Commit f5336492 authored by Craig Squire

Updates from MR feedback

parent 22699706
......@@ -589,15 +589,6 @@ func (c *KubernetesConfig) GetPodSecurityContext() *api.PodSecurityContext {
func (c *KubernetesConfig) GetBuildContainerSecurityContext() *api.SecurityContext {
securityContext := c.BuildContainerSecurityContext
if securityContext.Privileged == nil &&
securityContext.RunAsGroup == nil &&
securityContext.RunAsNonRoot == nil &&
securityContext.RunAsUser == nil &&
securityContext.ReadOnlyRootFilesystem == nil &&
securityContext.AllowPrivilegeEscalation == nil {
return nil
}
return &api.SecurityContext{
Capabilities: c.getBuildContainerCapabilities(),
Privileged: c.getPrivilegedEffective(securityContext.Privileged),
......@@ -612,15 +603,6 @@ func (c *KubernetesConfig) GetBuildContainerSecurityContext() *api.SecurityConte
func (c *KubernetesConfig) GetServiceContainerSecurityContext() *api.SecurityContext {
securityContext := c.ServiceContainerSecurityContext
if securityContext.Privileged == nil &&
securityContext.RunAsGroup == nil &&
securityContext.RunAsNonRoot == nil &&
securityContext.RunAsUser == nil &&
securityContext.ReadOnlyRootFilesystem == nil &&
securityContext.AllowPrivilegeEscalation == nil {
return nil
}
return &api.SecurityContext{
Capabilities: c.getServiceContainerCapabilities(),
Privileged: c.getPrivilegedEffective(securityContext.Privileged),
......@@ -635,15 +617,6 @@ func (c *KubernetesConfig) GetServiceContainerSecurityContext() *api.SecurityCon
func (c *KubernetesConfig) GetHelperContainerSecurityContext() *api.SecurityContext {
securityContext := c.HelperContainerSecurityContext
if securityContext.Privileged == nil &&
securityContext.RunAsGroup == nil &&
securityContext.RunAsNonRoot == nil &&
securityContext.RunAsUser == nil &&
securityContext.ReadOnlyRootFilesystem == nil &&
securityContext.AllowPrivilegeEscalation == nil {
return nil
}
return &api.SecurityContext{
Capabilities: c.getHelperContainerCapabilities(),
Privileged: c.getPrivilegedEffective(securityContext.Privileged),
......
......@@ -121,6 +121,16 @@ type serviceCreateResponse struct {
err error
}
type containerOpts struct {
name string
image string
imageDefinition common.Image
requests api.ResourceList
limits api.ResourceList
securityContext *api.SecurityContext
command []string
}
func (s *executor) setupResources() error {
var err error
......@@ -449,44 +459,44 @@ func (s *executor) cleanupResources() {
}
}
func (s *executor) buildContainer(name, image string, imageDefinition common.Image, requests, limits api.ResourceList, securityContext *api.SecurityContext, containerCommand ...string) api.Container {
containerPorts := make([]api.ContainerPort, len(imageDefinition.Ports))
proxyPorts := make([]proxy.Port, len(imageDefinition.Ports))
func (s *executor) buildContainer(opts containerOpts) api.Container {
containerPorts := make([]api.ContainerPort, len(opts.imageDefinition.Ports))
proxyPorts := make([]proxy.Port, len(opts.imageDefinition.Ports))
for i, port := range imageDefinition.Ports {
for i, port := range opts.imageDefinition.Ports {
proxyPorts[i] = proxy.Port{Name: port.Name, Number: port.Number, Protocol: port.Protocol}
containerPorts[i] = api.ContainerPort{ContainerPort: int32(port.Number)}
}
if len(proxyPorts) > 0 {
serviceName := imageDefinition.Alias
serviceName := opts.imageDefinition.Alias
if serviceName == "" {
serviceName = name
if name != buildContainerName {
serviceName = fmt.Sprintf("proxy-%s", name)
serviceName = opts.name
if opts.name != buildContainerName {
serviceName = fmt.Sprintf("proxy-%s", opts.name)
}
}
s.ProxyPool[serviceName] = s.newProxy(serviceName, proxyPorts)
}
command, args := s.getCommandAndArgs(imageDefinition, containerCommand...)
command, args := s.getCommandAndArgs(opts.imageDefinition, opts.command...)
return api.Container{
Name: name,
Image: image,
Name: opts.name,
Image: opts.image,
ImagePullPolicy: api.PullPolicy(s.pullPolicy),
Command: command,
Args: args,
Env: buildVariables(s.Build.GetAllVariables().PublicOrInternal()),
Resources: api.ResourceRequirements{
Limits: limits,
Requests: requests,
Limits: opts.limits,
Requests: opts.requests,
},
Ports: containerPorts,
VolumeMounts: s.getVolumeMounts(),
SecurityContext: securityContext,
SecurityContext: opts.securityContext,
Stdin: true,
}
}
......@@ -815,19 +825,17 @@ func (s *executor) setupBuildPod() error {
services := make([]api.Container, len(s.options.Services))
for i, service := range s.options.Services {
resolvedImage := s.Build.GetAllVariables().ExpandValue(service.Name)
services[i] = s.buildContainer(fmt.Sprintf("svc-%d", i), resolvedImage, service, s.serviceRequests, s.serviceLimits, s.Config.Kubernetes.GetServiceContainerSecurityContext())
serviceContainerOpts := containerOpts{
name: fmt.Sprintf("svc-%d", i),
image: s.Build.GetAllVariables().ExpandValue(service.Name),
imageDefinition: service,
requests: s.serviceRequests,
limits: s.serviceLimits,
securityContext: s.Config.Kubernetes.GetServiceContainerSecurityContext(),
}
services[i] = s.buildContainer(serviceContainerOpts)
}
buildImage := s.Build.GetAllVariables().ExpandValue(s.options.Image.Name)
buildContainerSecurityContext := s.Config.Kubernetes.GetBuildContainerSecurityContext()
helperContainerSecurityContext := s.Config.Kubernetes.GetHelperContainerSecurityContext()
containers := append([]api.Container{
s.buildContainer(buildContainerName, buildImage, s.options.Image, s.buildRequests, s.buildLimits, buildContainerSecurityContext, s.BuildShell.DockerCommand...),
s.buildContainer(helperContainerName, s.getHelperImage(), common.Image{}, s.helperRequests, s.helperLimits, helperContainerSecurityContext, s.BuildShell.DockerCommand...),
}, services...)
// We set a default label to the pod. This label will be used later
// by the services, to link each service to the pod
labels := map[string]string{"pod": s.projectUniqueName()}
......@@ -854,7 +862,7 @@ func (s *executor) setupBuildPod() error {
return err
}
podConfig := s.preparePodConfig(labels, annotations, containers, imagePullSecrets, hostAlias)
podConfig := s.preparePodConfig(labels, annotations, services, imagePullSecrets, hostAlias)
s.Debugln("Creating build pod")
pod, err := s.kubeClient.CoreV1().Pods(s.configurationOverwrites.namespace).Create(&podConfig)
......@@ -871,7 +879,28 @@ func (s *executor) setupBuildPod() error {
return nil
}
func (s *executor) preparePodConfig(labels, annotations map[string]string, containers []api.Container, imagePullSecrets []api.LocalObjectReference, hostAlias *api.HostAlias) api.Pod {
func (s *executor) preparePodConfig(labels, annotations map[string]string, services []api.Container, imagePullSecrets []api.LocalObjectReference, hostAlias *api.HostAlias) api.Pod {
buildContainerOpts := containerOpts{
name: buildContainerName,
image: s.Build.GetAllVariables().ExpandValue(s.options.Image.Name),
imageDefinition: s.options.Image,
requests: s.buildRequests,
limits: s.buildLimits,
securityContext: s.Config.Kubernetes.GetBuildContainerSecurityContext(),
command: s.BuildShell.DockerCommand,
}
helperContainerOpts := containerOpts{
name: helperContainerName,
image: s.getHelperImage(),
imageDefinition: common.Image{},
requests: s.helperRequests,
limits: s.helperLimits,
securityContext: s.Config.Kubernetes.GetHelperContainerSecurityContext(),
command: s.BuildShell.DockerCommand,
}
pod := api.Pod{
ObjectMeta: metav1.ObjectMeta{
GenerateName: s.projectUniqueName(),
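Review bot: `preparePodConfig` now constructs the build and helper containers itself through the two `containerOpts` literals, and `buildContainer` writes to `s.ProxyPool` whenever the image definition exposes ports, so a function whose name suggests a pure spec builder now mutates executor state without saying so. A doc comment should make that visible, e.g. `// preparePodConfig assembles the build pod spec. It creates the build and helper` / `// containers (which may register proxies in s.ProxyPool) and appends the service` / `// containers already built by setupBuildPod.` The same `s.Build.GetAllVariables().ExpandValue(...)` expansion is now done here for the build image and in setupBuildPod for the service images; resolving images in one place would keep the two call sites consistent. preparePodConfig's body continues past the hunk.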
......@@ -880,12 +909,15 @@ func (s *executor) preparePodConfig(labels, annotations map[string]string, conta
Annotations: annotations,
},
Spec: api.PodSpec{
Volumes: s.getVolumes(),
ServiceAccountName: s.configurationOverwrites.serviceAccount,
RestartPolicy: api.RestartPolicyNever,
NodeSelector: s.Config.Kubernetes.NodeSelector,
Tolerations: s.Config.Kubernetes.GetNodeTolerations(),
Containers: containers,
Volumes: s.getVolumes(),
ServiceAccountName: s.configurationOverwrites.serviceAccount,
RestartPolicy: api.RestartPolicyNever,
NodeSelector: s.Config.Kubernetes.NodeSelector,
Tolerations: s.Config.Kubernetes.GetNodeTolerations(),
Containers: append([]api.Container{
s.buildContainer(buildContainerOpts),
s.buildContainer(helperContainerOpts),
}, services...),
TerminationGracePeriodSeconds: &s.Config.Kubernetes.TerminationGracePeriodSeconds,
ImagePullSecrets: imagePullSecrets,
SecurityContext: s.Config.Kubernetes.GetPodSecurityContext(),
......
......@@ -2947,23 +2947,38 @@ func setBuildFeatureFlag(build *common.Build, flag string, value bool) {
})
}
func TestBuildContainerSecurityContextNil(t *testing.T) {
executor := executor{
AbstractExecutor: executors.AbstractExecutor{
Build: &common.Build{},
Config: common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
Kubernetes: &common.KubernetesConfig{},
},
func TestBuildContainerSecurityContext(t *testing.T) {
tests := map[string]struct {
getSecurityContext func() *api.SecurityContext
}{
"build security context": {
getSecurityContext: func() *api.SecurityContext {
runAsNonRoot := true
readOnlyRootFileSystem := true
privileged := false
allowPrivilageEscalation := false
var uid int64 = 1000
var gid int64 = 1000
return &api.SecurityContext{
RunAsNonRoot: &runAsNonRoot,
ReadOnlyRootFilesystem: &readOnlyRootFileSystem,
Privileged: &privileged,
AllowPrivilegeEscalation: &allowPrivilageEscalation,
RunAsUser: &uid,
RunAsGroup: &gid,
Capabilities: &api.Capabilities{
Drop: []api.Capability{"ALL"},
},
}
},
},
"no security context": {
getSecurityContext: func() *api.SecurityContext {
return nil
},
},
}
container := executor.buildContainer(buildContainerName, "", common.Image{}, api.ResourceList{}, api.ResourceList{}, nil)
assert.Nil(t, container.SecurityContext)
}
func TestBuildContainerSecurityContext(t *testing.T) {
executor := executor{
AbstractExecutor: executors.AbstractExecutor{
Build: &common.Build{},
......@@ -2975,25 +2990,20 @@ func TestBuildContainerSecurityContext(t *testing.T) {
},
}
runAsNonRoot := true
readOnlyRootFileSystem := true
privileged := false
allowPrivilageEscalation := false
var uid int64 = 1000
var gid int64 = 1000
sc := &api.SecurityContext{
RunAsNonRoot: &runAsNonRoot,
ReadOnlyRootFilesystem: &readOnlyRootFileSystem,
Privileged: &privileged,
AllowPrivilegeEscalation: &allowPrivilageEscalation,
RunAsUser: &uid,
RunAsGroup: &gid,
Capabilities: &api.Capabilities{
Drop: []api.Capability{"ALL"},
},
for tn, tt := range tests {
t.Run(tn, func(t *testing.T) {
opts := containerOpts{
name: buildContainerName,
image: "",
imageDefinition: common.Image{},
requests: api.ResourceList{},
limits: api.ResourceList{},
securityContext: tt.getSecurityContext(),
}
container := executor.buildContainer(opts)
assert.Equal(t, tt.getSecurityContext(), container.SecurityContext)
})
}
container := executor.buildContainer(buildContainerName, "", common.Image{}, api.ResourceList{}, api.ResourceList{}, sc)
assert.Equal(t, sc, container.SecurityContext)
}
type FakeReadCloser struct {
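Review bot: In the subtest body `tt.getSecurityContext()` is called twice, once for `opts.securityContext` and once inside the assertion, so the assertion compares two separately allocated `*api.SecurityContext` values and passes only because `assert.Equal` falls back to deep equality; it would not notice `buildContainer` handing back a copy instead of the configured pointer. Build the expected value once — `sc := tt.getSecurityContext()`, `securityContext: sc`, `assert.Equal(t, sc, container.SecurityContext)` — and consider a pointer-identity assertion for the non-nil case if the testify version in use offers one. In the `"build security context"` case of this file's first hunk the local is spelled `allowPrivilageEscalation`; `allowPrivilegeEscalation` would match the field it populates. The old `TestBuildContainerSecurityContextNil` appears to be folded into the `"no security context"` case, which keeps the nil path covered.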
......