Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Pod securityContext for target allocator #2500

Merged
merged 4 commits into from
Jan 11, 2024
Merged

Add Pod securityContext for target allocator #2500

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2b1a401
Add Pod securityContext for target allocator
husnialhamdani Nov 8, 2023
9ad50fb
Add Pod securityContext for target allocator
husnialhamdani Jan 10, 2024
4373d0a
Add Pod securityContext for target allocator
husnialhamdani Jan 10, 2024
3e50f22
Add Pod securityContext for target allocator
husnialhamdani Jan 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .chloggen/fix-ta-pod-security-context.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
component: target allocator

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Use Pod securityContext for target allocator

# One or more tracking issues related to the change
issues: [2495]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext: Bring back PodSecurityContext as it was removed in the previous changes.
4 changes: 4 additions & 0 deletions apis/v1alpha1/opentelemetrycollector_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,10 @@ type OpenTelemetryTargetAllocator struct {
// the targetallocator.
// +optional
SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`
// PodSecurityContext configures the pod security context for the
// targetallocator.
// +optional
PodSecurityContext *v1.PodSecurityContext `json:"podSecurityContext,omitempty"`
// TopologySpreadConstraints embedded kubernetes pod configuration option,
// controls how pods are spread across your cluster among failure-domains
// such as regions, zones, nodes, and other user-defined topology domains
Expand Down
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

128 changes: 128 additions & 0 deletions bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5198,6 +5198,134 @@ spec:
the eviction, i.e. even in the absence of the evicted pod.
x-kubernetes-int-or-string: true
type: object
podSecurityContext:
description: PodSecurityContext configures the pod security context
for the targetallocator.
properties:
fsGroup:
description: "A special supplemental group that applies to
all containers in a pod. Some volume types allow the Kubelet
to change the ownership of that volume to be owned by the
pod: \n 1."
format: int64
type: integer
fsGroupChangePolicy:
description: fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod.
type: string
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set
in SecurityContext.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata if
unspecified. May also be set in SecurityContext.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in
SecurityContext.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by the containers
in this pod. Note that this field cannot be set when spec.os.name
is windows.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used. The profile must
be preconfigured on the node to work.
type: string
type:
description: "type indicates which kind of seccomp profile
will be applied. Valid options are: \n Localhost - a
profile defined in a file on the node should be used."
type: string
required:
- type
type: object
supplementalGroups:
description: A list of groups applied to the first process
run in each container, in addition to the container's primary
GID, the fsGroup (if specified), and group memberships defined
in the container image for th
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used
for the pod. Pods with unsupported sysctls (by the container
runtime) might fail to launch. Note that this field cannot
be set when spec.os.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied to all
containers. If unspecified, the options within a container's
SecurityContext will be used.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named
by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in
PodSecurityContext.
type: string
type: object
type: object
prometheusCR:
description: PrometheusCR defines the configuration for the retrieval
of PrometheusOperator CRDs ( servicemonitor.monitoring.coreos.com/v1
Expand Down
128 changes: 128 additions & 0 deletions config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5195,6 +5195,134 @@ spec:
the eviction, i.e. even in the absence of the evicted pod.
x-kubernetes-int-or-string: true
type: object
podSecurityContext:
description: PodSecurityContext configures the pod security context
for the targetallocator.
properties:
fsGroup:
description: "A special supplemental group that applies to
all containers in a pod. Some volume types allow the Kubelet
to change the ownership of that volume to be owned by the
pod: \n 1."
format: int64
type: integer
fsGroupChangePolicy:
description: fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod.
type: string
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set
in SecurityContext.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata if
unspecified. May also be set in SecurityContext.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in
SecurityContext.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by the containers
in this pod. Note that this field cannot be set when spec.os.name
is windows.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used. The profile must
be preconfigured on the node to work.
type: string
type:
description: "type indicates which kind of seccomp profile
will be applied. Valid options are: \n Localhost - a
profile defined in a file on the node should be used."
type: string
required:
- type
type: object
supplementalGroups:
description: A list of groups applied to the first process
run in each container, in addition to the container's primary
GID, the fsGroup (if specified), and group memberships defined
in the container image for th
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used
for the pod. Pods with unsupported sysctls (by the container
runtime) might fail to launch. Note that this field cannot
be set when spec.os.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied to all
containers. If unspecified, the options within a container's
SecurityContext will be used.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named
by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in
PodSecurityContext.
type: string
type: object
type: object
prometheusCR:
description: PrometheusCR defines the configuration for the retrieval
of PrometheusOperator CRDs ( servicemonitor.monitoring.coreos.com/v1
Expand Down
1 change: 1 addition & 0 deletions internal/manifests/targetallocator/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ func Deployment(params manifests.Params) (*appsv1.Deployment, error) {
Tolerations: params.OtelCol.Spec.TargetAllocator.Tolerations,
TopologySpreadConstraints: params.OtelCol.Spec.TargetAllocator.TopologySpreadConstraints,
Affinity: params.OtelCol.Spec.TargetAllocator.Affinity,
SecurityContext: params.OtelCol.Spec.TargetAllocator.PodSecurityContext,
},
},
},
Expand Down
56 changes: 56 additions & 0 deletions internal/manifests/targetallocator/deployment_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,62 @@ var testAffinityValue = &v1.Affinity{
},
}

var runAsUser int64 = 1000
var runAsGroup int64 = 1000

var testSecurityContextValue = &v1.PodSecurityContext{
RunAsUser: &runAsUser,
RunAsGroup: &runAsGroup,
}

func TestDeploymentSecurityContext(t *testing.T) {
// Test default
otelcol1 := v1alpha1.OpenTelemetryCollector{
ObjectMeta: metav1.ObjectMeta{
Name: "my-instance",
},
}

cfg := config.New()

params1 := manifests.Params{
OtelCol: otelcol1,
Config: cfg,
Log: logger,
}
d1, err := Deployment(params1)
if err != nil {
t.Fatal(err)
}
assert.Empty(t, d1.Spec.Template.Spec.SecurityContext)

// Test SecurityContext
otelcol2 := v1alpha1.OpenTelemetryCollector{
ObjectMeta: metav1.ObjectMeta{
Name: "my-instance-securitycontext",
},
Spec: v1alpha1.OpenTelemetryCollectorSpec{
TargetAllocator: v1alpha1.OpenTelemetryTargetAllocator{
PodSecurityContext: testSecurityContextValue,
},
},
}

cfg = config.New()

params2 := manifests.Params{
OtelCol: otelcol2,
Config: cfg,
Log: logger,
}

d2, err := Deployment(params2)
if err != nil {
t.Fatal(err)
}
assert.Equal(t, *testSecurityContextValue, *d2.Spec.Template.Spec.SecurityContext)
}

func TestDeploymentNewDefault(t *testing.T) {
// prepare
otelcol := collectorInstance()
Expand Down
2 changes: 2 additions & 0 deletions tests/e2e/targetallocator-features/00-assert.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@ spec:
operator: In
values:
- "true"
securityContext:
runAsUser: 1000
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we assert the other properties here too?

      runAsGroup: 3000
      fsGroup: 2000

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

containers:
- name: ta-container
args:
Expand Down
Loading
Loading