Added Pod SC and moved some fields into it

woodpecker-ci · Oct 9, 2023 · caf8db3 · caf8db3
1 parent 343e774
commit caf8db3
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 36 deletions.
diff --git a/pipeline/backend/kubernetes/pod.go b/pipeline/backend/kubernetes/pod.go
@@ -142,7 +142,10 @@ func Pod(namespace string, step *types.Step, labels, annotations map[string]stri
 		log.Trace().Msgf("Tolerations that will be used in the backend options: %v", beTolerations)
 	}
 
-	securityContext := securityContext(step)
+	beSecurityContext := step.BackendOptions.Kubernetes.SecurityContext
+	log.Trace().Interface("Security context", beSecurityContext).Msg("Security context that will be used for containers")
+	podSecCtx := podSecurityContext(beSecurityContext)
+	containerSecCtx := containerSecurityContext(beSecurityContext, step.Privileged)
 
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -157,6 +160,7 @@ func Pod(namespace string, step *types.Step, labels, annotations map[string]stri
 			NodeSelector:       nodeSelector,
 			Tolerations:        tolerations,
 			ServiceAccountName: serviceAccountName,
+			SecurityContext:    podSecCtx,
 			Containers: []v1.Container{{
 				Name:            podName,
 				Image:           step.Image,
@@ -167,7 +171,7 @@ func Pod(namespace string, step *types.Step, labels, annotations map[string]stri
 				Env:             mapToEnvVars(step.Environment),
 				VolumeMounts:    volMounts,
 				Resources:       resourceRequirements,
-				SecurityContext: securityContext,
+				SecurityContext: containerSecCtx,
 			}},
 			ImagePullSecrets: []v1.LocalObjectReference{{Name: "regcred"}},
 			Volumes:          vols,
@@ -196,21 +200,32 @@ func volumeMountPath(i string) string {
 	return s[0]
 }
 
-func securityContext(step *types.Step) *v1.SecurityContext {
-	sc := step.BackendOptions.Kubernetes.SecurityContext
-	log.Trace().Interface("Security context", sc).Msg("Security context that will be used for containers")
+func podSecurityContext(sc *types.SecurityContext) *v1.PodSecurityContext {
+	if sc != nil {
+		return &v1.PodSecurityContext{
+			RunAsUser:          sc.RunAsUser,
+			RunAsGroup:         sc.RunAsGroup,
+			RunAsNonRoot:       sc.RunAsNonRoot,
+			SupplementalGroups: sc.SupplementalGroups,
+			FSGroup:            sc.FSGroup,
+		}
+	}
+	return nil
+}
 
-	privileged := step.Privileged
-	if sc.Privileged != nil {
-		privileged = step.Privileged || *sc.Privileged
+func containerSecurityContext(sc *types.SecurityContext, privileged bool) *v1.SecurityContext {
+	containerSecCtx := &v1.SecurityContext{
+		Privileged: &privileged,
 	}
 
-	return &v1.SecurityContext{
-		Privileged:               &privileged,
-		RunAsUser:                sc.RunAsUser,
-		RunAsGroup:               sc.RunAsGroup,
-		RunAsNonRoot:             sc.RunAsNonRoot,
-		ReadOnlyRootFilesystem:   sc.ReadOnlyRootFilesystem,
-		AllowPrivilegeEscalation: sc.AllowPrivilegeEscalation,
+	if sc != nil {
+		if sc.Privileged != nil {
+			privileged = privileged || *sc.Privileged
+			containerSecCtx.Privileged = &privileged
+		}
+		containerSecCtx.ReadOnlyRootFilesystem = sc.ReadOnlyRootFilesystem
+		containerSecCtx.AllowPrivilegeEscalation = sc.AllowPrivilegeEscalation
 	}
+
+	return containerSecCtx
 }
diff --git a/pipeline/backend/types/backend_kubernetes.go b/pipeline/backend/types/backend_kubernetes.go
@@ -20,7 +20,7 @@ type KubernetesBackendOptions struct {
 	ServiceAccountName string            `json:"serviceAccountName,omitempty"`
 	NodeSelector       map[string]string `json:"nodeSelector,omitempty"`
 	Tolerations        []Toleration      `json:"tolerations,omitempty"`
-	SecurityContext    SecurityContext   `json:"securityContext,omitempty"`
+	SecurityContext    *SecurityContext  `json:"securityContext,omitempty"`
 }
 
