summaryrefslogtreecommitdiff
path: root/pkg/specgen/generate
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/specgen/generate')
-rw-r--r--pkg/specgen/generate/kube/kube.go38
1 files changed, 30 insertions, 8 deletions
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index c04b94d4e..04195d15a 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -133,6 +133,8 @@ type CtrSpecGenOptions struct {
// InitContainerType sets what type the init container is
// Note: When playing a kube yaml, the inti container type will be set to "always" only
InitContainerType string
+ // PodSecurityContext is the security context specified for the pod
+ PodSecurityContext *v1.PodSecurityContext
}
func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -188,7 +190,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
s.InitContainerType = opts.InitContainerType
- setupSecurityContext(s, opts.Container.SecurityContext)
+ setupSecurityContext(s, opts.Container.SecurityContext, opts.PodSecurityContext)
err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy)
if err != nil {
return nil, errors.Wrap(err, "Failed to configure livenessProbe")
@@ -531,10 +533,14 @@ func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32,
return &hc, nil
}
-func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext) {
+func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext, podSecurityContext *v1.PodSecurityContext) {
if securityContext == nil {
- return
+ securityContext = &v1.SecurityContext{}
}
+ if podSecurityContext == nil {
+ podSecurityContext = &v1.PodSecurityContext{}
+ }
+
if securityContext.ReadOnlyRootFilesystem != nil {
s.ReadOnlyFilesystem = *securityContext.ReadOnlyRootFilesystem
}
@@ -546,7 +552,11 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
}
- if seopt := securityContext.SELinuxOptions; seopt != nil {
+ seopt := securityContext.SELinuxOptions
+ if seopt == nil {
+ seopt = podSecurityContext.SELinuxOptions
+ }
+ if seopt != nil {
if seopt.User != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
}
@@ -568,14 +578,26 @@ func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.Security
s.CapDrop = append(s.CapDrop, string(capability))
}
}
- if securityContext.RunAsUser != nil {
- s.User = fmt.Sprintf("%d", *securityContext.RunAsUser)
+ runAsUser := securityContext.RunAsUser
+ if runAsUser == nil {
+ runAsUser = podSecurityContext.RunAsUser
+ }
+ if runAsUser != nil {
+ s.User = fmt.Sprintf("%d", *runAsUser)
}
- if securityContext.RunAsGroup != nil {
+
+ runAsGroup := securityContext.RunAsGroup
+ if runAsGroup == nil {
+ runAsGroup = podSecurityContext.RunAsGroup
+ }
+ if runAsGroup != nil {
if s.User == "" {
s.User = "0"
}
- s.User = fmt.Sprintf("%s:%d", s.User, *securityContext.RunAsGroup)
+ s.User = fmt.Sprintf("%s:%d", s.User, *runAsGroup)
+ }
+ for _, group := range podSecurityContext.SupplementalGroups {
+ s.Groups = append(s.Groups, fmt.Sprintf("%d", group))
}
}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-08 14:33:57 +0000