Synchronize kubeflow model registry manifests v0.2.14

[tarilabs]

Pull Request Template for Kubeflow Manifests

✏️ Summary of Changes

1. make script BSD/MacOSX compatible (e1dcefe)
2. update the manifests

• include this request to make sure to update the readme
• include this request to add securityContext

📦 Dependencies

none related

🐛 Related Issues

none related

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[juliusvonkohout]

I am wondering a bit why you split the securitycontext here compared to your other deployments, but in general its good.

[pboyd]

Hi @juliusvonkohout, can these be combined? I don't think they can be (except for perhaps a YAML anchor), but I don't especially like the duplication between them, so if you have a way I'd love to use it.

I see that PodSecurityContext settings are inherited by containers, but it doesn't include allowPrivledgeEscalation or capabilities. As far as I can tell, the only way to set those is on each container (SecurityContext), and this pod has two containers.

I could have moved runAsUser and runAsGroup up to the pod level, but it was only needed on the MLMD container, since the model registry image already used a non-root user.

[juliusvonkohout]

/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[juliusvonkohout]

@tarilabs just check the comment and maybe follow up

/lgtm