 // Resources defines two maps for kubernetes resource definitions
@@ -54,10 +54,14 @@ const (
 )
 
 type SecurityContext struct {
-	Privileged               *bool  `json:"privileged,omitempty"`
-	RunAsUser                *int64 `json:"runAsUser,omitempty"`
-	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
-	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
-	ReadOnlyRootFilesystem   *bool  `json:"readOnlyRootFilesystem,omitempty"`
-	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
+	// Pod Security Context
+	RunAsUser          *int64  `json:"runAsUser,omitempty"`
+	RunAsGroup         *int64  `json:"runAsGroup,omitempty"`
+	RunAsNonRoot       *bool   `json:"runAsNonRoot,omitempty"`
+	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+	FSGroup            *int64  `json:"fsGroup,omitempty"`
+	// Container Security Context
+	Privileged               *bool `json:"privileged,omitempty"`
+	ReadOnlyRootFilesystem   *bool `json:"readOnlyRootFilesystem,omitempty"`
+	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
 }
diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go
@@ -216,13 +216,18 @@ func convertKubernetesBackendOptions(kubeOpt *yaml_types.KubernetesBackendOption
 		})
 	}
 
-	securityContext := backend_types.SecurityContext{
-		Privileged:               kubeOpt.SecurityContext.Privileged,
-		RunAsUser:                kubeOpt.SecurityContext.RunAsUser,
-		RunAsGroup:               kubeOpt.SecurityContext.RunAsGroup,
-		RunAsNonRoot:             kubeOpt.SecurityContext.RunAsNonRoot,
-		ReadOnlyRootFilesystem:   kubeOpt.SecurityContext.ReadOnlyRootFilesystem,
-		AllowPrivilegeEscalation: kubeOpt.SecurityContext.AllowPrivilegeEscalation,
+	var securityContext *backend_types.SecurityContext
+	if kubeOpt.SecurityContext != nil {
+		securityContext = &backend_types.SecurityContext{
+			RunAsUser:                kubeOpt.SecurityContext.RunAsUser,
+			RunAsGroup:               kubeOpt.SecurityContext.RunAsGroup,
+			RunAsNonRoot:             kubeOpt.SecurityContext.RunAsNonRoot,
+			SupplementalGroups:       kubeOpt.SecurityContext.SupplementalGroups,
+			FSGroup:                  kubeOpt.SecurityContext.FSGroup,
+			Privileged:               kubeOpt.SecurityContext.Privileged,
+			ReadOnlyRootFilesystem:   kubeOpt.SecurityContext.ReadOnlyRootFilesystem,
+			AllowPrivilegeEscalation: kubeOpt.SecurityContext.AllowPrivilegeEscalation,
+		}
 	}
 
 	return backend_types.KubernetesBackendOptions{

diff --git a/pipeline/frontend/yaml/types/backend_options.go b/pipeline/frontend/yaml/types/backend_options.go
@@ -24,7 +24,7 @@ type KubernetesBackendOptions struct {
 	ServiceAccountName string            `yaml:"serviceAccountName,omitempty"`
 	NodeSelector       map[string]string `yaml:"nodeSelector,omitempty"`
 	Tolerations        []Toleration      `yaml:"tolerations,omitempty"`
-	SecurityContext    SecurityContext   `yaml:"securityContext,omitempty"`
+	SecurityContext    *SecurityContext  `yaml:"securityContext,omitempty"`
 }
 
 type Resources struct {
@@ -56,10 +56,14 @@ const (
 )
 
 type SecurityContext struct {
-	Privileged               *bool  `yaml:"privileged,omitempty"`
-	RunAsUser                *int64 `yaml:"runAsUser,omitempty"`
-	RunAsGroup               *int64 `yaml:"runAsGroup,omitempty"`
-	RunAsNonRoot             *bool  `yaml:"runAsNonRoot,omitempty"`
-	ReadOnlyRootFilesystem   *bool  `yaml:"readOnlyRootFilesystem,omitempty"`
-	AllowPrivilegeEscalation *bool  `yaml:"allowPrivilegeEscalation,omitempty"`
+	// Pod Security Context
+	RunAsUser          *int64  `yaml:"runAsUser,omitempty"`
+	RunAsGroup         *int64  `yaml:"runAsGroup,omitempty"`
+	RunAsNonRoot       *bool   `yaml:"runAsNonRoot,omitempty"`
+	SupplementalGroups []int64 `yaml:"supplementalGroups,omitempty"`
+	FSGroup            *int64  `yaml:"fsGroup,omitempty"`
+	// Container Security Context
+	Privileged               *bool `yaml:"privileged,omitempty"`
+	ReadOnlyRootFilesystem   *bool `yaml:"readOnlyRootFilesystem,omitempty"`
+	AllowPrivilegeEscalation *bool `yaml:"allowPrivilegeEscalation,omitempty"`
 }