Merge pull request #89 from sl1pm4t/fix-emptydir-runasuser

Fix runAsUser=0 and empty_dir missing
sl1pm4t · Oct 5, 2021 · 4f5fd47 · 4f5fd47
2 parents 8528ea5 + be0c138
commit 4f5fd47
Show file tree

Hide file tree

Showing 8 changed files with 110 additions and 4 deletions.
diff --git a/hcl_writer.go b/hcl_writer.go
@@ -205,7 +205,7 @@ func (w *ObjectWalker) closeBlock() *hclBlock {
 		w.dst.AppendBlock(current.hcl)
 
 	} else {
-		if current.hasValue || current.isRequired() {
+		if current.hasValue || tfkschema.IncludedOnZero(w.currentBlock.fieldName) || current.isRequired() {
 			if !includeUnsupported && current.unsupported {
 				// don't append this block or child blocks
 				w.warn().
@@ -351,7 +351,7 @@ func (w *ObjectWalker) Primitive(v reflect.Value) error {
 	if !w.ignoreSliceElems && v.CanAddr() && v.CanInterface() {
 		w.debug(fmt.Sprintf("Primitive: %s = %v (%T)", w.field().Name, v.Interface(), v.Interface()))
 
-		if !IsZero(v) {
+		if !IsZero(v) || tfkschema.IncludedOnZero(w.field().Name) {
 			w.currentBlock.hasValue = true
 			w.currentBlock.SetAttributeValue(
 				tfkschema.ToTerraformAttributeName(w.field(), w.currentBlock.FullSchemaName()),
@@ -363,7 +363,7 @@ func (w *ObjectWalker) Primitive(v reflect.Value) error {
 }
 
 // Map is called everytime reflectwalk enters a Map
-// Golang maps are usally output as HCL maps, but sometimes as sub-blocks.
+// Golang maps are usually output as HCL maps, but sometimes as sub-blocks.
 func (w *ObjectWalker) Map(m reflect.Value) error {
 	blockName := tfkschema.ToTerraformSubBlockName(w.field(), w.currentBlock.FullSchemaName())
 	hcl := hclwrite.NewBlock(blockName, nil)

diff --git a/hcl_writer_test.go b/hcl_writer_test.go
@@ -153,6 +153,11 @@ func TestWriteObject(t *testing.T) {
 			"kubernetes_storage_class",
 			0,
 		},
+		{
+			"replicationController",
+			"kubernetes_replication_controller",
+			0,
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/pkg/tfkschema/attr_overrides.go b/pkg/tfkschema/attr_overrides.go
@@ -0,0 +1,13 @@
+package tfkschema
+
+// IncludedOnZero checks the attribute name against a lookup table to determine if it can be included
+// when it is zero / empty.
+func IncludedOnZero(attrName string) bool {
+	switch attrName {
+	case "EmptyDir":
+		return true
+	case "RunAsUser":
+		return true
+	}
+	return false
+}
diff --git a/test-fixtures/deployment.tf.golden b/test-fixtures/deployment.tf.golden
@@ -74,6 +74,7 @@ resource "kubernetes_deployment" "backend_api" {
               add  = ["NET_BIND_SERVICE"]
               drop = ["ALL"]
             }
+            run_as_user = 0
           }
         }
         container {

diff --git a/test-fixtures/deployment.yaml b/test-fixtures/deployment.yaml
@@ -72,6 +72,7 @@ spec:
                 - ALL
               add:
                 - NET_BIND_SERVICE
+            runAsUser: 0
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:

diff --git a/test-fixtures/podNodeExporter.tf.golden b/test-fixtures/podNodeExporter.tf.golden
@@ -31,7 +31,8 @@ resource "kubernetes_pod" "node_exporter_7fth_7" {
       termination_message_policy = "File"
       image_pull_policy          = "Always"
       security_context {
-        privileged = true
+        privileged  = true
+        run_as_user = 0
       }
     }
     restart_policy                   = "Always"

diff --git a/test-fixtures/replicationController.tf.golden b/test-fixtures/replicationController.tf.golden
@@ -0,0 +1,85 @@
+resource "kubernetes_replication_controller" "es" {
+  metadata {
+    name   = "es"
+    labels = { component = "elasticsearch" }
+  }
+  spec {
+    replicas = 1
+    template {
+      metadata {
+        labels = { component = "elasticsearch" }
+      }
+      spec {
+        volume {
+          name = "storage"
+          empty_dir {
+          }
+        }
+        init_container {
+          name              = "init-sysctl"
+          image             = "busybox"
+          command           = ["sysctl", "-w", "vm.max_map_count=262144"]
+          image_pull_policy = "IfNotPresent"
+          security_context {
+            privileged = true
+          }
+        }
+        container {
+          name  = "es"
+          image = "quay.io/pires/docker-elasticsearch-kubernetes:5.6.2"
+          port {
+            name           = "http"
+            container_port = 9200
+            protocol       = "TCP"
+          }
+          port {
+            name           = "transport"
+            container_port = 9300
+            protocol       = "TCP"
+          }
+          env {
+            name  = "KUBERNETES_CA_CERTIFICATE_FILE"
+            value = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          }
+          env {
+            name = "NAMESPACE"
+            value_from {
+              field_ref {
+                field_path = "metadata.namespace"
+              }
+            }
+          }
+          env {
+            name  = "CLUSTER_NAME"
+            value = "myesdb"
+          }
+          env {
+            name  = "DISCOVERY_SERVICE"
+            value = "elasticsearch"
+          }
+          env {
+            name  = "NODE_MASTER"
+            value = "true"
+          }
+          env {
+            name  = "NODE_DATA"
+            value = "true"
+          }
+          env {
+            name  = "HTTP_ENABLE"
+            value = "true"
+          }
+          volume_mount {
+            name       = "storage"
+            mount_path = "/data"
+          }
+          security_context {
+            capabilities {
+              add = ["IPC_LOCK"]
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/test-fixtures/replicationController.yml → test-fixtures/replicationController.yaml b/test-fixtures/replicationController.yml → test-fixtures/replicationController.yaml