add support for pod level securityContext #150

Merged
merged 4 commits into from
Sep 12, 2024
3 changes: 1 addition & 2 deletions examples/app/templates/deployment.yaml
Expand Up @@ -87,8 +87,7 @@ spec:
name: init-container
resources: {}
nodeSelector: {{- toYaml .Values.myapp.nodeSelector | nindent 8 }}
securityContext:
runAsNonRoot: true
securityContext: {{- toYaml .Values.myapp.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: 10
volumes:
- configMap:
4 changes: 4 additions & 0 deletions examples/app/values.yaml
Expand Up @@ -76,6 +76,10 @@ myapp:
nodeSelector:
region: east
type: user-node
podSecurityContext:
fsGroup: 20000
runAsNonRoot: true
runAsUser: 65532
proxySidecar:
args:
- --secure-listen-address=0.0.0.0:8443
4 changes: 2 additions & 2 deletions examples/operator/templates/deployment.yaml
Expand Up @@ -87,8 +87,8 @@ spec:
imagePullSecrets:
- name: {{ include "operator.fullname" . }}-secret-registry-credentials
nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
securityContext:
runAsNonRoot: true
securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
8 }}
serviceAccountName: {{ include "operator.fullname" . }}-controller-manager
terminationGracePeriodSeconds: 10
topologySpreadConstraints:
2 changes: 2 additions & 0 deletions examples/operator/values.yaml
Expand Up @@ -43,6 +43,8 @@ controllerManager:
nodeSelector:
region: east
type: user-node
podSecurityContext:
runAsNonRoot: true
replicas: 1
serviceAccount:
annotations:
17 changes: 17 additions & 0 deletions pkg/processor/pod/pod.go
Expand Up @@ -60,6 +60,23 @@ func ProcessSpec(objName string, appMeta helmify.AppMetadata, spec corev1.PodSpe
if err != nil {
return nil, nil, err
}
if spec.SecurityContext != nil {
securityContextMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&spec.SecurityContext)
if err != nil {
return nil, nil, err
}
if len(securityContextMap) > 0 {
err = unstructured.SetNestedField(specMap, fmt.Sprintf(`{{- toYaml .Values.%[1]s.podSecurityContext | nindent 8 }}`, objName), "securityContext")
if err != nil {
return nil, nil, err
}

err = unstructured.SetNestedField(values, securityContextMap, objName, "podSecurityContext")
if err != nil {
return nil, nil, fmt.Errorf("%w: unable to set deployment value field", err)
}
}
}

// process nodeSelector if presented:
if spec.NodeSelector != nil {
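Review bot: `ToUnstructured(&spec.SecurityContext)` passes a pointer to a pointer, since `spec.SecurityContext` is already `*corev1.PodSecurityContext` and the guard on the line above has just established that it is non-nil; the converter appears to dereference through the extra level (the new test exercises this path), but `securityContextMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(spec.SecurityContext)` says what is meant. The two SetNestedField calls also handle errors differently: the first returns `err` bare while the second wraps it as "unable to set deployment value field", even though ProcessSpec is not specific to Deployments and the target is named by `objName`. Wrapping both in the file's existing shape, e.g. `return nil, nil, fmt.Errorf("%w: unable to set %s podSecurityContext value", err, objName)`, keeps the messages consistent and accurate. ProcessSpec starts before this hunk and continues after it.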
67 changes: 67 additions & 0 deletions pkg/processor/pod/pod_test.go
Expand Up @@ -110,6 +110,33 @@ spec:
image: localhost:6001/my_project:latest
ports:
- containerPort: 80
`
strDeploymentWithPodSecurityContext = `
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: localhost:6001/my_project:latest
securityContext:
fsGroup: 20000
runAsGroup: 30000
runAsNonRoot: true
runAsUser: 65532

`
)

Expand Down Expand Up @@ -274,5 +301,45 @@ func Test_pod_Process(t *testing.T) {
},
}, tmpl)
})
t.Run("deployment with securityContext", func(t *testing.T) {
var deploy appsv1.Deployment
obj := internal.GenerateObj(strDeploymentWithPodSecurityContext)
err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, &deploy)
specMap, tmpl, err := ProcessSpec("nginx", &metadata.Service{}, deploy.Spec.Template.Spec)
assert.NoError(t, err)
assert.Equal(t, map[string]interface{}{
"containers": []interface{}{
map[string]interface{}{
"env": []interface{}{
map[string]interface{}{
"name": "KUBERNETES_CLUSTER_DOMAIN",
"value": "{{ quote .Values.kubernetesClusterDomain }}",
},
},
"image": "{{ .Values.nginx.nginx.image.repository }}:{{ .Values.nginx.nginx.image.tag | default .Chart.AppVersion }}",
"name": "nginx",
"resources": map[string]interface{}{},
},
},
"securityContext": "{{- toYaml .Values.nginx.podSecurityContext | nindent 8 }}",
}, specMap)

assert.Equal(t, helmify.Values{
"nginx": map[string]interface{}{
"podSecurityContext": map[string]interface{}{
"fsGroup": int64(20000),
"runAsGroup": int64(30000),
"runAsNonRoot": true,
"runAsUser": int64(65532),
},
"nginx": map[string]interface{}{
"image": map[string]interface{}{
"repository": "localhost:6001/my_project",
"tag": "latest",
},
},
},
}, tmpl)
})

}
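Review bot: The error returned by `runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, &deploy)` in the new "deployment with securityContext" subtest is never checked: `specMap, tmpl, err :=` on the following line assigns to the same `err`, so a failed conversion would only show up indirectly as a wrong ProcessSpec result. Add `assert.NoError(t, err)` directly after the FromUnstructured call, matching the check that already follows ProcessSpec. The enclosing Test_pod_Process begins before this hunk, and the earlier subtests are outside the view, so I can't tell whether they share the pattern.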