Skip to content

Commit

Permalink
Support PodSecurityContext (#1463)
Browse files Browse the repository at this point in the history
  • Loading branch information
dtaniwaki authored and jessesuen committed Jul 10, 2019
1 parent e392d85 commit 6a59030
Show file tree
Hide file tree
Showing 6 changed files with 80 additions and 3 deletions.
8 changes: 8 additions & 0 deletions api/openapi-spec/swagger.json
Original file line number Diff line number Diff line change
Expand Up @@ -896,6 +896,10 @@
"description": "Script runs a portion of code against an interpreter",
"$ref": "#/definitions/io.argoproj.workflow.v1alpha1.ScriptTemplate"
},
"securityContext": {
"description": "SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.",
"$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext"
},
"serviceAccountName": {
"description": "ServiceAccountName to apply to workflow pods",
"type": "string"
Expand Down Expand Up @@ -1220,6 +1224,10 @@
"description": "Set scheduler name for all pods. Will be overridden if container/script template's scheduler name is set. Default scheduler will be used if neither specified.",
"type": "string"
},
"securityContext": {
"description": "SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.",
"$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext"
},
"serviceAccountName": {
"description": "ServiceAccountName is the name of the ServiceAccount to run all pods of the workflow as.",
"type": "string"
Expand Down
16 changes: 14 additions & 2 deletions pkg/apis/workflow/v1alpha1/openapi_generated.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 10 additions & 0 deletions pkg/apis/workflow/v1alpha1/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,11 @@ type WorkflowSpec struct {

// HostAliases is an optional list of hosts and IPs that will be injected into the pod spec
HostAliases []apiv1.HostAlias `json:"hostAliases,omitempty"`

// SecurityContext holds pod-level security attributes and common container settings.
// Optional: Defaults to empty. See type description for default values of each field.
// +optional
SecurityContext *apiv1.PodSecurityContext `json:"securityContext,omitempty"`
}

// Template is a reusable and composable unit of execution in a workflow
Expand Down Expand Up @@ -261,6 +266,11 @@ type Template struct {

// HostAliases is an optional list of hosts and IPs that will be injected into the pod spec
HostAliases []apiv1.HostAlias `json:"hostAliases,omitempty"`

// SecurityContext holds pod-level security attributes and common container settings.
// Optional: Defaults to empty. See type description for default values of each field.
// +optional
SecurityContext *apiv1.PodSecurityContext `json:"securityContext,omitempty"`
}

// Inputs are the mechanism for passing parameters, artifacts, volumes from one template to another
Expand Down
10 changes: 10 additions & 0 deletions pkg/apis/workflow/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions workflow/controller/workflowpod.go
Original file line number Diff line number Diff line change
Expand Up @@ -515,6 +515,12 @@ func addSchedulingConstraints(pod *apiv1.Pod, wfSpec *wfv1.WorkflowSpec, tmpl *w
pod.Spec.HostAliases = append(pod.Spec.HostAliases, wfSpec.HostAliases...)
pod.Spec.HostAliases = append(pod.Spec.HostAliases, tmpl.HostAliases...)

// set pod security context
if tmpl.SecurityContext != nil {
pod.Spec.SecurityContext = tmpl.SecurityContext
} else if wfSpec.SecurityContext != nil {
pod.Spec.SecurityContext = wfSpec.SecurityContext
}
}

// addVolumeReferences adds any volumeMounts that a container/sidecar is referencing, to the pod.spec.volumes
Expand Down
33 changes: 32 additions & 1 deletion workflow/controller/workflowpod_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@ package controller
import (
"encoding/json"
"fmt"
"github.com/argoproj/argo/workflow/config"
"testing"

"github.com/argoproj/argo/workflow/config"

wfv1 "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1"
"github.com/argoproj/argo/workflow/common"
"github.com/ghodss/yaml"
Expand Down Expand Up @@ -656,3 +657,33 @@ func TestTmplLevelHostAliases(t *testing.T) {
assert.NotNil(t, pod.Spec.HostAliases)

}

// TestWFLevelSecurityContext verifies the ability to carry forward workflow level SecurityContext to Podspec
func TestWFLevelSecurityContext(t *testing.T) {
woc := newWoc()
runAsUser := int64(1234)
woc.wf.Spec.SecurityContext = &apiv1.PodSecurityContext{
RunAsUser: &runAsUser,
}
woc.executeContainer(woc.wf.Spec.Entrypoint, &woc.wf.Spec.Templates[0], "")
podName := getPodName(woc.wf)
pod, err := woc.controller.kubeclientset.CoreV1().Pods("").Get(podName, metav1.GetOptions{})
assert.Nil(t, err)
assert.NotNil(t, pod.Spec.SecurityContext)
assert.Equal(t, runAsUser, *pod.Spec.SecurityContext.RunAsUser)
}

// TestTmplLevelSecurityContext verifies the ability to carry forward template level SecurityContext to Podspec
func TestTmplLevelSecurityContext(t *testing.T) {
woc := newWoc()
runAsUser := int64(1234)
woc.wf.Spec.Templates[0].SecurityContext = &apiv1.PodSecurityContext{
RunAsUser: &runAsUser,
}
woc.executeContainer(woc.wf.Spec.Entrypoint, &woc.wf.Spec.Templates[0], "")
podName := getPodName(woc.wf)
pod, err := woc.controller.kubeclientset.CoreV1().Pods("").Get(podName, metav1.GetOptions{})
assert.Nil(t, err)
assert.NotNil(t, pod.Spec.SecurityContext)
assert.Equal(t, runAsUser, *pod.Spec.SecurityContext.RunAsUser)
}

0 comments on commit 6a59030

Please sign in to comment.