Handle validation when value for runAsGroup and runAsUser is empty #1747
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -28,9 +28,11 @@ const ( | |
| defaultServiceAccountKey = "default-service-account" | ||
| defaultRunAsUserKey = "default-run-as-user" | ||
| defaultRunAsGroupKey = "default-run-as-group" | ||
| defaultRunAsNonRootKey = "default-run-as-non-root" | ||
| DefaultServiceAccountValue = "default" | ||
| defaultRunAsUserValue = 65532 | ||
| defaultRunAsGroupValue = 65532 | ||
| defaultRunAsNonRootValue = true | ||
| ) | ||
|
|
||
| // Defaults holds the default configurations | ||
|
|
@@ -39,6 +41,11 @@ type Defaults struct { | |
| DefaultServiceAccount string | ||
| DefaultRunAsUser int64 | ||
|
There was a problem hiding this comment. we dont need these default if we want to keep empty value in cm There was a problem hiding this comment. As mentioned here #1747 (comment) imo if user don't set empty then we can set them with default values It shouldn't be mandatory that user has to set values through CM its completely optional (which is the current behavior ) Only thing is now we are providing way to configure different values by providing those keys in CM or remove default values for those keys if they don't want by setting |
||
| DefaultRunAsGroup int64 | ||
| DefaultRunAsNonRoot bool | ||
| // These two fields are used to decide whether to configure | ||
| // runAsUser and runAsGroup within a Security Context Constraint (SCC). | ||
| IsDefaultRunAsUserEmpty bool | ||
| IsDefaultRunAsGroupEmpty bool | ||
| } | ||
|
|
||
| // GetDefaultsConfigName returns the name of the configmap containing all | ||
|
|
@@ -62,7 +69,8 @@ func (cfg *Defaults) Equals(other *Defaults) bool { | |
|
|
||
| return other.DefaultServiceAccount == cfg.DefaultServiceAccount && | ||
| other.DefaultRunAsUser == cfg.DefaultRunAsUser && | ||
| other.DefaultRunAsGroup == cfg.DefaultRunAsGroup && | ||
| other.DefaultRunAsNonRoot == cfg.DefaultRunAsNonRoot | ||
| } | ||
|
|
||
| // NewDefaultsFromMap returns a Config given a map corresponding to a ConfigMap | ||
|
|
@@ -71,36 +79,53 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) { | |
| DefaultServiceAccount: DefaultServiceAccountValue, | ||
| DefaultRunAsUser: defaultRunAsUserValue, | ||
| DefaultRunAsGroup: defaultRunAsGroupValue, | ||
| DefaultRunAsNonRoot: defaultRunAsNonRootValue, | ||
| } | ||
|
|
||
| if defaultServiceAccount, ok := cfgMap[defaultServiceAccountKey]; ok { | ||
| tc.DefaultServiceAccount = defaultServiceAccount | ||
| } | ||
|
|
||
| if defaultRunAsUser, ok := cfgMap[defaultRunAsUserKey]; ok { | ||
khrm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| if defaultRunAsUser != "" { | ||
| runAsUser, err := strconv.ParseInt(defaultRunAsUser, 10, 0) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed parsing runAsUser config %q", defaultRunAsUser) | ||
| } | ||
| tc.DefaultRunAsUser = runAsUser | ||
| } else { | ||
| // if runAsUser is "" don't set runAsUser in SCC | ||
| tc.IsDefaultRunAsUserEmpty = true | ||
| } | ||
| } | ||
|
|
||
| if defaultRunAsGroup, ok := cfgMap[defaultRunAsGroupKey]; ok { | ||
| if defaultRunAsGroup != "" { | ||
| runAsGroup, err := strconv.ParseInt(defaultRunAsGroup, 10, 0) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed parsing runAsGroup config %q", defaultRunAsGroup) | ||
| } | ||
| tc.DefaultRunAsGroup = runAsGroup | ||
| } else { | ||
| // if runAsGroup is "" don't set runAsGroup in SCC | ||
| tc.IsDefaultRunAsGroupEmpty = true | ||
| } | ||
| } | ||
|
|
||
| if defaultRunAsNonRoot, ok := cfgMap[defaultRunAsNonRootKey]; ok { | ||
| if defaultRunAsNonRoot != "" { | ||
| runAsNonRoot, err := strconv.ParseBool(defaultRunAsNonRoot) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed parsing runAsNonRoot config %q", defaultRunAsNonRoot) | ||
| } | ||
| tc.DefaultRunAsNonRoot = runAsNonRoot | ||
| } else { | ||
| // if "" value is provided via configmap set back to default value which is true | ||
| tc.DefaultRunAsNonRoot = defaultRunAsNonRootValue | ||
| } | ||
|
|
||
| } | ||
|
|
||
| return &tc, nil | ||
| } | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think we should default set them empty, and if user wants they can set as their desired value
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those values were set from starting and now if we remove we might break behavior
IMO its okay to set some default values when user won't set anything
We are setting default values here https://github.com/tektoncd/triggers/pull/1747/files#diff-572521168fb33345a93f07ab72e633d00cccb422144d8a05399a6fa98cb12025R33-R35
In the config-defaults-triggers.yaml is sample example to show how user can set as its under
_example: |