8000 [Bugfix] Pass SecurityContext Pod Settings for SELinux and Seccomp (#… · arangodb/kube-arangodb@5f032c4 · GitHub

Commit 5f032c4

authored
[Bugfix] Pass SecurityContext Pod Settings for SELinux and Seccomp (#1643)
1 parent 2fc8638 commit 5f032c4


5 files changed

+121
-2
lines changed


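--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@
 - (Bugfix) Use Rendered Spec in case of scheduling compare
 - (Feature) 10000 Parametrize Scheduling Graceful Duration
 - (Bugfix) Change Accepted Spec Propagation
+- (Bugfix) Pass SecurityContext Pod Settings for SELinux and Seccomp
 
 ## [1.2.39](https://github.com/arangodb/kube-arangodb/tree/1.2.39) (2024-03-11)
 - (Feature) Extract Scheduler API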

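--- a/pkg/apis/deployment/v1/server_group_security_context_spec.go
+++ b/pkg/apis/deployment/v1/server_group_security_context_spec.go
@@ -116,6 +116,15 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 }
 }
 
+if s != nil {
+if psc == nil {
+psc = &core.PodSecurityContext{}
+}
+
+psc.SeccompProfile = s.SeccompProfile.DeepCopy()
+psc.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+}
+
 if s != nil && len(s.Sysctls) > 0 {
 var sysctls []core.Sysctl
 for k, v := range s.Sysctls {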
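Review bot: The added `if s != nil` block allocates `psc` whenever a spec is present, even when neither `SeccompProfile` nor `SELinuxOptions` is set, so a spec that previously produced no pod security context may now produce an empty non-nil one; the Sysctls block directly below avoids this with its `len(s.Sysctls) > 0` guard. Both assignments are also unconditional, so if code earlier in NewPodSecurityContext (outside this hunk) ever populates either field, it would be overwritten, possibly with nil. Guarding the block as `if s != nil && (s.SeccompProfile != nil || s.SELinuxOptions != nil) {` and copying each field only when the spec sets it would limit the change to what the user configured. The identical hunk in pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go has the same issue. The function body starts and ends outside the hunk, so the interaction with the `secured` path could not be checked from here.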

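--- a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go
+++ b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -101,6 +101,28 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 },
 },
 },
+"pass seccompProfile opts": {
+sc: &ServerGroupSpecSecurityContext{
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+secured: false,
+want: &core.PodSecurityContext{
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+},
+"pass seLinuxOptions opts": {
+sc: &ServerGroupSpecSecurityContext{
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+secured: false,
+want: &core.PodSecurityContext{
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+},
 }
 
 for testName, testCase := range testCases {
@@ -225,6 +247,34 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 RunAsUser: util.NewType[int64](3001),
 },
 },
+"pass seccompProfile opts": {
+sc: &ServerGroupSpecSecurityContext{
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+secured: false,
+want: &core.SecurityContext{
+Capabilities: &core.Capabilities{
+Drop: []core.Capability{"ALL"},
+},
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+},
+"pass seLinuxOptions opts": {
+sc: &ServerGroupSpecSecurityContext{
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+secured: false,
+want: &core.SecurityContext{
+Capabilities: &core.Capabilities{
+Drop: []core.Capability{"ALL"},
+},
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+},
 }
 
 for testName, testCase := range tests {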
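Review bot: All four added cases use `secured: false`, so nothing pins what happens to a user-supplied `SeccompProfile` or `SELinuxOptions` when the secured defaults are applied. These fields are the hardening controls the fix is meant to propagate, so a `secured: true` case for each of NewPodSecurityContext and NewSecurityContext would show whether the user's value survives alongside the defaults. A case with a non-nil `ServerGroupSpecSecurityContext` that sets neither field would also document whether NewPodSecurityContext returns nil or an empty context after this change. The same gap exists in pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go. Both test functions begin and end outside the hunks.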

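--- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go
+++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go
@@ -116,6 +116,15 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 }
 }
 
+if s != nil {
+if psc == nil {
+psc = &core.PodSecurityContext{}
+}
+
+psc.SeccompProfile = s.SeccompProfile.DeepCopy()
+psc.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+}
+
 if s != nil && len(s.Sysctls) > 0 {
 var sysctls []core.Sysctl
 for k, v := range s.Sysctls {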

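--- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go
+++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -101,6 +101,28 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 },
 },
 },
+"pass seccompProfile opts": {
+sc: &ServerGroupSpecSecurityContext{
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+secured: false,
+want: &core.PodSecurityContext{
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+},
+"pass seLinuxOptions opts": {
+sc: &ServerGroupSpecSecurityContext{
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+secured: false,
+want: &core.PodSecurityContext{
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+},
 }
 
 for testName, testCase := range testCases {
@@ -225,6 +247,34 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 RunAsUser: util.NewType[int64](3001),
 },
 },
+"pass seccompProfile opts": {
+sc: &ServerGroupSpecSecurityContext{
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+secured: false,
+want: &core.SecurityContext{
+Capabilities: &core.Capabilities{
+Drop: []core.Capability{"ALL"},
+},
+SeccompProfile: &core.SeccompProfile{
+Type: core.SeccompProfileTypeRuntimeDefault,
+},
+},
+},
+"pass seLinuxOptions opts": {
+sc: &ServerGroupSpecSecurityContext{
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+secured: false,
+want: &core.SecurityContext{
+Capabilities: &core.Capabilities{
+Drop: []core.Capability{"ALL"},
+},
+SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+},
+},
 }
 
 for testName, testCase := range tests {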
