From 641f8f8932e940127c0babdf52abc7e507f90133 Mon Sep 17 00:00:00 2001 From: Suraj Narwade Date: Wed, 2 Aug 2017 15:38:54 +0530 Subject: [PATCH] Added support for `group_add` key This PR will add support for `group_add` key which will map to supplemental group in pod security context. --- pkg/kobject/kobject.go | 1 + pkg/loader/compose/v1v2.go | 22 +++ pkg/transformer/kubernetes/k8sutils.go | 5 + pkg/transformer/kubernetes/kubernetes_test.go | 1 + script/test/cmd/tests.sh | 11 ++ .../envvars-separators/output-k8s.json | 8 +- script/test/fixtures/etherpad/output-os.json | 16 +-- .../group-add/docker-compose-fail.yml | 6 + .../fixtures/group-add/docker-compose.yml | 6 + .../test/fixtures/group-add/output-k8s.json | 73 ++++++++++ script/test/fixtures/group-add/output-os.json | 125 ++++++++++++++++++ .../output-k8s-restart-onfail.json | 1 - .../volumes-from/output-k8s-case.json | 16 +-- .../volumes-from/output-os-case.json | 16 +-- 14 files changed, 278 insertions(+), 29 deletions(-) create mode 100644 script/test/fixtures/group-add/docker-compose-fail.yml create mode 100644 script/test/fixtures/group-add/docker-compose.yml create mode 100644 script/test/fixtures/group-add/output-k8s.json create mode 100644 script/test/fixtures/group-add/output-os.json diff --git a/pkg/kobject/kobject.go b/pkg/kobject/kobject.go index f5f4ce9db..a61c50ba9 100644 --- a/pkg/kobject/kobject.go +++ b/pkg/kobject/kobject.go @@ -98,6 +98,7 @@ type ServiceConfig struct { TmpFs []string `compose:"tmpfs"` Dockerfile string `compose:"dockerfile"` Replicas int `compose:"replicas"` + GroupAdd []int64 `compose:"group_add"` // Volumes is a struct which contains all information about each volume Volumes []Volumes `compose:""` } diff --git a/pkg/loader/compose/v1v2.go b/pkg/loader/compose/v1v2.go index d45bbe909..9ae979cd5 100644 --- a/pkg/loader/compose/v1v2.go +++ b/pkg/loader/compose/v1v2.go 
@@ -264,6 +264,14 @@ func libComposeToKomposeMapping(composeObject *project.Project) (kobject.Kompose serviceConfig.MemLimit = composeServiceConfig.MemLimit serviceConfig.TmpFs = composeServiceConfig.Tmpfs serviceConfig.StopGracePeriod = composeServiceConfig.StopGracePeriod + + // Get GroupAdd, group should be mentioned in gid format but not the group name + groupAdd, err := getGroupAdd(composeServiceConfig.GroupAdd) + if err != nil { + return kobject.KomposeObject{}, errors.Wrap(err, "GroupAdd should be mentioned in gid format, not a group name") + } + serviceConfig.GroupAdd = groupAdd + komposeObject.ServiceConfigs[normalizeServiceNames(name)] = serviceConfig if normalizeServiceNames(name) != name { log.Infof("Service name in docker-compose has been changed from %q to %q", name, normalizeServiceNames(name)) @@ -390,3 +398,17 @@ func getVol(toFind kobject.Volumes, Vols []kobject.Volumes) (bool, kobject.Volum } return false, kobject.Volumes{} } + +// getGroupAdd will return group in int64 format +func getGroupAdd(group []string) ([]int64, error) { + var groupAdd []int64 + for _, i := range group { + j, err := strconv.Atoi(i) + if err != nil { + return nil, errors.Wrap(err, "unable to get group_add key") + } + groupAdd = append(groupAdd, int64(j)) + + } + return groupAdd, nil +} diff --git a/pkg/transformer/kubernetes/k8sutils.go b/pkg/transformer/kubernetes/k8sutils.go index 2ef5d8893..f9a1648c1 100644 --- a/pkg/transformer/kubernetes/k8sutils.go +++ b/pkg/transformer/kubernetes/k8sutils.go @@ -431,6 +431,11 @@ func (k *Kubernetes) UpdateKubernetesObjects(name string, service kobject.Servic } } + //set supplementalGroups + if service.GroupAdd != nil { + podSecurityContext.SupplementalGroups = service.GroupAdd + } + // Setup security context securityContext := &api.SecurityContext{} if service.Privileged { diff --git a/pkg/transformer/kubernetes/kubernetes_test.go b/pkg/transformer/kubernetes/kubernetes_test.go index 343bfdd59..2b31dea62 100644 
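Review bot: The error returned after the `getGroupAdd` call in `libComposeToKomposeMapping` never names the service whose `group_add` entry was rejected, and it stacks a second message on top of the one `getGroupAdd` already wraps. With several services in one compose file the user cannot tell which one to fix. Since `name` is in scope here, a single wrap such as `return kobject.KomposeObject{}, errors.Wrapf(err, "service %q: group_add entries must be numeric GIDs, not group names", name)` would be clearer. The enclosing function starts and ends outside this hunk.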
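Review bot: `getGroupAdd` accepts anything `strconv.Atoi` can parse, so a negative entry such as "-1" or a value far outside the GID range is converted and written into the pod's `supplementalGroups` instead of being rejected at conversion time. Since these values end up in a security context, validate the range here: `j, err := strconv.ParseInt(i, 10, 32)` followed by `if err != nil || j < 0 { return nil, errors.Errorf("group_add entry %q is not a valid GID", i) }`. I believe 0 to 2147483647 matches what the Kubernetes API accepts for group IDs, but that is worth confirming. That form also puts the offending value in the message and makes the `int64(j)` conversion unnecessary. Note that "0" (the root group) remains valid input, so a doc comment on the function stating that GID 0 is passed through unchanged would help reviewers of generated manifests.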
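Review bot: The comment `//set supplementalGroups` in `UpdateKubernetesObjects` does not say where the values come from or how far they reach. Compose's `group_add` is set per service, while `podSecurityContext.SupplementalGroups` is a pod-level setting. Something like `// group_add maps to the pod-level supplementalGroups, so these GIDs apply to every container in the pod` would make that scope explicit. The assignment also shares the backing array with `service.GroupAdd`; that looks harmless as long as neither side appends later, but a copy would remove the coupling. The enclosing function continues outside this hunk.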
--- a/pkg/transformer/kubernetes/kubernetes_test.go +++ b/pkg/transformer/kubernetes/kubernetes_test.go @@ -55,6 +55,7 @@ func newServiceConfig() kobject.ServiceConfig { TmpFs: []string{"/tmp"}, Replicas: 2, Volumes: []kobject.Volumes{{SvcName: "app", MountPath: "/tmp/volume", PVCName: "app-claim0"}}, + GroupAdd: []int64{1003, 1005}, } } diff --git a/script/test/cmd/tests.sh b/script/test/cmd/tests.sh index 8ca4efa0d..9e0c19996 100755 --- a/script/test/cmd/tests.sh +++ b/script/test/cmd/tests.sh @@ -174,6 +174,17 @@ convert::expect_success "kompose -f $KOMPOSE_ROOT/script/test/fixtures/tty-true/ # openshift test convert::expect_success "kompose --provider openshift -f $KOMPOSE_ROOT/script/test/fixtures/tty-true/docker-compose.yml convert --stdout -j" "$KOMPOSE_ROOT/script/test/fixtures/tty-true/output-oc.json" +# Test related to "group_add" in docker-compose +# kubernetes test +convert::expect_success "kompose -f $KOMPOSE_ROOT/script/test/fixtures/group-add/docker-compose.yml convert --stdout -j" "$KOMPOSE_ROOT/script/test/fixtures/group-add/output-k8s.json" +# openshift test +convert::expect_success "kompose --provider openshift -f $KOMPOSE_ROOT/script/test/fixtures/group-add/docker-compose.yml convert --stdout -j" "$KOMPOSE_ROOT/script/test/fixtures/group-add/output-os.json" + +# Test related to Failing "group_add" in docker-compose +# kubernetes test +convert::expect_failure "kompose -f $KOMPOSE_ROOT/script/test/fixtures/group-add/docker-compose-fail.yml convert --stdout -j" +# openshift test +convert::expect_failure "kompose --provider openshift -f $KOMPOSE_ROOT/script/test/fixtures/group-add/docker-compose-fail.yml convert --stdout -j" # Test related to kompose.expose.service label in docker compose file to ensure that services are exposed properly #kubernetes tests diff --git a/script/test/fixtures/envvars-separators/output-k8s.json b/script/test/fixtures/envvars-separators/output-k8s.json index 727b6dd86..9de9c2cd5 100644 
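Review bot: `newServiceConfig` now sets `GroupAdd: []int64{1003, 1005}`, but the diffstat shows this is the only line changed in `kubernetes_test.go`, so no Go unit test asserts that the generated pod template carries those GIDs in `SecurityContext.SupplementalGroups`. The mapping is exercised only through the JSON fixtures in `tests.sh`. I would add an assertion next to the existing pod-template checks comparing the template's supplemental groups with `config.GroupAdd`. A small table test for `getGroupAdd` covering "1234", "mail", "-1" and an empty list would also help, since the patch adds no test for that function.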
--- a/script/test/fixtures/envvars-separators/output-k8s.json +++ b/script/test/fixtures/envvars-separators/output-k8s.json @@ -1047,6 +1047,10 @@ "name": "hygieia-udeploy", "image": "hygieia-udeploy-collector:latest", "env": [ + { + "name": "UDEPLOY_PASSWORD", + "value": "-s3cr3t" + }, { "name": "UDEPLOY_URL", "value": "-http://udeploy.company.com" @@ -1054,10 +1058,6 @@ { "name": "UDEPLOY_USERNAME", "value": "-bobama" - }, - { - "name": "UDEPLOY_PASSWORD", - "value": "-s3cr3t" } ], "resources": {}, diff --git a/script/test/fixtures/etherpad/output-os.json b/script/test/fixtures/etherpad/output-os.json index 6b0edf7e3..b41d0a46e 100644 --- a/script/test/fixtures/etherpad/output-os.json +++ b/script/test/fixtures/etherpad/output-os.json @@ -111,24 +111,24 @@ ], "env": [ { - "name": "DB_PASS", + "name": "DB_DBID", "value": "etherpad" }, { - "name": "DB_PORT", - "value": "3306" + "name": "DB_HOST", + "value": "mariadb" }, { - "name": "DB_USER", + "name": "DB_PASS", "value": "etherpad" }, { - "name": "DB_DBID", - "value": "etherpad" + "name": "DB_PORT", + "value": "3306" }, { - "name": "DB_HOST", - "value": "mariadb" + "name": "DB_USER", + "value": "etherpad" } ], "resources": {} diff --git a/script/test/fixtures/group-add/docker-compose-fail.yml b/script/test/fixtures/group-add/docker-compose-fail.yml new file mode 100644 index 000000000..dd3a51c63 --- /dev/null +++ b/script/test/fixtures/group-add/docker-compose-fail.yml @@ -0,0 +1,6 @@ +version: '2' +services: + myservice: + image: alpine + group_add: + - "mail" diff --git a/script/test/fixtures/group-add/docker-compose.yml b/script/test/fixtures/group-add/docker-compose.yml new file mode 100644 index 000000000..1231fbfc2 --- /dev/null +++ b/script/test/fixtures/group-add/docker-compose.yml @@ -0,0 +1,6 @@ +version: '2' +services: + myservice: + image: alpine + group_add: + - "1234" 
diff --git a/script/test/fixtures/group-add/output-k8s.json b/script/test/fixtures/group-add/output-k8s.json new file mode 100644 index 000000000..2646923ee --- /dev/null +++ b/script/test/fixtures/group-add/output-k8s.json @@ -0,0 +1,73 @@ +{ + "kind": "List", + "apiVersion": "v1", + "metadata": {}, + "items": [ + { + "kind": "Service", + "apiVersion": "v1", + "metadata": { + "name": "myservice", + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "ports": [ + { + "name": "headless", + "port": 55555, + "targetPort": 0 + } + ], + "selector": { + "io.kompose.service": "myservice" + }, + "clusterIP": "None" + }, + "status": { + "loadBalancer": {} + } + }, + { + "kind": "Deployment", + "apiVersion": "extensions/v1beta1", + "metadata": { + "name": "myservice", + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "replicas": 1, + "template": { + "metadata": { + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "containers": [ + { + "name": "myservice", + "image": "alpine", + "resources": {} + } + ], + "restartPolicy": "Always", + "securityContext": { + "supplementalGroups": [ + 1234 + ] + } + } + }, + "strategy": {} + }, + "status": {} + } + ] +} diff --git a/script/test/fixtures/group-add/output-os.json b/script/test/fixtures/group-add/output-os.json new file mode 100644 index 000000000..e4e758015 --- /dev/null +++ b/script/test/fixtures/group-add/output-os.json 
@@ -0,0 +1,125 @@ +{ + "kind": "List", + "apiVersion": "v1", + "metadata": {}, + "items": [ + { + "kind": "Service", + "apiVersion": "v1", + "metadata": { + "name": "myservice", + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "ports": [ + { + "name": "headless", + "port": 55555, + "targetPort": 0 + } + ], + "selector": { + "io.kompose.service": "myservice" + }, + "clusterIP": "None" + }, + "status": { + "loadBalancer": {} + } + }, + { + "kind": "DeploymentConfig", + "apiVersion": "v1", + "metadata": { + "name": "myservice", + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "strategy": { + "resources": {} + }, + "triggers": [ + { + "type": "ConfigChange" + }, + { + "type": "ImageChange", + "imageChangeParams": { + "automatic": true, + "containerNames": [ + "myservice" + ], + "from": { + "kind": "ImageStreamTag", + "name": "myservice:latest" + } + } + } + ], + "replicas": 1, + "test": false, + "selector": { + "io.kompose.service": "myservice" + }, + "template": { + "metadata": { + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "containers": [ + { + "name": "myservice", + "image": " ", + "resources": {} + } + ], + "restartPolicy": "Always", + "securityContext": { + "supplementalGroups": [ + 1234 + ] + } + } + } + }, + "status": {} + }, + { + "kind": "ImageStream", + "apiVersion": "v1", + "metadata": { + "name": "myservice", + "creationTimestamp": null, + "labels": { + "io.kompose.service": "myservice" + } + }, + "spec": { + "tags": [ + { + "name": "latest", + "annotations": null, + "from": { + "kind": "DockerImage", + "name": "alpine" + }, + "generation": null, + "importPolicy": {} + } + ] + }, + "status": { + "dockerImageRepository": "" + } + } + ] +} 
diff --git a/script/test/fixtures/restart-options/output-k8s-restart-onfail.json b/script/test/fixtures/restart-options/output-k8s-restart-onfail.json index 5fa99de77..dc286df6d 100644 --- a/script/test/fixtures/restart-options/output-k8s-restart-onfail.json +++ b/script/test/fixtures/restart-options/output-k8s-restart-onfail.json @@ -33,4 +33,3 @@ } ] } - diff --git a/script/test/fixtures/volume-mounts/volumes-from/output-k8s-case.json b/script/test/fixtures/volume-mounts/volumes-from/output-k8s-case.json index bab8e3cd5..f8c78995f 100644 --- a/script/test/fixtures/volume-mounts/volumes-from/output-k8s-case.json +++ b/script/test/fixtures/volume-mounts/volumes-from/output-k8s-case.json @@ -106,15 +106,15 @@ "spec": { "volumes": [ { - "name": "bar-claim1", + "name": "foo-claim0", "persistentVolumeClaim": { - "claimName": "bar-claim1" + "claimName": "foo-claim0" } }, { - "name": "foo-claim0", + "name": "bar-claim1", "persistentVolumeClaim": { - "claimName": "foo-claim0" + "claimName": "bar-claim1" } }, { @@ -140,14 +140,14 @@ ], "resources": {}, "volumeMounts": [ - { - "name": "bar-claim1", - "mountPath": "/bar" - }, { "name": "foo-claim0", "mountPath": "/foo1" }, + { + "name": "bar-claim1", + "mountPath": "/bar" + }, { "name": "foo-claim1", "mountPath": "/foo2" diff --git a/script/test/fixtures/volume-mounts/volumes-from/output-os-case.json b/script/test/fixtures/volume-mounts/volumes-from/output-os-case.json index e01251d2f..eafb57284 100644 --- a/script/test/fixtures/volume-mounts/volumes-from/output-os-case.json +++ b/script/test/fixtures/volume-mounts/volumes-from/output-os-case.json @@ -132,15 +132,15 @@ "spec": { "volumes": [ { - "name": "bar-claim1", + "name": "foo-claim0", "persistentVolumeClaim": { - "claimName": "bar-claim1" + "claimName": "foo-claim0" } }, { - "name": "foo-claim0", + "name": "bar-claim1", "persistentVolumeClaim": { - "claimName": "foo-claim0" + "claimName": "bar-claim1" } }, { 
@@ -166,14 +166,14 @@ ], "resources": {}, "volumeMounts": [ - { - "name": "bar-claim1", - "mountPath": "/bar" - }, { "name": "foo-claim0", "mountPath": "/foo1" }, + { + "name": "bar-claim1", + "mountPath": "/bar" + }, { "name": "foo-claim1", "mountPath": "/foo2"