM."
      kubespawner_override:
        http_timeout: 120
        extra_container_config:
          securityContext:
            privileged: false
  extraAnnotations:
    container.apparmor.security.beta.kubernetes.io/notebook: localhost/singleuser