Added simple Kubernetes security options
zc-devs committed Oct 8, 2023
1 parent cbd0c26 commit 3e9089f
Showing 4 changed files with 79 additions and 24 deletions.
25 changes: 22 additions & 3 deletions pipeline/backend/kubernetes/pod.go
Expand Up @@ -141,6 +141,8 @@ func Pod(namespace string, step *types.Step, labels, annotations map[string]stri
log.Trace().Msgf("Tolerations that will be used in the backend options: %v", beTolerations)
}

securityContext := securityContext(step)

pod := &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: podName,
Expand All @@ -164,9 +166,7 @@ func Pod(namespace string, step *types.Step, labels, annotations map[string]stri
Env: mapToEnvVars(step.Environment),
VolumeMounts: volMounts,
Resources: resourceRequirements,
SecurityContext: &v1.SecurityContext{
Privileged: &step.Privileged,
},
SecurityContext: securityContext,
}},
ImagePullSecrets: []v1.LocalObjectReference{{Name: "regcred"}},
Volumes: vols,
Expand Down Expand Up @@ -194,3 +194,22 @@ func volumeMountPath(i string) string {
}
return s[0]
}

func securityContext(step *types.Step) *v1.SecurityContext {
sc := step.BackendOptions.Kubernetes.SecurityContext
log.Trace().Interface("Security context", sc).Msg("Security context that will be used for containers")

privileged := step.Privileged
if sc.Privileged != nil {
privileged = step.Privileged || *sc.Privileged
}

return &v1.SecurityContext{
Privileged: &privileged,
RunAsUser: sc.RunAsUser,
RunAsGroup: sc.RunAsGroup,
RunAsNonRoot: sc.RunAsNonRoot,
ReadOnlyRootFilesystem: sc.ReadOnlyRootFilesystem,
AllowPrivilegeEscalation: sc.AllowPrivilegeEscalation,
}
}
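Review bot: The merge in securityContext, `privileged = step.Privileged || *sc.Privileged`, lets a step's own `backend_options.kubernetes.securityContext.privileged: true` switch the container to privileged even when `step.Privileged` is false; since convert.go (this commit's `convertKubernetesBackendOptions`) copies that pointer straight from the pipeline YAML, the flag is now settable from pipeline config alone. If `step.Privileged` is meant to be the server-side gate for privileged steps (not visible here), this OR bypasses it. Unless opting in from YAML is intended, let the option only lower privilege: replace the `if` block with `if sc.Privileged != nil && !*sc.Privileged { privileged = false }`, keeping `privileged := step.Privileged` as the ceiling. The remaining fields (`RunAsUser`, `RunAsNonRoot`, `ReadOnlyRootFilesystem`, `AllowPrivilegeEscalation`) are passed through unchanged, which is fine as they are all hardening or identity knobs, though `AllowPrivilegeEscalation` still deserves the same "cannot raise above the step" treatment if a default of false is ever introduced.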
10 changes: 10 additions & 0 deletions pipeline/backend/types/backend_kubernetes.go
Expand Up @@ -20,6 +20,7 @@ type KubernetesBackendOptions struct {
ServiceAccountName string `json:"serviceAccountName,omitempty"`
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
Tolerations []Toleration `json:"tolerations,omitempty"`
SecurityContext SecurityContext `json:"securityContext,omitempty"`
}

// Resources defines two maps for kubernetes resource definitions
Expand Down Expand Up @@ -51,3 +52,12 @@ const (
TolerationOpExists TolerationOperator = "Exists"
TolerationOpEqual TolerationOperator = "Equal"
)

type SecurityContext struct {
Privileged *bool `json:"privileged,omitempty"`
RunAsUser *int64 `json:"runAsUser,omitempty"`
RunAsGroup *int64 `json:"runAsGroup,omitempty"`
RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}
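Review bot: `SecurityContext SecurityContext \`json:"securityContext,omitempty"\`` on the `KubernetesBackendOptions` field will never be omitted: encoding/json treats only false, 0, nil pointers/interfaces and empty arrays, slices, maps and strings as empty, so a non-pointer struct is always encoded (here as `{}` when no field is set). Either drop the tag option or make the field `*SecurityContext` — note that `securityContext()` in pod.go reads it as a value, so a pointer would need a nil check there. The new exported `SecurityContext` type also lacks a doc comment while the sibling `Resources` in this file has one; suggest `// SecurityContext is the subset of the Kubernetes container security context a step may request.` above the type.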
58 changes: 37 additions & 21 deletions pipeline/frontend/yaml/compiler/convert.go
Expand Up @@ -116,28 +116,9 @@ func (c *Compiler) createProcess(name string, container *yaml_types.Container, s
}
}

var tolerations []backend_types.Toleration
for _, t := range container.BackendOptions.Kubernetes.Tolerations {
tolerations = append(tolerations, backend_types.Toleration{
Key: t.Key,
Operator: backend_types.TolerationOperator(t.Operator),
Value: t.Value,
Effect: backend_types.TaintEffect(t.Effect),
TolerationSeconds: t.TolerationSeconds,
})
}

// Kubernetes advanced settings
// Advanced backend settings
backendOptions := backend_types.BackendOptions{
Kubernetes: backend_types.KubernetesBackendOptions{
Resources: backend_types.Resources{
Limits: container.BackendOptions.Kubernetes.Resources.Limits,
Requests: container.BackendOptions.Kubernetes.Resources.Requests,
},
ServiceAccountName: container.BackendOptions.Kubernetes.ServiceAccountName,
NodeSelector: container.BackendOptions.Kubernetes.NodeSelector,
Tolerations: tolerations,
},
Kubernetes: convertKubernetesBackendOptions(&container.BackendOptions.Kubernetes),
}

memSwapLimit := int64(container.MemSwapLimit)
Expand Down Expand Up @@ -217,3 +198,38 @@ func (c *Compiler) stepWorkdir(container *yaml_types.Container) string {
}
return filepath.Join(c.base, c.path, container.Directory)
}

func convertKubernetesBackendOptions(kubeOpt *yaml_types.KubernetesBackendOptions) backend_types.KubernetesBackendOptions {
resources := backend_types.Resources{
Limits: kubeOpt.Resources.Limits,
Requests: kubeOpt.Resources.Requests,
}

var tolerations []backend_types.Toleration
for _, t := range kubeOpt.Tolerations {
tolerations = append(tolerations, backend_types.Toleration{
Key: t.Key,
Operator: backend_types.TolerationOperator(t.Operator),
Value: t.Value,
Effect: backend_types.TaintEffect(t.Effect),
TolerationSeconds: t.TolerationSeconds,
})
}

securityContext := backend_types.SecurityContext{
Privileged: kubeOpt.SecurityContext.Privileged,
RunAsUser: kubeOpt.SecurityContext.RunAsUser,
RunAsGroup: kubeOpt.SecurityContext.RunAsGroup,
RunAsNonRoot: kubeOpt.SecurityContext.RunAsNonRoot,
ReadOnlyRootFilesystem: kubeOpt.SecurityContext.ReadOnlyRootFilesystem,
AllowPrivilegeEscalation: kubeOpt.SecurityContext.AllowPrivilegeEscalation,
}

return backend_types.KubernetesBackendOptions{
Resources: resources,
ServiceAccountName: kubeOpt.ServiceAccountName,
NodeSelector: kubeOpt.NodeSelector,
Tolerations: tolerations,
SecurityContext: securityContext,
}
}
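Review bot: `convertKubernetesBackendOptions` dereferences `kubeOpt` on its first line with no nil guard and has no doc comment stating that the argument must be non-nil; the only caller in this hunk passes `&container.BackendOptions.Kubernetes`, so it is safe today but the contract is implicit. Suggest a header comment such as `// convertKubernetesBackendOptions maps the YAML-level Kubernetes options onto the backend types; kubeOpt must not be nil.` The pointer fields of `securityContext` (and `NodeSelector`, a map) are copied by reference, so the backend options alias the YAML struct's values; that appears harmless here but is worth a one-line note if either side is ever mutated after conversion. `createProcess` itself starts before this file's first hunk.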
10 changes: 10 additions & 0 deletions pipeline/frontend/yaml/types/backend_options.go
Expand Up @@ -24,6 +24,7 @@ type KubernetesBackendOptions struct {
ServiceAccountName string `yaml:"serviceAccountName,omitempty"`
NodeSelector map[string]string `yaml:"nodeSelector,omitempty"`
Tolerations []Toleration `yaml:"tolerations,omitempty"`
SecurityContext SecurityContext `yaml:"securityContext,omitempty"`
}

type Resources struct {
Expand Down Expand Up @@ -53,3 +54,12 @@ const (
TolerationOpExists TolerationOperator = "Exists"
TolerationOpEqual TolerationOperator = "Equal"
)

type SecurityContext struct {
Privileged *bool `yaml:"privileged,omitempty"`
RunAsUser *int64 `yaml:"runAsUser,omitempty"`
RunAsGroup *int64 `yaml:"runAsGroup,omitempty"`
RunAsNonRoot *bool `yaml:"runAsNonRoot,omitempty"`
ReadOnlyRootFilesystem *bool `yaml:"readOnlyRootFilesystem,omitempty"`
AllowPrivilegeEscalation *bool `yaml:"allowPrivilegeEscalation,omitempty"`
}
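Review bot: The new `SecurityContext` type in the YAML schema is exported without a doc comment, and its `privileged` key overlaps with the existing step-level `privileged` setting; users reading the schema have no way to tell which one wins. Suggest a type comment, `// SecurityContext exposes a subset of the Kubernetes container security context to pipeline steps.`, and a field comment on `Privileged` describing how it combines with the step-level flag (in this commit pod.go ORs the two together, so document that or whatever the final rule is). The yaml `omitempty` on the struct-valued field is fine here, unlike the json tag in backend_kubernetes.go, since yaml.v3 omits zero-valued structs.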
