diff --git a/api/lmes/v1alpha1/lmevaljob_types.go b/api/lmes/v1alpha1/lmevaljob_types.go index 8ee76807..b00cd52e 100644 --- a/api/lmes/v1alpha1/lmevaljob_types.go +++ b/api/lmes/v1alpha1/lmevaljob_types.go @@ -300,8 +300,17 @@ type LMEvalJobSpec struct { // Outputs specifies storage for evaluation results // +optional Outputs *Outputs `json:"outputs,omitempty"` - // Offline specifies settings for running LMEvalJobs in a offline mode + // Offline specifies settings for running LMEvalJobs in an offline mode + // +optional Offline *OfflineSpec `json:"offline,omitempty"` + // AllowOnly specifies whether the LMEvalJob can directly download remote code, datasets and metrics. Default is false. + // +optional + // +kubebuilder:default:=false + AllowOnline *bool `json:"allowOnline,omitempty"` + // AllowCodeExecution specifies whether the LMEvalJob can execute remote code. Default is false. + // +optional + // +kubebuilder:default:=false + AllowCodeExecution *bool `json:"allowCodeExecution,omitempty"` } // IsOffline returns whether this LMEvalJob is configured to run offline diff --git a/api/lmes/v1alpha1/zz_generated.deepcopy.go b/api/lmes/v1alpha1/zz_generated.deepcopy.go index 994ed95e..ea3c9334 100644 --- a/api/lmes/v1alpha1/zz_generated.deepcopy.go +++ b/api/lmes/v1alpha1/zz_generated.deepcopy.go @@ -197,6 +197,16 @@ func (in *LMEvalJobSpec) DeepCopyInto(out *LMEvalJobSpec) { *out = new(OfflineSpec) **out = **in } + if in.AllowOnline != nil { + in, out := &in.AllowOnline, &out.AllowOnline + *out = new(bool) + **out = **in + } + if in.AllowCodeExecution != nil { + in, out := &in.AllowCodeExecution, &out.AllowCodeExecution + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LMEvalJobSpec. diff --git a/config/crd/bases/trustyai.opendatahub.io_lmevaljobs.yaml b/config/crd/bases/trustyai.opendatahub.io_lmevaljobs.yaml index 60d37804..1a48f951 100644 
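Review bot: The doc comment on `AllowOnline` calls the field `AllowOnly`, and because the CRD description is generated from it, the typo is also published in `trustyai.opendatahub.io_lmevaljobs.yaml`. It should read `// AllowOnline specifies whether the LMEvalJob can directly download remote code, datasets and metrics. Default is false.`. Both new fields are ordinary spec fields, so anyone allowed to create an LMEvalJob can switch on network access and remote code execution for the pod. If that is meant to be an administrator decision, the comments should say so or the controller should gate the fields on an operator-level setting; nothing of that kind is visible in this diff. The comments should also state how `AllowOnline` interacts with `Offline`, since both can be set on the same job.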
--- a/config/crd/bases/trustyai.opendatahub.io_lmevaljobs.yaml +++ b/config/crd/bases/trustyai.opendatahub.io_lmevaljobs.yaml @@ -43,6 +43,16 @@ spec: spec: description: LMEvalJobSpec defines the desired state of LMEvalJob properties: + allowCodeExecution: + default: false + description: AllowCodeExecution specifies whether the LMEvalJob can + execute remote code. Default is false. + type: boolean + allowOnline: + default: false + description: AllowOnly specifies whether the LMEvalJob can directly + download remote code, datasets and metrics. Default is false. + type: boolean batchSize: description: |- Batch size for the evaluation. This is used by the models that run and are loaded @@ -91,7 +101,7 @@ spec: type: integer offline: description: Offline specifies settings for running LMEvalJobs in - a offline mode + an offline mode properties: storage: description: OfflineStorageSpec defines the storage configuration diff --git a/controllers/lmes/lmevaljob_controller.go b/controllers/lmes/lmevaljob_controller.go index a189e2de..2d6f213e 100644 --- a/controllers/lmes/lmevaljob_controller.go +++ b/controllers/lmes/lmevaljob_controller.go @@ -647,9 +647,23 @@ func CreatePod(svcOpts *serviceOptions, job *lmesv1alpha1.LMEvalJob, log logr.Lo volumes = append(volumes, outputPVC) } - // If the job is supposed to run offline, set the appropriate HuggingFace offline flags - if job.Spec.IsOffline() { + // Disable remote code execution by default + if job.Spec.AllowCodeExecution == nil || *job.Spec.AllowCodeExecution == false { + remoteCodeEnvVars := []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + } + envVars = append(envVars, remoteCodeEnvVars...) + } + // Enforce offline mode by default + if job.Spec.AllowOnline == nil || *job.Spec.AllowOnline == false { offlineHuggingFaceEnvVars := []corev1.EnvVar{ { Name: "HF_DATASETS_OFFLINE", 
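Review bot: The remote-code guard added to CreatePod consists only of the environment variables `TRUST_REMOTE_CODE=0` and `HF_DATASETS_TRUST_REMOTE_CODE=0`, so it holds only if every loader in the image honours them and nothing else re-enables the behaviour. The diff does not show whether `generateArgs` or `job.Spec.ModelArgs` can still pass a `trust_remote_code` setting to the evaluation command. It also does not show whether a user-supplied env entry with the same name could end up after these defaults in the final list. Both paths should be checked, and rejected or overridden, whenever `AllowCodeExecution` is nil or false. On style, `*job.Spec.AllowCodeExecution == false` is more idiomatic as `!*job.Spec.AllowCodeExecution`, as is the `AllowOnline` condition below it, and a nil-safe accessor next to `IsOffline()` would keep the default in one place. CreatePod begins and ends outside this hunk.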
@@ -659,8 +673,19 @@ func CreatePod(svcOpts *serviceOptions, job *lmesv1alpha1.LMEvalJob, log logr.Lo Name: "HF_HUB_OFFLINE", Value: "1", }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, } envVars = append(envVars, offlineHuggingFaceEnvVars...) + } + + if job.Spec.IsOffline() { // If the job is offline, a storage must be set. PVC is the only supported storage backend at the moment. offlinePVCMount := corev1.VolumeMount{ diff --git a/controllers/lmes/lmevaljob_controller_test.go b/controllers/lmes/lmevaljob_controller_test.go index 9a4faf58..2519e135 100644 --- a/controllers/lmes/lmevaljob_controller_test.go +++ b/controllers/lmes/lmevaljob_controller_test.go @@ -116,6 +116,32 @@ func Test_SimplePod(t *testing.T) { MountPath: "/opt/app-root/src/bin", }, }, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, }, }, SecurityContext: defaultPodSecurityContext, @@ -282,6 +308,7 @@ func Test_WithCustomPod(t *testing.T) { RunAsUser: &runAsUser, RunAsGroup: &runAsGroup, }, + VolumeMounts: []corev1.VolumeMount{ { Name: "shared", @@ -297,6 +324,32 @@ func Test_WithCustomPod(t *testing.T) { corev1.ResourceCPU: resource.MustParse("1"), }, }, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, }, { Name: "sidecar1", 
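Review bot: Now that the offline flags no longer depend on `job.Spec.IsOffline()`, a job that leaves `allowOnline` at its default gets all four offline variables even when `spec.offline` is nil. In that case no offline PVC is mounted, so the evaluation presumably fails only at runtime when it first needs a model or dataset. Consider surfacing that combination up front, through validation or a status condition, so the secure default fails with a clear message. The opposite combination (`allowOnline: true` together with `spec.offline`) still mounts the PVC but drops the offline flags. A comment above the `if job.Spec.IsOffline() {` line such as `// Offline storage is mounted whenever spec.offline is set, independently of allowOnline` would make that intent explicit. CreatePod continues outside the hunk.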
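Review bot: The six-entry expected `Env` list is pasted into Test_SimplePod here and again in the hunks for Test_WithCustomPod, Test_EnvSecretsPod, Test_FileSecretsPod, Test_ManagedPVC, Test_ExistingPVC, Test_PVCPreference and Test_OfflineModeWithOutput. Any later change to the default flags therefore has to be repeated in every one of them. A small test helper returning the default slice (for example `defaultEnvVars()`), used as `Env: defaultEnvVars()` or appended to the secret-derived entries in Test_EnvSecretsPod, would keep the expectation in one place. It would also make the tests that deliberately deviate from the secure default stand out.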
@@ -462,6 +515,30 @@ func Test_EnvSecretsPod(t *testing.T) { }, }, }, + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, }, Command: generateCmd(svcOpts, job), Args: generateArgs(svcOpts, job, log), @@ -591,6 +668,32 @@ func Test_FileSecretsPod(t *testing.T) { Command: generateCmd(svcOpts, job), Args: generateArgs(svcOpts, job, log), SecurityContext: defaultSecurityContext, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, VolumeMounts: []corev1.VolumeMount{ { Name: "shared", @@ -1018,6 +1121,33 @@ func Test_ManagedPVC(t *testing.T) { Command: generateCmd(svcOpts, job), Args: generateArgs(svcOpts, job, log), SecurityContext: defaultSecurityContext, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, + VolumeMounts: []corev1.VolumeMount{ { Name: "shared", 
@@ -1134,6 +1264,32 @@ func Test_ExistingPVC(t *testing.T) { Command: generateCmd(svcOpts, job), Args: generateArgs(svcOpts, job, log), SecurityContext: defaultSecurityContext, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, VolumeMounts: []corev1.VolumeMount{ { Name: "shared", @@ -1268,6 +1424,32 @@ func Test_PVCPreference(t *testing.T) { }, }, }, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, VolumeMounts: []corev1.VolumeMount{ { Name: "shared", @@ -1434,6 +1616,14 @@ func Test_OfflineMode(t *testing.T) { }, }, Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, { Name: "HF_DATASETS_OFFLINE", Value: "1", @@ -1442,6 +1632,14 @@ func Test_OfflineMode(t *testing.T) { Name: "HF_HUB_OFFLINE", Value: "1", }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, }, VolumeMounts: []corev1.VolumeMount{ { 
@@ -1485,8 +1683,8 @@ func Test_OfflineMode(t *testing.T) { assert.Equal(t, expect, newPod) } -// Test_OfflineModeWithOutput tests that if the offline mode is set the configuration is correct, even when custom output is set -func Test_OfflineModeWithOutput(t *testing.T) { +// Test_OnlineMode tests that if the online mode is set the configuration is correct +func Test_OnlineMode(t *testing.T) { log := log.FromContext(context.Background()) svcOpts := &serviceOptions{ PodImage: "podimage:latest", @@ -1494,9 +1692,9 @@ func Test_OfflineModeWithOutput(t *testing.T) { ImagePullPolicy: corev1.PullAlways, } + allowOnline := true jobName := "test" - offlinePvcName := "offline-pvc" - outputPvcName := "output-pvc" + pvcName := "my-pvc" var job = &lmesv1alpha1.LMEvalJob{ ObjectMeta: metav1.ObjectMeta{ Name: jobName, @@ -1517,12 +1715,10 @@ func Test_OfflineModeWithOutput(t *testing.T) { }, Offline: &lmesv1alpha1.OfflineSpec{ StorageSpec: lmesv1alpha1.OfflineStorageSpec{ - PersistentVolumeClaimName: offlinePvcName, + PersistentVolumeClaimName: pvcName, }, }, - Outputs: &lmesv1alpha1.Outputs{ - PersistentVolumeClaimName: &outputPvcName, - }, + AllowOnline: &allowOnline, }, } 
@@ -1587,11 +1783,479 @@ func Test_OfflineModeWithOutput(t *testing.T) { }, Env: []corev1.EnvVar{ { - Name: "HF_DATASETS_OFFLINE", - Value: "1", + Name: "TRUST_REMOTE_CODE", + Value: "0", }, { - Name: "HF_HUB_OFFLINE", + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "shared", + MountPath: "/opt/app-root/src/bin", + }, + { + Name: "offline", + MountPath: "/opt/app-root/src/hf_home", + }, + }, + }, + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsNonRoot: &runAsNonRootUser, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "shared", VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, + { + Name: "offline", VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: pvcName, + ReadOnly: false, + }, + }, + }, + }, + RestartPolicy: corev1.RestartPolicyNever, + }, + } + + newPod := CreatePod(svcOpts, job, log) + + assert.Equal(t, expect, newPod) +} + +// Test_AllowCodeOnlineMode tests that if the online mode and allow code is set the configuration is correct +func Test_AllowCodeOnlineMode(t *testing.T) { + log := log.FromContext(context.Background()) + svcOpts := &serviceOptions{ + PodImage: "podimage:latest", + DriverImage: "driver:latest", + ImagePullPolicy: corev1.PullAlways, + } + + jobName := "test" + pvcName := "my-pvc" + allowOnline := true + allowCode := true + var job = &lmesv1alpha1.LMEvalJob{ + ObjectMeta: metav1.ObjectMeta{ + Name: jobName, + Namespace: "default", + UID: "for-testing", + }, + TypeMeta: metav1.TypeMeta{ + Kind: lmesv1alpha1.KindName, + APIVersion: lmesv1alpha1.Version, + }, + Spec: lmesv1alpha1.LMEvalJobSpec{ + Model: "test", + ModelArgs: []lmesv1alpha1.Arg{ + {Name: "arg1", Value: "value1"}, + }, + TaskList: lmesv1alpha1.TaskList{ + TaskNames: []string{"task1", "task2"}, + }, + Offline: 
&lmesv1alpha1.OfflineSpec{ + StorageSpec: lmesv1alpha1.OfflineStorageSpec{ + PersistentVolumeClaimName: pvcName, + }, + }, + AllowOnline: &allowOnline, + AllowCodeExecution: &allowCode, + }, + } + + expect := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: "default", + Labels: map[string]string{ + "app.kubernetes.io/name": "ta-lmes", + }, + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: lmesv1alpha1.Version, + Kind: lmesv1alpha1.KindName, + Name: "test", + Controller: &isController, + UID: "for-testing", + }, + }, + }, + TypeMeta: metav1.TypeMeta{ + Kind: "Pod", + APIVersion: "v1", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "driver", + Image: svcOpts.DriverImage, + ImagePullPolicy: svcOpts.ImagePullPolicy, + Command: []string{DriverPath, "--copy", DestDriverPath}, + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: &allowPrivilegeEscalation, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "shared", + MountPath: "/opt/app-root/src/bin", + }, + }, + }, + }, + Containers: []corev1.Container{ + { + Name: "main", + Image: svcOpts.PodImage, + ImagePullPolicy: svcOpts.ImagePullPolicy, + Command: generateCmd(svcOpts, job), + Args: generateArgs(svcOpts, job, log), + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: &allowPrivilegeEscalation, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "shared", + MountPath: "/opt/app-root/src/bin", + }, + { + Name: "offline", + MountPath: "/opt/app-root/src/hf_home", + }, + }, + }, + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsNonRoot: &runAsNonRootUser, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "shared", VolumeSource: 
corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, + { + Name: "offline", VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: pvcName, + ReadOnly: false, + }, + }, + }, + }, + RestartPolicy: corev1.RestartPolicyNever, + }, + } + + newPod := CreatePod(svcOpts, job, log) + + assert.Equal(t, expect, newPod) +} + +// Test_AllowCodeOfflineMode tests that if the online mode is set the configuration is correct +func Test_AllowCodeOfflineMode(t *testing.T) { + log := log.FromContext(context.Background()) + svcOpts := &serviceOptions{ + PodImage: "podimage:latest", + DriverImage: "driver:latest", + ImagePullPolicy: corev1.PullAlways, + } + + jobName := "test" + pvcName := "my-pvc" + allowCode := true + var job = &lmesv1alpha1.LMEvalJob{ + ObjectMeta: metav1.ObjectMeta{ + Name: jobName, + Namespace: "default", + UID: "for-testing", + }, + TypeMeta: metav1.TypeMeta{ + Kind: lmesv1alpha1.KindName, + APIVersion: lmesv1alpha1.Version, + }, + Spec: lmesv1alpha1.LMEvalJobSpec{ + Model: "test", + ModelArgs: []lmesv1alpha1.Arg{ + {Name: "arg1", Value: "value1"}, + }, + TaskList: lmesv1alpha1.TaskList{ + TaskNames: []string{"task1", "task2"}, + }, + Offline: &lmesv1alpha1.OfflineSpec{ + StorageSpec: lmesv1alpha1.OfflineStorageSpec{ + PersistentVolumeClaimName: pvcName, + }, + }, + AllowCodeExecution: &allowCode, + }, + } + + expect := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: "default", + Labels: map[string]string{ + "app.kubernetes.io/name": "ta-lmes", + }, + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: lmesv1alpha1.Version, + Kind: lmesv1alpha1.KindName, + Name: "test", + Controller: &isController, + UID: "for-testing", + }, + }, + }, + TypeMeta: metav1.TypeMeta{ + Kind: "Pod", + APIVersion: "v1", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "driver", + Image: svcOpts.DriverImage, + ImagePullPolicy: 
svcOpts.ImagePullPolicy, + Command: []string{DriverPath, "--copy", DestDriverPath}, + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: &allowPrivilegeEscalation, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "shared", + MountPath: "/opt/app-root/src/bin", + }, + }, + }, + }, + Containers: []corev1.Container{ + { + Name: "main", + Image: svcOpts.PodImage, + ImagePullPolicy: svcOpts.ImagePullPolicy, + Command: generateCmd(svcOpts, job), + Args: generateArgs(svcOpts, job, log), + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: &allowPrivilegeEscalation, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + }, + Env: []corev1.EnvVar{ + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", + Value: "1", + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "shared", + MountPath: "/opt/app-root/src/bin", + }, + { + Name: "offline", + MountPath: "/opt/app-root/src/hf_home", + }, + }, + }, + }, + SecurityContext: &corev1.PodSecurityContext{ + RunAsNonRoot: &runAsNonRootUser, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, + Volumes: []corev1.Volume{ + { + Name: "shared", VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, + { + Name: "offline", VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: pvcName, + ReadOnly: false, + }, + }, + }, + }, + RestartPolicy: corev1.RestartPolicyNever, + }, + } + + newPod := CreatePod(svcOpts, job, log) + + assert.Equal(t, expect, newPod) +} + +// Test_OfflineModeWithOutput tests that if the offline mode is set the configuration is correct, even when custom output is set +func 
Test_OfflineModeWithOutput(t *testing.T) { + log := log.FromContext(context.Background()) + svcOpts := &serviceOptions{ + PodImage: "podimage:latest", + DriverImage: "driver:latest", + ImagePullPolicy: corev1.PullAlways, + } + + jobName := "test" + offlinePvcName := "offline-pvc" + outputPvcName := "output-pvc" + var job = &lmesv1alpha1.LMEvalJob{ + ObjectMeta: metav1.ObjectMeta{ + Name: jobName, + Namespace: "default", + UID: "for-testing", + }, + TypeMeta: metav1.TypeMeta{ + Kind: lmesv1alpha1.KindName, + APIVersion: lmesv1alpha1.Version, + }, + Spec: lmesv1alpha1.LMEvalJobSpec{ + Model: "test", + ModelArgs: []lmesv1alpha1.Arg{ + {Name: "arg1", Value: "value1"}, + }, + TaskList: lmesv1alpha1.TaskList{ + TaskNames: []string{"task1", "task2"}, + }, + Offline: &lmesv1alpha1.OfflineSpec{ + StorageSpec: lmesv1alpha1.OfflineStorageSpec{ + PersistentVolumeClaimName: offlinePvcName, + }, + }, + Outputs: &lmesv1alpha1.Outputs{ + PersistentVolumeClaimName: &outputPvcName, + }, + }, + } + + expect := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + Namespace: "default", + Labels: map[string]string{ + "app.kubernetes.io/name": "ta-lmes", + }, + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: lmesv1alpha1.Version, + Kind: lmesv1alpha1.KindName, + Name: "test", + Controller: &isController, + UID: "for-testing", + }, + }, + }, + TypeMeta: metav1.TypeMeta{ + Kind: "Pod", + APIVersion: "v1", + }, + Spec: corev1.PodSpec{ + InitContainers: []corev1.Container{ + { + Name: "driver", + Image: svcOpts.DriverImage, + ImagePullPolicy: svcOpts.ImagePullPolicy, + Command: []string{DriverPath, "--copy", DestDriverPath}, + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: &allowPrivilegeEscalation, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "shared", + MountPath: "/opt/app-root/src/bin", + }, + }, + }, + }, + Containers: []corev1.Container{ + { + 
Name: "main", + Image: svcOpts.PodImage, + ImagePullPolicy: svcOpts.ImagePullPolicy, + Command: generateCmd(svcOpts, job), + Args: generateArgs(svcOpts, job, log), + SecurityContext: &corev1.SecurityContext{ + AllowPrivilegeEscalation: &allowPrivilegeEscalation, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + }, + Env: []corev1.EnvVar{ + { + Name: "TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_TRUST_REMOTE_CODE", + Value: "0", + }, + { + Name: "HF_DATASETS_OFFLINE", + Value: "1", + }, + { + Name: "HF_HUB_OFFLINE", + Value: "1", + }, + { + Name: "TRANSFORMERS_OFFLINE", + Value: "1", + }, + { + Name: "HF_EVALUATE_OFFLINE", Value: "1", }, },
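Review bot: The comment on Test_AllowCodeOfflineMode says it covers the online mode, but the job sets only `AllowCodeExecution` and the expected pod carries the four offline flags. It should read `// Test_AllowCodeOfflineMode tests that remote code execution can be allowed while offline mode stays enforced`. None of the new tests passes a non-nil pointer to `false` for `AllowOnline` or `AllowCodeExecution`, so the `*... == false` half of both conditions in CreatePod is untested. That is presumably the value the controller sees once the CRD default `false` is applied. A case with `allowOnline := false` and `allowCode := false` that expects the same six variables as the nil case would cover it. Test_OnlineMode, Test_AllowCodeOnlineMode and Test_AllowCodeOfflineMode differ only in these two fields and the expected `Env`, so a table-driven test would remove most of the added lines.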