From 11ee7f1710958dd6d331fd8d794750f25f3abb7e Mon Sep 17 00:00:00 2001 From: Anand Swaminathan Date: Thu, 18 Mar 2021 14:41:09 -0700 Subject: [PATCH] Unblock flyteplugins being pulled due to Security override (#235) * Pull in FlytePlugins for Security Context fix Signed-off-by: Anand Swaminathan --- go.mod | 2 +- go.sum | 6 ++-- pkg/apis/flyteworkflow/v1alpha1/iface.go | 1 + .../v1alpha1/mocks/ExecutableWorkflow.go | 34 ++++++++++++++++++ pkg/apis/flyteworkflow/v1alpha1/mocks/Meta.go | 34 ++++++++++++++++++ .../v1alpha1/mocks/MetaExtended.go | 34 ++++++++++++++++++ pkg/apis/flyteworkflow/v1alpha1/workflow.go | 13 +++++-- .../v1alpha1/zz_generated.deepcopy.go | 1 + .../executors/mocks/execution_context.go | 34 ++++++++++++++++++ .../mocks/immutable_execution_context.go | 35 +++++++++++++++++++ .../handler/mocks/node_execution_metadata.go | 32 +++++++++++++++++ .../nodes/handler/node_exec_context.go | 1 + pkg/controller/nodes/resolve_test.go | 4 +++ 13 files changed, 224 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 9002351bb..21eac55f1 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/benlaurie/objecthash v0.0.0-20180202135721-d1e3d6079fc1 github.com/fatih/color v1.10.0 github.com/flyteorg/flyteidl v0.18.20 - github.com/flyteorg/flyteplugins v0.5.32 + github.com/flyteorg/flyteplugins v0.5.35 github.com/flyteorg/flytestdlib v0.3.13 github.com/ghodss/yaml v1.0.0 github.com/go-redis/redis v6.15.7+incompatible diff --git a/go.sum b/go.sum index 543224836..fb8c58ce8 100644 --- a/go.sum +++ b/go.sum 
@@ -230,11 +230,11 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg= github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= -github.com/flyteorg/flyteidl v0.18.15/go.mod h1:b5Fq4Z8a5b0mF6pEwTd48ufvikUGVkWSjZiMT0ZtqKI= +github.com/flyteorg/flyteidl v0.18.17/go.mod h1:b5Fq4Z8a5b0mF6pEwTd48ufvikUGVkWSjZiMT0ZtqKI= github.com/flyteorg/flyteidl v0.18.20 h1:OGOb2FOHWL363Qp8uzbJeFbQBKYPT30+afv+8BnBlGs= github.com/flyteorg/flyteidl v0.18.20/go.mod h1:b5Fq4Z8a5b0mF6pEwTd48ufvikUGVkWSjZiMT0ZtqKI= -github.com/flyteorg/flyteplugins v0.5.32 h1:fXyHUZFtNt1yQIQehilSnpzKlOAkXkqqnwh9M696Dvw= -github.com/flyteorg/flyteplugins v0.5.32/go.mod h1:+qu3cAdUdyNXer+R9NcvEKsEWwhvKAqRObmuFBGOJ0s= +github.com/flyteorg/flyteplugins v0.5.35 h1:KEMOiA4B+lIxQ+l7FRHzVcPA234Td9+ursuJDm6I8dg= +github.com/flyteorg/flyteplugins v0.5.35/go.mod h1:CxerBGWWEmNYmPxSMHnwQEr9cc1Fbo/g5fcABazU6Jo= github.com/flyteorg/flytestdlib v0.3.13 h1:5ioA/q3ixlyqkFh5kDaHgmPyTP/AHtqq1K/TIbVLUzM= github.com/flyteorg/flytestdlib v0.3.13/go.mod h1:Tz8JCECAbX6VWGwFT6cmEQ+RJpZ/6L9pswu3fzWs220= github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk= diff --git a/pkg/apis/flyteworkflow/v1alpha1/iface.go b/pkg/apis/flyteworkflow/v1alpha1/iface.go index 392baff26..dea6a57bc 100644 --- a/pkg/apis/flyteworkflow/v1alpha1/iface.go +++ b/pkg/apis/flyteworkflow/v1alpha1/iface.go @@ -434,6 +434,7 @@ type Meta interface { GetLabels() map[string]string GetName() string GetServiceAccountName() string + GetSecurityContext() core.SecurityContext IsInterruptible() bool GetEventVersion() EventVersion GetRawOutputDataConfig() RawOutputDataConfig 
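Review bot: The added `GetSecurityContext() core.SecurityContext` in `Meta` has no comment saying how it relates to `GetServiceAccountName()`, which stays in the interface directly above it, so neither implementers nor callers can tell from the contract which identity source applies when both are set. Per the field comment in workflow.go this value defines privilege and access-control settings, so the precedence belongs on the method, for example `// GetSecurityContext returns the workflow's security context; an identity set here takes precedence over the deprecated GetServiceAccountName.` The wording should match what the consuming plugins actually do, which this patch does not show. The same one-line addition to `NodeExecutionMetadata` in pkg/controller/nodes/handler/node_exec_context.go, next to `GetK8sServiceAccount()`, needs the same comment. The `Meta` interface begins and ends outside this hunk.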
diff --git a/pkg/apis/flyteworkflow/v1alpha1/mocks/ExecutableWorkflow.go b/pkg/apis/flyteworkflow/v1alpha1/mocks/ExecutableWorkflow.go index f9260463d..88593c007 100644 --- a/pkg/apis/flyteworkflow/v1alpha1/mocks/ExecutableWorkflow.go +++ b/pkg/apis/flyteworkflow/v1alpha1/mocks/ExecutableWorkflow.go @@ -5,7 +5,9 @@ package mocks import ( context "context" + core "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core" mock "github.com/stretchr/testify/mock" + types "k8s.io/apimachinery/pkg/types" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -792,6 +794,38 @@ func (_m *ExecutableWorkflow) GetRawOutputDataConfig() v1alpha1.RawOutputDataCon return r0 } +type ExecutableWorkflow_GetSecurityContext struct { + *mock.Call +} + +func (_m ExecutableWorkflow_GetSecurityContext) Return(_a0 core.SecurityContext) *ExecutableWorkflow_GetSecurityContext { + return &ExecutableWorkflow_GetSecurityContext{Call: _m.Call.Return(_a0)} +} + +func (_m *ExecutableWorkflow) OnGetSecurityContext() *ExecutableWorkflow_GetSecurityContext { + c := _m.On("GetSecurityContext") + return &ExecutableWorkflow_GetSecurityContext{Call: c} +} + +func (_m *ExecutableWorkflow) OnGetSecurityContextMatch(matchers ...interface{}) *ExecutableWorkflow_GetSecurityContext { + c := _m.On("GetSecurityContext", matchers...) + return &ExecutableWorkflow_GetSecurityContext{Call: c} +} + +// GetSecurityContext provides a mock function with given fields: +func (_m *ExecutableWorkflow) GetSecurityContext() core.SecurityContext { + ret := _m.Called() + + var r0 core.SecurityContext + if rf, ok := ret.Get(0).(func() core.SecurityContext); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(core.SecurityContext) + } + + return r0 +} + type ExecutableWorkflow_GetServiceAccountName struct { *mock.Call } diff --git a/pkg/apis/flyteworkflow/v1alpha1/mocks/Meta.go b/pkg/apis/flyteworkflow/v1alpha1/mocks/Meta.go index 524492db9..c2b2b72f7 100644 --- a/pkg/apis/flyteworkflow/v1alpha1/mocks/Meta.go 
+++ b/pkg/apis/flyteworkflow/v1alpha1/mocks/Meta.go @@ -3,7 +3,9 @@ package mocks import ( + core "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core" mock "github.com/stretchr/testify/mock" + types "k8s.io/apimachinery/pkg/types" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -340,6 +342,38 @@ func (_m *Meta) GetRawOutputDataConfig() v1alpha1.RawOutputDataConfig { return r0 } +type Meta_GetSecurityContext struct { + *mock.Call +} + +func (_m Meta_GetSecurityContext) Return(_a0 core.SecurityContext) *Meta_GetSecurityContext { + return &Meta_GetSecurityContext{Call: _m.Call.Return(_a0)} +} + +func (_m *Meta) OnGetSecurityContext() *Meta_GetSecurityContext { + c := _m.On("GetSecurityContext") + return &Meta_GetSecurityContext{Call: c} +} + +func (_m *Meta) OnGetSecurityContextMatch(matchers ...interface{}) *Meta_GetSecurityContext { + c := _m.On("GetSecurityContext", matchers...) + return &Meta_GetSecurityContext{Call: c} +} + +// GetSecurityContext provides a mock function with given fields: +func (_m *Meta) GetSecurityContext() core.SecurityContext { + ret := _m.Called() + + var r0 core.SecurityContext + if rf, ok := ret.Get(0).(func() core.SecurityContext); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(core.SecurityContext) + } + + return r0 +} + type Meta_GetServiceAccountName struct { *mock.Call } diff --git a/pkg/apis/flyteworkflow/v1alpha1/mocks/MetaExtended.go b/pkg/apis/flyteworkflow/v1alpha1/mocks/MetaExtended.go index 6017fc3af..cca89c09f 100644 --- a/pkg/apis/flyteworkflow/v1alpha1/mocks/MetaExtended.go +++ b/pkg/apis/flyteworkflow/v1alpha1/mocks/MetaExtended.go @@ -3,7 +3,9 @@ package mocks import ( + core "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core" mock "github.com/stretchr/testify/mock" + types "k8s.io/apimachinery/pkg/types" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -408,6 +410,38 @@ func (_m *MetaExtended) GetRawOutputDataConfig() v1alpha1.RawOutputDataConfig { return r0 } +type MetaExtended_GetSecurityContext struct { + *mock.Call +} + +func (_m MetaExtended_GetSecurityContext) Return(_a0 core.SecurityContext) *MetaExtended_GetSecurityContext { + return &MetaExtended_GetSecurityContext{Call: _m.Call.Return(_a0)} +} + +func (_m *MetaExtended) OnGetSecurityContext() *MetaExtended_GetSecurityContext { + c := _m.On("GetSecurityContext") + return &MetaExtended_GetSecurityContext{Call: c} +} + +func (_m *MetaExtended) OnGetSecurityContextMatch(matchers ...interface{}) *MetaExtended_GetSecurityContext { + c := _m.On("GetSecurityContext", matchers...) + return &MetaExtended_GetSecurityContext{Call: c} +} + +// GetSecurityContext provides a mock function with given fields: +func (_m *MetaExtended) GetSecurityContext() core.SecurityContext { + ret := _m.Called() + + var r0 core.SecurityContext + if rf, ok := ret.Get(0).(func() core.SecurityContext); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(core.SecurityContext) + } + + return r0 +} + type MetaExtended_GetServiceAccountName struct { *mock.Call } diff --git a/pkg/apis/flyteworkflow/v1alpha1/workflow.go b/pkg/apis/flyteworkflow/v1alpha1/workflow.go index 79251b709..9e7d580d1 100644 --- a/pkg/apis/flyteworkflow/v1alpha1/workflow.go +++ b/pkg/apis/flyteworkflow/v1alpha1/workflow.go 
@@ -39,10 +39,13 @@ type FlyteWorkflow struct { NodeDefaults NodeDefaults `json:"node-defaults,omitempty"` // Specifies the time when the workflow has been accepted into the system. AcceptedAt *metav1.Time `json:"acceptedAt,omitempty"` - // ServiceAccountName is the name of the ServiceAccount to use to run this pod. - // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - // +optional + // [DEPRECATED] ServiceAccountName is the name of the ServiceAccount to use to run this pod. + // [DEPRECATED] More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + // [DEPRECATED] +optional ServiceAccountName string `json:"serviceAccountName,omitempty" protobuf:"bytes,8,opt,name=serviceAccountName"` + // Security context fields to define privilege and access control settings + // +optional + SecurityContext core.SecurityContext `json:"securityContext,omitempty" protobuf:"bytes,12,rep,name=securityContext"` // Status is the only mutable section in the workflow. It holds all the execution information Status WorkflowStatus `json:"status,omitempty"` // RawOutputDataConfig defines the configurations to use for generating raw outputs (e.g. blobs, schemas). @@ -58,6 +61,10 @@ type FlyteWorkflow struct { DataReferenceConstructor storage.ReferenceConstructor `json:"-"` } +func (in *FlyteWorkflow) GetSecurityContext() core.SecurityContext { + return in.SecurityContext +} + func (in *FlyteWorkflow) GetEventVersion() EventVersion { if in.WorkflowMeta != nil { return in.WorkflowMeta.EventVersion diff --git a/pkg/apis/flyteworkflow/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/flyteworkflow/v1alpha1/zz_generated.deepcopy.go index 53da1d12d..0438cea07 100644 --- a/pkg/apis/flyteworkflow/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/flyteworkflow/v1alpha1/zz_generated.deepcopy.go 
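Review bot: Rewriting the marker line on `ServiceAccountName` as `// [DEPRECATED] +optional` most likely hides it from the Kubernetes code generators, which look for comment lines that begin with `+`. Keep `// +optional` as it was and express the deprecation in the Go convention, e.g. `// Deprecated: use SecurityContext instead.`, if that is the intended replacement. On the new field, the tag `protobuf:"bytes,12,rep,name=securityContext"` declares a repeated field although `SecurityContext` is a single struct; the neighbouring `ServiceAccountName` uses `opt`, so this should read `protobuf:"bytes,12,opt,name=securityContext"`. `omitempty` in the `json` tag also has no effect on a struct value, so an unset context is still serialised as an empty object. The `FlyteWorkflow` struct begins and ends outside this hunk.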
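Review bot: `GetSecurityContext` returns `in.SecurityContext` by value and has no doc comment, so nothing tells callers that the copy is shallow. Any pointer or slice fields inside `core.SecurityContext` stay shared with the workflow object; it is a generated protobuf message, so it probably has some. The regenerated `DeepCopyInto` in zz_generated.deepcopy.go copies the field with a plain `out.SecurityContext = in.SecurityContext`, so a deep-copied `FlyteWorkflow` would alias that nested state as well. Because the struct carries privilege and access-control settings, I would give the field a real deep copy (for example through `proto.Clone`), or at least add `// GetSecurityContext returns the workflow's security context. The result shares nested pointers with the workflow and must be treated as read-only.` above the method.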
@@ -234,6 +234,7 @@ func (in *FlyteWorkflow) DeepCopyInto(out *FlyteWorkflow) { in, out := &in.AcceptedAt, &out.AcceptedAt *out = (*in).DeepCopy() } + out.SecurityContext = in.SecurityContext in.Status.DeepCopyInto(&out.Status) in.RawOutputDataConfig.DeepCopyInto(&out.RawOutputDataConfig) in.ExecutionConfig.DeepCopyInto(&out.ExecutionConfig) diff --git a/pkg/controller/executors/mocks/execution_context.go b/pkg/controller/executors/mocks/execution_context.go index 8772a229b..76a62bed8 100644 --- a/pkg/controller/executors/mocks/execution_context.go +++ b/pkg/controller/executors/mocks/execution_context.go @@ -3,7 +3,9 @@ package mocks import ( + core "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core" executors "github.com/flyteorg/flytepropeller/pkg/controller/executors" + mock "github.com/stretchr/testify/mock" types "k8s.io/apimachinery/pkg/types" 
@@ -538,6 +540,38 @@ func (_m *ExecutionContext) GetRawOutputDataConfig() v1alpha1.RawOutputDataConfi return r0 } +type ExecutionContext_GetSecurityContext struct { + *mock.Call +} + +func (_m ExecutionContext_GetSecurityContext) Return(_a0 core.SecurityContext) *ExecutionContext_GetSecurityContext { + return &ExecutionContext_GetSecurityContext{Call: _m.Call.Return(_a0)} +} + +func (_m *ExecutionContext) OnGetSecurityContext() *ExecutionContext_GetSecurityContext { + c := _m.On("GetSecurityContext") + return &ExecutionContext_GetSecurityContext{Call: c} +} + +func (_m *ExecutionContext) OnGetSecurityContextMatch(matchers ...interface{}) *ExecutionContext_GetSecurityContext { + c := _m.On("GetSecurityContext", matchers...) + return &ExecutionContext_GetSecurityContext{Call: c} +} + +// GetSecurityContext provides a mock function with given fields: +func (_m *ExecutionContext) GetSecurityContext() core.SecurityContext { + ret := _m.Called() + + var r0 core.SecurityContext + if rf, ok := ret.Get(0).(func() core.SecurityContext); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(core.SecurityContext) + } + + return r0 +} + type ExecutionContext_GetServiceAccountName struct { *mock.Call } diff --git a/pkg/controller/executors/mocks/immutable_execution_context.go b/pkg/controller/executors/mocks/immutable_execution_context.go index 14a8cd39b..fec05a4bc 100644 --- a/pkg/controller/executors/mocks/immutable_execution_context.go +++ b/pkg/controller/executors/mocks/immutable_execution_context.go @@ -3,7 +3,10 @@ package mocks import ( + core "github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/core" + mock "github.com/stretchr/testify/mock" + types "k8s.io/apimachinery/pkg/types" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -436,6 +439,38 @@ func (_m *ImmutableExecutionContext) GetRawOutputDataConfig() v1alpha1.RawOutput return r0 } +type ImmutableExecutionContext_GetSecurityContext struct { + *mock.Call +} + +func (_m ImmutableExecutionContext_GetSecurityContext) Return(_a0 core.SecurityContext) *ImmutableExecutionContext_GetSecurityContext { + return &ImmutableExecutionContext_GetSecurityContext{Call: _m.Call.Return(_a0)} +} + +func (_m *ImmutableExecutionContext) OnGetSecurityContext() *ImmutableExecutionContext_GetSecurityContext { + c := _m.On("GetSecurityContext") + return &ImmutableExecutionContext_GetSecurityContext{Call: c} +} + +func (_m *ImmutableExecutionContext) OnGetSecurityContextMatch(matchers ...interface{}) *ImmutableExecutionContext_GetSecurityContext { + c := _m.On("GetSecurityContext", matchers...) + return &ImmutableExecutionContext_GetSecurityContext{Call: c} +} + +// GetSecurityContext provides a mock function with given fields: +func (_m *ImmutableExecutionContext) GetSecurityContext() core.SecurityContext { + ret := _m.Called() + + var r0 core.SecurityContext + if rf, ok := ret.Get(0).(func() core.SecurityContext); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(core.SecurityContext) + } + + return r0 +} + type ImmutableExecutionContext_GetServiceAccountName struct { *mock.Call } diff --git a/pkg/controller/nodes/handler/mocks/node_execution_metadata.go b/pkg/controller/nodes/handler/mocks/node_execution_metadata.go index 9d857d118..c6dcc65b7 100644 --- a/pkg/controller/nodes/handler/mocks/node_execution_metadata.go +++ b/pkg/controller/nodes/handler/mocks/node_execution_metadata.go 
@@ -247,6 +247,38 @@ func (_m *NodeExecutionMetadata) GetOwnerReference() v1.OwnerReference { return r0 } +type NodeExecutionMetadata_GetSecurityContext struct { + *mock.Call +} + +func (_m NodeExecutionMetadata_GetSecurityContext) Return(_a0 core.SecurityContext) *NodeExecutionMetadata_GetSecurityContext { + return &NodeExecutionMetadata_GetSecurityContext{Call: _m.Call.Return(_a0)} +} + +func (_m *NodeExecutionMetadata) OnGetSecurityContext() *NodeExecutionMetadata_GetSecurityContext { + c := _m.On("GetSecurityContext") + return &NodeExecutionMetadata_GetSecurityContext{Call: c} +} + +func (_m *NodeExecutionMetadata) OnGetSecurityContextMatch(matchers ...interface{}) *NodeExecutionMetadata_GetSecurityContext { + c := _m.On("GetSecurityContext", matchers...) + return &NodeExecutionMetadata_GetSecurityContext{Call: c} +} + +// GetSecurityContext provides a mock function with given fields: +func (_m *NodeExecutionMetadata) GetSecurityContext() core.SecurityContext { + ret := _m.Called() + + var r0 core.SecurityContext + if rf, ok := ret.Get(0).(func() core.SecurityContext); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(core.SecurityContext) + } + + return r0 +} + type NodeExecutionMetadata_IsInterruptible struct { *mock.Call } diff --git a/pkg/controller/nodes/handler/node_exec_context.go b/pkg/controller/nodes/handler/node_exec_context.go index a74ed3b84..a32c8c056 100644 --- a/pkg/controller/nodes/handler/node_exec_context.go +++ b/pkg/controller/nodes/handler/node_exec_context.go @@ -37,6 +37,7 @@ type NodeExecutionMetadata interface { GetLabels() map[string]string GetAnnotations() map[string]string GetK8sServiceAccount() string + GetSecurityContext() core.SecurityContext IsInterruptible() bool } diff --git a/pkg/controller/nodes/resolve_test.go b/pkg/controller/nodes/resolve_test.go index 35daed9d5..e541b1814 100644 --- a/pkg/controller/nodes/resolve_test.go +++ b/pkg/controller/nodes/resolve_test.go 
@@ -119,6 +119,10 @@ func (d *dummyBaseWorkflow) GetServiceAccountName() string { return "" } +func (d *dummyBaseWorkflow) GetSecurityContext() core.SecurityContext { + return core.SecurityContext{} +} + func (d *dummyBaseWorkflow) GetTask(id v1alpha1.TaskID) (v1alpha1.ExecutableTask, error) { return nil, nil }