From 1bf66aae80dd3dfad30a16ff0fe2a9cb9e7a069f Mon Sep 17 00:00:00 2001 From: Serhii Koropets <33310880+koropets@users.noreply.github.com> Date: Thu, 28 Apr 2022 11:08:46 +0300 Subject: [PATCH] Enable read_only_root_filesystem through DEPLOY_JOB_RO_FS env var (#222) * SecurityContext.read_only_root_filesystem * Add delimiter to resource_names * DEPLOY_JOB_RO_FS --- src/deploy_job.rs | 26 ++++++++++++++++++++++---- src/lib.rs | 9 +++++++++ src/utils.rs | 5 +++-- 3 files changed, 34 insertions(+), 6 deletions(-) diff --git a/src/deploy_job.rs b/src/deploy_job.rs index b349215..bdaab74 100644 --- a/src/deploy_job.rs +++ b/src/deploy_job.rs @@ -6,7 +6,7 @@ use crate::{ use k8s_openapi::api::core::v1::{Container, EnvVar, PodSpec, PodTemplateSpec, ResourceRequirements}; use k8s_openapi::api::batch::v1::{Job, JobSpec}; -use k8s_openapi::api::core::v1::SecurityContext; +use k8s_openapi::api::core::v1::{SecurityContext, Volume, VolumeMount, EmptyDirVolumeSource}; use k8s_openapi::apimachinery::pkg::api::resource::Quantity; use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta as OpenApiObjectMeta; use kube::api::ObjectMeta; 
@@ -73,15 +73,33 @@ fn deploy_container(gordo: &Gordo, environment: Vec, config: &Config) -> }); let mut security_context = SecurityContext::default(); security_context.run_as_non_root = Some(true); - security_context.read_only_root_filesystem = Some(true); + if config.deploy_job_ro_fs { + security_context.read_only_root_filesystem = Some(true); + container.volume_mounts = Some(vec![ + VolumeMount { + name: "tmp".to_string(), + mount_path: "/tmp".to_string(), + ..VolumeMount::default() + } + ]); + } container.security_context = Some(security_context); container } -fn deploy_pod_spec(containers: Vec) -> PodSpec { +fn deploy_pod_spec(containers: Vec, config: &Config) -> PodSpec { let mut pod_spec = PodSpec::default(); pod_spec.containers = containers; pod_spec.restart_policy = Some("Never".to_string()); + if config.deploy_job_ro_fs { + pod_spec.volumes = Some(vec![ + Volume { + name: "tmp".to_string(), + empty_dir: Some(EmptyDirVolumeSource::default()), + ..Volume::default() + } + ]); + } pod_spec } @@ -183,7 +201,7 @@ pub fn create_deploy_job(gordo: &Gordo, config: &Config) -> Option { }); let container = deploy_container(&gordo, environment, config); - let pod_spec = deploy_pod_spec(vec![container]); + let pod_spec = deploy_pod_spec(vec![container], config); let spec_metadata = deploy_pod_spec_metadata(&job_name, resources_labels); let mut metadata = ObjectMeta::default(); diff --git a/src/lib.rs b/src/lib.rs index 739b055..13b77cd 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -42,6 +42,10 @@ fn default_server_host() -> String { String::from("0.0.0.0") } +fn default_deploy_ro_fs() -> bool { + false +} + #[derive(Deserialize, Debug, Clone)] pub struct GordoEnvironmentConfig { pub deploy_image: String, @@ -54,6 +58,8 @@ pub struct GordoEnvironmentConfig { pub docker_registry: String, pub default_deploy_environment: String, pub resources_labels: String, + #[serde(default="default_deploy_ro_fs")] + pub deploy_job_ro_fs: bool, } #[derive(Debug, Clone)] 
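Review bot: The `/tmp` emptyDir added in `deploy_pod_spec` carries no `size_limit`, so when `deploy_job_ro_fs` is on the one writable path left in the job is bounded only by the node's ephemeral storage; `Quantity` is already imported at the top of this file, so `empty_dir: Some(EmptyDirVolumeSource { size_limit: Some(Quantity("256Mi".to_string())), ..EmptyDirVolumeSource::default() })` would cap it (choose a value matching the deploy job's real scratch usage). The volume name `"tmp"` is now spelled out independently in `deploy_container` and `deploy_pod_spec`, and a mismatch between the mount and the volume only surfaces at admission time; a file-level `const TMP_VOLUME_NAME: &str = "tmp";` used by both keeps them tied together. With the flag off nothing assigns `read_only_root_filesystem`, so it falls back to the Kubernetes default of a writable root, which differs from the previous unconditional `Some(true)`; a short comment on the `if config.deploy_job_ro_fs` branch saying the opt-in is deliberate and why would help the next reader. `deploy_container` begins outside the hunk.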
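Review bot: `default_deploy_ro_fs` returns `false`, which makes a writable root filesystem the out-of-the-box behaviour of the deploy job unless an operator explicitly sets the `deploy_job_ro_fs` field (the `DEPLOY_JOB_RO_FS` variable, going by the subject line); before this patch the container was always read-only. If the variable exists so a broken environment can opt out, returning `true` here (and in `Default for GordoEnvironmentConfig`) preserves the prior hardening while keeping the escape hatch. If opt-in really is the intent, a doc comment on the function such as `/// Serde default for deploy_job_ro_fs: the deploy job's root filesystem stays writable unless explicitly enabled.` makes that trade-off visible to whoever reads the config struct.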
@@ -65,6 +71,7 @@ pub struct Config { pub docker_registry: String, pub default_deploy_environment: Option>, pub resources_labels: Option>, + pub deploy_job_ro_fs: bool, } impl Config { @@ -78,6 +85,7 @@ impl Config { server_port: env_config.server_port, server_host: env_config.server_host.clone(), docker_registry: env_config.docker_registry.clone(), + deploy_job_ro_fs: env_config.deploy_job_ro_fs, default_deploy_environment, resources_labels, }) @@ -115,6 +123,7 @@ impl Default for GordoEnvironmentConfig { docker_registry: "docker.io".to_owned(), default_deploy_environment: "".to_owned(), resources_labels: "".to_owned(), + deploy_job_ro_fs: false, } } } diff --git a/src/utils.rs b/src/utils.rs index f7dedc5..2d5e42f 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -20,12 +20,13 @@ pub fn object_to_owner_reference>( } pub fn resource_names>(resource: &Vec) -> String { - resource.iter() + let vec: Vec<_> = resource.iter() .map(|resource| { let name = resource.meta().name.as_ref(); format!("\"{}\"", name.unwrap_or(&"".to_string())) }) - .collect() + .collect(); + vec.join(", ") } pub fn plural_str(length: usize, word: &str) -> &str {
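Review bot: `impl Default for GordoEnvironmentConfig` hard-codes `deploy_job_ro_fs: false` while the serde path goes through `default_deploy_ro_fs()`, so the two fallbacks can silently drift apart if one is changed later. Using `deploy_job_ro_fs: default_deploy_ro_fs(),` in the `Default` impl keeps a single source of truth for the value. The impl's header and the remaining fields are outside the hunk.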
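Review bot: In `resource_names` the closure's `unwrap_or(&"".to_string())` allocates a fresh `String` for every resource even when `name` is `Some`, and that temporary is what forces the `.as_ref()` borrow; `r.meta().name.as_deref().unwrap_or("")` borrows a `&str` instead (assuming `name` is an `Option<String>`, as the `.as_ref()` call suggests). The new `vec` binding can fold back into the chain as `.collect::<Vec<_>>().join(", ")`, and the `&Vec<_>` parameter would be more general as a slice `&[T]`, which existing `&Vec` callers still coerce to, though the generic bound is not visible in this chunk. The rendered output for an unnamed resource stays `""` in all of these forms.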