Add permissions

docs/docs/100-Reference/01-command-line/acorn_app.md

@@ -19,6 +19,7 @@ acorn app
 ### Options
 
 ```
+  -a, --all             Include stopped apps
   -h, --help            help for app
   -o, --output string   Output format (json, yaml, {{gotemplate}})
   -q, --quiet           Output only names

docs/docs/100-Reference/01-command-line/acorn_dev.md

@@ -16,6 +16,7 @@ acorn dev [flags] DIRECTORY
 ### Options
 
 ```
+      --dangerous         Automatically approve all privileges requested by the application
   -d, --dns strings       Assign a friendly domain to a published container (format public:private) (ex: example.com:web)
   -f, --file string       Name of the dev file (default "DIRECTORY/acorn.cue")
   -h, --help              help for dev

docs/docs/100-Reference/01-command-line/acorn_dev_render.md

@@ -20,6 +20,7 @@ acorn dev render [flags] DIRECTORY
 ```
   -A, --all-namespaces      Namespace to work in
       --context string      Context to use in the kubeconfig file
+      --dangerous           Automatically approve all privileges requested by the application
   -d, --dns strings         Assign a friendly domain to a published container (format public:private) (ex: example.com:web)
   -f, --file string         Name of the dev file (default "DIRECTORY/acorn.cue")
       --kubeconfig string   Location of a kubeconfig file

docs/docs/100-Reference/01-command-line/acorn_run.md

@@ -12,6 +12,7 @@ acorn run [flags] IMAGE [deploy flags]
 ### Options
 
 ```
+      --dangerous         Automatically approve all privileges requested by the application
   -d, --dns strings       Assign a friendly domain to a published container (format public:private) (ex: example.com:web)
   -h, --help              help for run
   -i, --interactive       Stream logs/status in the foreground and stop on exit

docs/docs/100-Reference/01-command-line/acorn_update.md

@@ -12,6 +12,7 @@ acorn update [flags] APP_NAME [deploy flags]
 ### Options
 
 ```
+      --dangerous         Automatically approve all privileges requested by the application
   -d, --dns strings       Assign a friendly domain to a published container (format public:private) (ex: example.com:web)
   -h, --help              help for update
       --image string      

generate.go

@@ -1,7 +1,7 @@
 //go:generate go run github.com/acorn-io/baaah/cmd/deepcopy ./pkg/apis/internal.acorn.io/v1/
 //go:generate go run github.com/acorn-io/baaah/cmd/deepcopy ./pkg/apis/api.acorn.io/v1/
 //go:generate go run github.com/acorn-io/baaah/cmd/deepcopy ./pkg/apis/ui.acorn.io/v1/
-//go:generate go run k8s.io/kube-openapi/cmd/openapi-gen -i github.com/acorn-io/acorn/pkg/apis/internal.acorn.io/v1,github.com/acorn-io/acorn/pkg/apis/api.acorn.io/v1,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/runtime,k8s.io/apimachinery/pkg/version,k8s.io/apimachinery/pkg/api/resource,k8s.io/api/core/v1 -p ./pkg/openapi/generated -h tools/header.txt
+//go:generate go run k8s.io/kube-openapi/cmd/openapi-gen -i github.com/acorn-io/acorn/pkg/apis/internal.acorn.io/v1,github.com/acorn-io/acorn/pkg/apis/api.acorn.io/v1,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/runtime,k8s.io/apimachinery/pkg/version,k8s.io/apimachinery/pkg/api/resource,k8s.io/api/core/v1,k8s.io/api/rbac/v1 -p ./pkg/openapi/generated -h tools/header.txt
 //#go:generate go run k8s.io/code-generator/cmd/conversion-gen -i github.com/acorn-io/acorn/pkg/apis/api.acorn.io/v1 -p ./pkg/test/generated -h tools/header.txt
 
 package main

go.mod

@@ -16,7 +16,7 @@ replace (
 require (
 	cuelang.org/go v0.4.3
 	github.com/AlecAivazis/survey/v2 v2.3.5
-	github.com/acorn-io/baaah v0.0.0-20220627023500-fb2314473b8e
+	github.com/acorn-io/baaah v0.0.0-20220627212647-64d94b77b711
 	github.com/containerd/console v1.0.3
 	github.com/containerd/containerd v1.6.6
 	github.com/google/go-containerregistry v0.10.0

go.sum

@@ -192,8 +192,8 @@ github.com/acorn-io/apiserver v0.24.1-ot-1 h1:HPyswxxeEMq2gywsyQo+/fknhhl50SErvq
 github.com/acorn-io/apiserver v0.24.1-ot-1/go.mod h1:J41BYwfMMj7Mm6OfFX3mup3myklBebjEE5mfL6zm/Jg=
 github.com/acorn-io/apiserver-1 v0.0.0-20220608053213-0ffc3be57697 h1:zEzrL1ewSmEJSYdHamsxBO9JAf/z+xBC9mSq0oH6jkA=
 github.com/acorn-io/apiserver-1 v0.0.0-20220608053213-0ffc3be57697/go.mod h1:sG6OmZ4yEWeQ9JmGjnp8WgQAk9D9z4hivMFsUUh9QF8=
-github.com/acorn-io/baaah v0.0.0-20220627023500-fb2314473b8e h1:rR0fwLnWYZaNuwI8D0rcGYfS84DpdyQPmWnrs0QY9Vo=
-github.com/acorn-io/baaah v0.0.0-20220627023500-fb2314473b8e/go.mod h1:CSj9RfR9Ab5LsLmdAcJlrMtyz0tD1kfqAKiLnbkXDg0=
+github.com/acorn-io/baaah v0.0.0-20220627212647-64d94b77b711 h1:BmjCjeLZJDPhqn/+Nv6D1GIZ/1xD3kcidCOpO5GbtVc=
+github.com/acorn-io/baaah v0.0.0-20220627212647-64d94b77b711/go.mod h1:CSj9RfR9Ab5LsLmdAcJlrMtyz0tD1kfqAKiLnbkXDg0=
 github.com/acorn-io/component-base v0.24.1-ot-1 h1:GRbiCcCxZdKovA1L8eLFIvI9pJp3kJFOtKTOW7LSsQI=
 github.com/acorn-io/component-base v0.24.1-ot-1/go.mod h1:GLGWZB2NbdO0JXuNHLQ4IOAYnugwAXGRNmYxnb2GeKw=
 github.com/acorn-io/etcd/server/v3 v3.5.1-ot-1 h1:MlyJCGYCmK9g7y3qjRQChBjDRLcjuHgxDG+BBM6+IVI=

pkg/apis/internal.acorn.io/v1/appinstance.go

@@ -48,6 +48,7 @@ type AppInstanceSpec struct {
 	PublishProtocols []Protocol        `json:"publishProtocols,omitempty"`
 	Ports            []PortBinding     `json:"ports,omitempty"`
 	DeployArgs       GenericMap        `json:"deployArgs,omitempty"`
+	Permissions      *Permissions      `json:"permissions,omitempty"`
 }
 
 func (in AppInstanceSpec) GetDevMode() bool {

pkg/apis/internal.acorn.io/v1/appspec.go

@@ -1,5 +1,7 @@
 package v1
 
+import rbacv1 "k8s.io/api/rbac/v1"
+
 const (
 	VolumeRequestTypeEphemeral = "ephemeral"
 
@@ -142,6 +144,25 @@ type Dependency struct {
 	TargetName string `json:"targetName,omitempty"`
 }
 
+type Permissions struct {
+	Rules        []rbacv1.PolicyRule `json:"rules,omitempty"`
+	ClusterRules []rbacv1.PolicyRule `json:"clusterRules,omitempty"`
+}
+
+func (in *Permissions) HasRules() bool {
+	if in == nil {
+		return false
+	}
+	return len(in.ClusterRules) > 0 || len(in.Rules) > 0
+}
+
+func (in *Permissions) Get() Permissions {
+	if in == nil {
+		return Permissions{}
+	}
+	return *in
+}
+
 type Container struct {
 	Dirs         map[string]VolumeMount `json:"dirs,omitempty"`
 	Files        map[string]File        `json:"files,omitempty"`
@@ -155,6 +176,7 @@ type Container struct {
 	Ports        []PortDef              `json:"ports,omitempty"`
 	Probes       []Probe                `json:"probes,omitempty"`
 	Dependencies []Dependency           `json:"dependencies,omitempty"`
+	Permissions  *Permissions           `json:"permissions,omitempty"`
 
 	// Scale is only available on containers, not sidecars or jobs
 	Scale *int32 `json:"scale,omitempty"`
@@ -187,13 +209,16 @@ type AppSpec struct {
 }
 
 type Acorn struct {
-	Image      string           `json:"image,omitempty"`
-	Build      *AcornBuild      `json:"build,omitempty"`
-	DeployArgs GenericMap       `json:"deployArgs,omitempty"`
-	Ports      []PortDef        `json:"ports,omitempty"`
-	Secrets    []SecretBinding  `json:"secrets,omitempty"`
-	Volumes    []VolumeBinding  `json:"volumes,omitempty"`
-	Services   []ServiceBinding `json:"services,omitempty"`
+	Image        string              `json:"image,omitempty"`
+	Build        *AcornBuild         `json:"build,omitempty"`
+	DeployArgs   GenericMap          `json:"deployArgs,omitempty"`
+	Ports        []PortDef           `json:"ports,omitempty"`
+	Secrets      []SecretBinding     `json:"secrets,omitempty"`
+	Volumes      []VolumeBinding     `json:"volumes,omitempty"`
+	Services     []ServiceBinding    `json:"services,omitempty"`
+	Roles        []rbacv1.PolicyRule `json:"roles,omitempty"`
+	ClusterRoles []rbacv1.PolicyRule `json:"clusterRoles,omitempty"`
+	Permissions  *Permissions        `json:"permissions,omitempty"`
 }
 
 type Secret struct {

pkg/appdefinition/appdefinition_test.go

@@ -1751,3 +1751,81 @@ profiles: foo: build: {}
 	_, _, err = def.WithDeployArgs(nil, []string{"missing"})
 	assert.Equal(t, "failed to find deploy profile missing", err.Error())
 }
+
+func TestPermissions(t *testing.T) {
+	acornCue := `
+localData: permissions: {
+  rules: [
+    {
+      verbs: ["verb"]
+      apiGroups: ["groups"]
+      resources: ["resources"]
+      resourceNames: ["names"]
+      nonResourceURLs: ["foo"]
+    }
+  ]
+  clusterRules: [
+    {
+      verbs: ["verb"]
+      apiGroups: ["groups"]
+      resources: ["resources"]
+      resourceNames: ["names"]
+      nonResourceURLs: ["foo"]
+    }
+  ]
+}
+
+containers: cont: {
+  permissions: localData.permissions
+  sidecars: side: permissions: localData.permissions
+}
+
+acorns: acorn: permissions: localData.permissions
+`
+
+	def, err := NewAppDefinition([]byte(acornCue))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	appSpec, err := def.AppSpec()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Equal(t, "verb", appSpec.Containers["cont"].Permissions.Rules[0].Verbs[0])
+	assert.Equal(t, "groups", appSpec.Containers["cont"].Permissions.Rules[0].APIGroups[0])
+	assert.Equal(t, "resources", appSpec.Containers["cont"].Permissions.Rules[0].Resources[0])
+	assert.Equal(t, "names", appSpec.Containers["cont"].Permissions.Rules[0].ResourceNames[0])
+	assert.Equal(t, "foo", appSpec.Containers["cont"].Permissions.Rules[0].NonResourceURLs[0])
+
+	assert.Equal(t, "verb", appSpec.Containers["cont"].Permissions.ClusterRules[0].Verbs[0])
+	assert.Equal(t, "groups", appSpec.Containers["cont"].Permissions.ClusterRules[0].APIGroups[0])
+	assert.Equal(t, "resources", appSpec.Containers["cont"].Permissions.ClusterRules[0].Resources[0])
+	assert.Equal(t, "names", appSpec.Containers["cont"].Permissions.ClusterRules[0].ResourceNames[0])
+	assert.Equal(t, "foo", appSpec.Containers["cont"].Permissions.ClusterRules[0].NonResourceURLs[0])
+
+	assert.Equal(t, "verb", appSpec.Containers["cont"].Sidecars["side"].Permissions.Rules[0].Verbs[0])
+	assert.Equal(t, "groups", appSpec.Containers["cont"].Sidecars["side"].Permissions.Rules[0].APIGroups[0])
+	assert.Equal(t, "resources", appSpec.Containers["cont"].Sidecars["side"].Permissions.Rules[0].Resources[0])
+	assert.Equal(t, "names", appSpec.Containers["cont"].Sidecars["side"].Permissions.Rules[0].ResourceNames[0])
+	assert.Equal(t, "foo", appSpec.Containers["cont"].Sidecars["side"].Permissions.Rules[0].NonResourceURLs[0])
+
+	assert.Equal(t, "verb", appSpec.Containers["cont"].Sidecars["side"].Permissions.ClusterRules[0].Verbs[0])
+	assert.Equal(t, "groups", appSpec.Containers["cont"].Sidecars["side"].Permissions.ClusterRules[0].APIGroups[0])
+	assert.Equal(t, "resources", appSpec.Containers["cont"].Sidecars["side"].Permissions.ClusterRules[0].Resources[0])
+	assert.Equal(t, "names", appSpec.Containers["cont"].Sidecars["side"].Permissions.ClusterRules[0].ResourceNames[0])
+	assert.Equal(t, "foo", appSpec.Containers["cont"].Sidecars["side"].Permissions.ClusterRules[0].NonResourceURLs[0])
+
+	assert.Equal(t, "verb", appSpec.Acorns["acorn"].Permissions.Rules[0].Verbs[0])
+	assert.Equal(t, "groups", appSpec.Acorns["acorn"].Permissions.Rules[0].APIGroups[0])
+	assert.Equal(t, "resources", appSpec.Acorns["acorn"].Permissions.Rules[0].Resources[0])
+	assert.Equal(t, "names", appSpec.Acorns["acorn"].Permissions.Rules[0].ResourceNames[0])
+	assert.Equal(t, "foo", appSpec.Acorns["acorn"].Permissions.Rules[0].NonResourceURLs[0])
+
+	assert.Equal(t, "verb", appSpec.Acorns["acorn"].Permissions.ClusterRules[0].Verbs[0])
+	assert.Equal(t, "groups", appSpec.Acorns["acorn"].Permissions.ClusterRules[0].APIGroups[0])
+	assert.Equal(t, "resources", appSpec.Acorns["acorn"].Permissions.ClusterRules[0].Resources[0])
+	assert.Equal(t, "names", appSpec.Acorns["acorn"].Permissions.ClusterRules[0].ResourceNames[0])
+	assert.Equal(t, "foo", appSpec.Acorns["acorn"].Permissions.ClusterRules[0].NonResourceURLs[0])
+}

pkg/cli/apps.go

@@ -21,6 +21,7 @@ acorn app`,
 }
 
 type App struct {
+	All    bool   `usage:"Include stopped apps" short:"a"`
 	Quiet  bool   `usage:"Output only names" short:"q"`
 	Output string `usage:"Output format (json, yaml, {{gotemplate}})" short:"o"`
 }
@@ -48,6 +49,9 @@ func (a *App) Run(cmd *cobra.Command, args []string) error {
 	}
 
 	for _, app := range apps {
+		if app.Status.Stopped && !a.All {
+			continue
+		}
 		if len(args) > 0 {
 			if slices.Contains(args, app.Name) {
 				out.Write(app)

pkg/cli/dev.go

@@ -49,6 +49,7 @@ func (s *Dev) Run(cmd *cobra.Command, args []string) error {
 			Cwd:      cwd,
 			Profiles: opts.Profiles,
 		},
-		Run: opts,
+		Run:       opts,
+		Dangerous: s.Dangerous,
 	})
 }

pkg/cli/info.go

@@ -7,6 +7,7 @@ import (
 	"github.com/acorn-io/acorn/pkg/client"
 	"github.com/acorn-io/acorn/pkg/tables"
 	"github.com/acorn-io/acorn/pkg/version"
+	bversion "github.com/acorn-io/baaah/pkg/version"
 	"github.com/spf13/cobra"
 )
 
@@ -26,7 +27,7 @@ type Info struct {
 
 type ClientServerVersion struct {
 	Client struct {
-		Version version.Version `json:"version,omitempty"`
+		Version bversion.Version `json:"version,omitempty"`
 	} `json:"client,omitempty"`
 	Server apiv1.InfoSpec `json:"server,omitempty"`
 }
@@ -45,7 +46,7 @@ func (s *Info) Run(cmd *cobra.Command, args []string) error {
 	out := table.NewWriter(tables.Info, "", false, s.Output)
 	out.Write(ClientServerVersion{
 		Client: struct {
-			Version version.Version `json:"version,omitempty"`
+			Version bversion.Version `json:"version,omitempty"`
 		}{Version: version.Get()},
 		Server: info.Spec,
 	})

pkg/cli/run.go

@@ -10,6 +10,7 @@ import (
 	"github.com/acorn-io/acorn/pkg/client"
 	"github.com/acorn-io/acorn/pkg/deployargs"
 	"github.com/acorn-io/acorn/pkg/dev"
+	"github.com/acorn-io/acorn/pkg/rulerequest"
 	"github.com/acorn-io/acorn/pkg/run"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -40,6 +41,7 @@ type RunArgs struct {
 	PublishAll bool     `usage:"Publish all exposed ports of application" short:"P"`
 	Publish    []string `usage:"Publish exposed port of application (format [public:]private) (ex 81:80)" short:"p"`
 	Profile    []string `usage:"Profile to assign default values"`
+	Dangerous  bool     `usage:"Automatically approve all privileges requested by the application"`
 }
 
 func (s RunArgs) ToOpts() (client.AppRunOptions, error) {
@@ -109,7 +111,7 @@ func (s *Run) Run(cmd *cobra.Command, args []string) error {
 
 	opts.DeployArgs = deployParams
 
-	app, err := c.AppRun(cmd.Context(), image, &opts)
+	app, err := rulerequest.PromptRun(cmd.Context(), c, s.Dangerous, image, opts)
 	if err != nil {
 		return err
 	}