Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Global floatingUserId #577

Merged
merged 1 commit into from
Aug 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
changelog:
- type: NEW_FEATURE
issueLink: https://github.com/solo-io/gloo/issues/5034
resolvesIssue: false
description: |
Adds the ability to render deployments templates with a reference global floatingUserId field. This field is used to globally unset
the runAsUser field in container securityContexts (like the painter's floatingUserId) and supresses the rendering of the
pod's securityContext. This feature is enabled by setting the GlobalFloatingUserIdPath in the Operator to the path of the global field,
and defaults to an empty string.
99 changes: 99 additions & 0 deletions codegen/cmd_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2341,6 +2341,105 @@ roleRef:
}),
)

DescribeTable("rendering with GlobalFloatingUserId",
func(floatingUserId bool) {
cmd := &Command{
Chart: &Chart{
Operators: []Operator{
{
Name: "painter",
Deployment: Deployment{
Container: Container{
Image: Image{
Tag: "v0.0.0",
Repository: "painter",
Registry: "quay.io/solo-io",
PullPolicy: "IfNotPresent",
},
},
},
GlobalFloatingUserIdPath: ".Values.global.securitySettings.floatingUserId",
},
},
// Because the global override comes from .Values it has to be set here, not on the painter
Values: map[string]interface{}{
"global": map[string]interface{}{
"securitySettings": map[string]interface{}{
"floatingUserId": floatingUserId,
},
},
},
Data: Data{
ApiVersion: "v1",
Description: "",
Name: "Painting Operator",
Version: "v0.0.1",
Home: "https://docs.solo.io/skv2/latest",
Sources: []string{
"https://github.com/solo-io/skv2",
},
},
},

ManifestRoot: "codegen/test/chart",
}

err := cmd.Execute()
Expect(err).NotTo(HaveOccurred())

runAsUser := 202020
runAsGroup := 999
painterValues := map[string]interface{}{
"enabled": true,
"runAsUser": runAsUser,
"podSecurityContext": map[string]interface{}{
"runAsUser": runAsUser,
"fsGroup": runAsGroup,
},
}

helmValues := map[string]interface{}{"painter": painterValues}

renderedManifests := helmTemplate("./codegen/test/chart", helmValues)

var renderedDeployment *appsv1.Deployment
decoder := kubeyaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(renderedManifests), 4096)
for {
obj := &unstructured.Unstructured{}
err := decoder.Decode(obj)
if err != nil {
break
}
if obj.GetName() != "painter" || obj.GetKind() != "Deployment" {
continue
}

bytes, err := obj.MarshalJSON()
Expect(err).NotTo(HaveOccurred())
renderedDeployment = &appsv1.Deployment{}
err = json.Unmarshal(bytes, renderedDeployment)
Expect(err).NotTo(HaveOccurred())
}

Expect(renderedDeployment).NotTo(BeNil())
renderedRunAsUser := renderedDeployment.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser
renderedPodSecurityContext := renderedDeployment.Spec.Template.Spec.SecurityContext

// When using the global floatingUserId, the container runAsUser and RunAsUser should not be set
if floatingUserId {
Expect(renderedRunAsUser).To(BeNil())
Expect(renderedPodSecurityContext).To(BeNil())
} else {
Expect(*renderedRunAsUser).To(Equal(int64(runAsUser)))
Expect(*renderedPodSecurityContext.RunAsUser).To(Equal(int64(runAsUser)))
Expect(*renderedPodSecurityContext.FSGroup).To(Equal(int64(runAsGroup)))
}

},
Entry("Global floatingUserId is true", true),
Entry("Global floatingUserId is false", false),
)

Describe("rendering template env vars", func() {
var tmpDir string

Expand Down
3 changes: 3 additions & 0 deletions codegen/model/chart.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,9 @@ type Operator struct {
//
// E.g: `and (.Values.operator.customValueA) (.Values.operator.customValueB)`
CustomEnableCondition string

// Optional: if specified, will use this path in rendering template logic
GlobalFloatingUserIdPath string
}

func (o Operator) FormattedName() string {
Expand Down
12 changes: 12 additions & 0 deletions codegen/templates/chart/operator-deployment.yamltmpl
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,10 @@ spec:
spec:
serviceAccountName: [[ $operator.Name ]]
{{- /* Override the default podSecurityContext config if it is set. */}}
[[- /* the GlobalFloatingUserId is expected to disable the pod security context */ -]]
[[- if $operator.GlobalFloatingUserIdPath ]]
{{- if not [[ $operator.GlobalFloatingUserIdPath ]] }}
[[- end ]]
{{- if or ([[ (opVar $operator) ]].podSecurityContext) (eq "map[]" (printf "%v" [[ (opVar $operator) ]].podSecurityContext)) }}
securityContext:
{{ toYaml [[ (opVar $operator) ]].podSecurityContext | indent 8 }}
Expand All @@ -96,6 +100,9 @@ spec:
[[ toYaml $podSecurityContext | indent 8 ]]
[[- end ]]
{{- end }}
[[- if $operator.GlobalFloatingUserIdPath ]] [[/* end the "if" if GlobalFloatingUserId is being checked */]]
{{- end }}
[[- end ]]
[[- if $volumes ]]
volumes:
[[ toYaml $volumes | indent 6 ]]
Expand Down Expand Up @@ -201,7 +208,12 @@ spec:
{}
{{- else}}
runAsNonRoot: true
[[- /* if there is a GlobalFloatingUserIdPath add it to the runAsuser logic */ -]]
[[- if $operator.GlobalFloatingUserIdPath ]]
{{- if not (or $[[ $operatorVar ]].floatingUserId [[ $operator.GlobalFloatingUserIdPath ]]) }}
[[- else ]]
{{- if not $[[ $operatorVar ]].floatingUserId }}
[[- end ]]
runAsUser: {{ printf "%.0f" (float64 $[[ $operatorVar ]].runAsUser) }}
{{- end }}
readOnlyRootFilesystem: true
Expand Down
Loading