feat: add securityContext/containerSecurityContext to minioJob (#2122)
feat: add securityContext to minioJob

add securityContext to minioJob
jiuker authored May 15, 2024
1 parent c6d57c4 commit 7ae65b2
Showing 7 changed files with 303 additions and 9 deletions.
127 changes: 126 additions & 1 deletion helm/operator/templates/job.min.io_jobs.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
operator.min.io/version: v5.0.15
name: miniojobs.job.min.io
spec:
Expand Down Expand Up @@ -55,6 +55,67 @@ spec:
- op
type: object
type: array
containerSecurityContext:
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
properties:
add:
items:
type: string
type: array
drop:
items:
type: string
type: array
type: object
privileged:
type: boolean
procMount:
type: string
readOnlyRootFilesystem:
type: boolean
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
required:
- type
type: object
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
execution:
default: parallel
enum:
Expand All @@ -70,6 +131,70 @@ spec:
mcImage:
default: minio/mc:latest
type: string
securityContext:
properties:
fsGroup:
format: int64
type: integer
fsGroupChangePolicy:
type: string
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
required:
- type
type: object
supplementalGroups:
items:
format: int64
type: integer
type: array
sysctls:
items:
properties:
name:
type: string
value:
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
serviceAccountName:
type: string
tenant:
2 changes: 1 addition & 1 deletion helm/operator/templates/minio.min.io_tenants.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
operator.min.io/version: v5.0.15
name: tenants.minio.min.io
spec:
28 changes: 28 additions & 0 deletions pkg/apis/job.min.io/v1alpha1/types.go
@@ -1,6 +1,7 @@
package v1alpha1

import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -97,6 +98,33 @@ type MinIOJobSpec struct {
// +optional
// +kubebuilder:default="minio/mc:latest"
MCImage string `json:"mcImage,omitempty"`

// *Optional* +
//
// Specify the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] of pods in the pool. The Operator supports only the following pod security fields: +
//
// * `fsGroup` +
//
// * `fsGroupChangePolicy` +
//
// * `runAsGroup` +
//
// * `runAsNonRoot` +
//
// * `runAsUser` +
//
// +optional
SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
// Specify the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] of containers in the pool. The Operator supports only the following container security fields: +
//
// * `runAsGroup` +
//
// * `runAsNonRoot` +
//
// * `runAsUser` +
//
// +optional
ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
}

// CommandSpec (`spec`) defines the configuration of a MinioClient Command.
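Review bot: The doc comment on `SecurityContext` (the lines after `MCImage`) talks about "pods in the pool" and claims the Operator supports only the five listed fields, but this is `MinIOJobSpec` and nothing in the commit enforces that list: the generated schema in `job.min.io_miniojobs.yaml` accepts the full `PodSecurityContext` (seLinuxOptions, seccompProfile, supplementalGroups, sysctls, windowsOptions), and `CreateJob` in `pkg/utils/miniojob/types.go` assigns both pointers to the pod and container spec as-is, so every field is honored as written as far as the visible hunks show. The same wording problem affects `ContainerSecurityContext`, whose schema additionally accepts `privileged`, `allowPrivilegeEscalation` and `capabilities` while the comment lists only the `runAs*` fields. Suggest documenting what actually happens, e.g. `// SecurityContext is applied verbatim as the job pod's securityContext; all PodSecurityContext fields are accepted and no defaults are added, so cluster admission policy is what bounds it.` with the equivalent sentence on the container field, and giving `ContainerSecurityContext` the same `// *Optional* +` lead-in and preceding blank line as `SecurityContext`. `MinIOJobSpec` begins before the hunk.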
8 changes: 4 additions & 4 deletions pkg/controller/job-controller.go
Expand Up @@ -219,10 +219,6 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
globalIntervalJobStatus.Delete(fmt.Sprintf("%s/%s", jobCR.Namespace, jobCR.Name))
return WrapResult(Result{}, nil)
}
intervalJob, err := checkMinIOJob(&jobCR)
if err != nil {
return WrapResult(Result{}, err)
}
// get tenant
tenant := &miniov2.Tenant{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -258,6 +254,10 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
if !saFound {
return WrapResult(Result{}, fmt.Errorf("no serviceaccount found"))
}
intervalJob, err := checkMinIOJob(&jobCR)
if err != nil {
return WrapResult(Result{}, err)
}
err = intervalJob.CreateCommandJob(ctx, c.k8sClient)
if err != nil {
jobCR.Status.Phase = miniojob.MinioJobPhaseError
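Review bot: Nothing records why `checkMinIOJob(&jobCR)` moved from before the tenant lookup (first hunk) to after the service-account check (second hunk, just before `CreateCommandJob`); the commit message only mentions securityContext. The visible effect is that a job with an invalid spec now goes through the tenant fetch and the service-account lookup before being rejected, and any validation of the new `securityContext`/`containerSecurityContext` fields, if one is intended there, runs later too. A one-line comment above the call would save the next reader the archaeology, e.g. `// Validate the spec only once tenant and service account are resolved: <reason>`. Since the first hunk removes the `intervalJob, err :=` declaration, the code between the two hunks (outside SOURCE) must now declare `err` itself; presumably it does, but it is worth a glance. `SyncHandler` starts and ends outside both hunks.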
18 changes: 17 additions & 1 deletion pkg/utils/miniojob/types.go
Expand Up @@ -193,7 +193,23 @@ func (jobCommand *MinIOIntervalJobCommand) CreateJob(ctx context.Context, k8sCli
Value: "/var/run/secrets/kubernetes.io/serviceaccount/token",
},
},
Command: jobCommands,
Command: jobCommands,
SecurityContext: jobCR.Spec.ContainerSecurityContext,
VolumeMounts: []corev1.VolumeMount{
{
Name: "config-dir",
MountPath: "/.mc",
},
},
},
},
SecurityContext: jobCR.Spec.SecurityContext,
Volumes: []corev1.Volume{
{
Name: "config-dir",
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
},
},
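Review bot: The new `config-dir` emptyDir mounted at `/.mc` has no comment explaining why a security-context change needs a volume, and the commit message does not mention it; presumably `mc` needs a writable config directory once the container runs as a non-root user or with `readOnlyRootFilesystem`, but that belongs next to the mount, e.g. `// mc writes its config under $HOME/.mc; an emptyDir keeps it writable when the job runs as non-root or on a read-only root filesystem.` Both `SecurityContext` assignments copy the CR fields with no defaults, so a job that sets neither runs with the image's defaults and one that sets `privileged` or `capabilities.add` gets exactly that; a short comment at the assignment stating that the CRD does not bound these values and that admission policy must would help operators reading this. `CreateJob` begins before the hunk and its argument lists continue past it.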
127 changes: 126 additions & 1 deletion resources/base/crds/job.min.io_miniojobs.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
operator.min.io/version: v5.0.15
name: miniojobs.job.min.io
spec:
Expand Down Expand Up @@ -55,6 +55,67 @@ spec:
- op
type: object
type: array
containerSecurityContext:
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
properties:
add:
items:
type: string
type: array
drop:
items:
type: string
type: array
type: object
privileged:
type: boolean
procMount:
type: string
readOnlyRootFilesystem:
type: boolean
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
required:
- type
type: object
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
execution:
default: parallel
enum:
Expand All @@ -70,6 +131,70 @@ spec:
mcImage:
default: minio/mc:latest
type: string
securityContext:
properties:
fsGroup:
format: int64
type: integer
fsGroupChangePolicy:
type: string
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
required:
- type
type: object
supplementalGroups:
items:
format: int64
type: integer
type: array
sysctls:
items:
properties:
name:
type: string
value:
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
serviceAccountName:
type: string
tenant:
