From 2bd002e7f6fbe28d6823fad6d6186646e19f14e1 Mon Sep 17 00:00:00 2001
From: Adam Janikowski <12255597+ajanikow@users.noreply.github.com>
Date: Thu, 20 Jul 2023 13:25:54 +0200
Subject: [PATCH] [Feature] Expose core.PodSecurityContext Sysctl options (#1360)
---
 .gitattributes | 3 +-
 CHANGELOG.md | 1 +
 docs/api/ArangoDeployment.V1.md | 315 +++++++++++++-----
 .../v1/server_group_security_context_spec.go | 34 ++
 ...server_group_security_context_spec_test.go | 59 ++++
 pkg/apis/deployment/v1/timeouts.go | 2 +-
 .../deployment/v1/zz_generated.deepcopy.go | 8 +
 .../server_group_security_context_spec.go | 34 ++
 ...server_group_security_context_spec_test.go | 59 ++++
 pkg/apis/deployment/v2alpha1/timeouts.go | 4 +-
 .../v2alpha1/zz_generated.deepcopy.go | 8 +
 11 files changed, 439 insertions(+), 88 deletions(-)
diff --git a/.gitattributes b/.gitattributes
index 867879420..c7d74c7a6 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 pkg/generated/** linguist-generated
-**/zz_generated.deepcopy.go linguist-generated
\ No newline at end of file
+**/zz_generated.deepcopy.go linguist-generated
+pkg/api/** linguist-generated
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c8d9258e..babd5d39a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - (Feature) Backup lifetime - remove Backup once its lifetime has been reached
 - (Feature) Add Feature dependency
 - (Feature) Run secured containers as a feature
+- (Feature) Expose core.PodSecurityContext Sysctl options
 ## [1.2.31](https://github.com/arangodb/kube-arangodb/tree/1.2.31) (2023-07-14)
 - (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode
diff --git a/docs/api/ArangoDeployment.V1.md b/docs/api/ArangoDeployment.V1.md
index 8d5927299..c21b45ae6 100644
--- a/docs/api/ArangoDeployment.V1.md
+++ b/docs/api/ArangoDeployment.V1.md
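Review bot: The added `pkg/api/** linguist-generated` line in the .gitattributes hunk marks an entire tree as generated, and GitHub collapses files carrying that attribute in pull-request diffs by default, so any hand-written code under `pkg/api/` would be hidden from routine review; the hunk does not show what that directory contains. If the tree is regenerated from a source such as protobuf definitions, a CI step that regenerates it and fails on a non-empty `git diff` would keep the collapsed output from drifting from its inputs. Note that the pattern does not cover the `pkg/apis/...` files this commit changes, which remain matched only by the existing `**/zz_generated.deepcopy.go` line; that looks intended but is worth confirming. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker on the new side shows.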
@@ -327,11 +327,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.agents.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.agents.securityContext.dropAllCapabilities: bool 
@@ -339,31 +339,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.agents.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.agents.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.agents.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.agents.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.agents.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### 
.spec.agents.securityContext.runAsUser: int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.agents.securityContext.seccompProfile: core.SeccompProfile @@ -372,7 +372,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.agents.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -381,11 +381,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.agents.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.agents.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.agents.serviceAccountName: string 
@@ -917,11 +938,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.coordinators.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.coordinators.securityContext.dropAllCapabilities: bool 
@@ -929,31 +950,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.coordinators.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.coordinators.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.coordinators.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.coordinators.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.coordinators.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: 
[server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### .spec.coordinators.securityContext.runAsUser: int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.coordinators.securityContext.seccompProfile: core.SeccompProfile @@ -962,7 +983,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.coordinators.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -971,11 +992,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.coordinators.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.coordinators.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.coordinators.serviceAccountName: string 
@@ -1439,11 +1481,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.dbservers.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.dbservers.securityContext.dropAllCapabilities: bool 
@@ -1451,31 +1493,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.dbservers.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.dbservers.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.dbservers.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.dbservers.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.dbservers.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### 
.spec.dbservers.securityContext.runAsUser: int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.dbservers.securityContext.seccompProfile: core.SeccompProfile @@ -1484,7 +1526,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.dbservers.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -1493,11 +1535,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.dbservers.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.dbservers.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.dbservers.serviceAccountName: string 
@@ -1748,11 +1811,11 @@ Code Reference: [server_id_group_spec.go:56](/pkg/apis/deployment/v1/server_id_g AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.id.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.id.securityContext.dropAllCapabilities: bool 
@@ -1760,31 +1823,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.id.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.id.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.id.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.id.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.id.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### .spec.id.securityContext.runAsUser: 
int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.id.securityContext.seccompProfile: core.SeccompProfile @@ -1793,7 +1856,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.id.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -1802,11 +1865,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.id.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.id.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.id.serviceAccountName: string 
@@ -2290,11 +2374,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.single.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.single.securityContext.dropAllCapabilities: bool 
@@ -2302,31 +2386,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.single.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.single.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.single.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.single.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.single.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### 
.spec.single.securityContext.runAsUser: int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.single.securityContext.seccompProfile: core.SeccompProfile @@ -2335,7 +2419,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.single.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -2344,11 +2428,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.single.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.single.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.single.serviceAccountName: string 
@@ -2902,11 +3007,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.syncmasters.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.syncmasters.securityContext.dropAllCapabilities: bool 
@@ -2914,31 +3019,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.syncmasters.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.syncmasters.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.syncmasters.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.syncmasters.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.syncmasters.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: 
[server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### .spec.syncmasters.securityContext.runAsUser: int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.syncmasters.securityContext.seccompProfile: core.SeccompProfile @@ -2947,7 +3052,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.syncmasters.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -2956,11 +3061,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.syncmasters.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.syncmasters.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.syncmasters.serviceAccountName: string 
@@ -3418,11 +3544,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s AddCapabilities add new capabilities to containers -Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) +Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43) ### .spec.syncworkers.securityContext.allowPrivilegeEscalation: bool -Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) +Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) ### .spec.syncworkers.securityContext.dropAllCapabilities: bool 
@@ -3430,31 +3556,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. -Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) +Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41) ### .spec.syncworkers.securityContext.fsGroup: int64 -Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) +Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53) ### .spec.syncworkers.securityContext.privileged: bool -Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) +Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) ### .spec.syncworkers.securityContext.readOnlyRootFilesystem: bool -Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) +Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) ### .spec.syncworkers.securityContext.runAsGroup: int64 -Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) +Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50) ### .spec.syncworkers.securityContext.runAsNonRoot: bool -Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) +Code Reference: 
[server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) ### .spec.syncworkers.securityContext.runAsUser: int64 -Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) +Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) ### .spec.syncworkers.securityContext.seccompProfile: core.SeccompProfile @@ -3463,7 +3589,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof Links: * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) -Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) +Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69) ### .spec.syncworkers.securityContext.seLinuxOptions: core.SELinuxOptions 
@@ -3472,11 +3598,32 @@ SELinuxOptions are the labels to be applied to the container Links: * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) -Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) +Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74) ### .spec.syncworkers.securityContext.supplementalGroups: []int64 -Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) +Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) + +### .spec.syncworkers.securityContext.sysctls: map[string]intstr.IntOrString + +Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + +sysctls (by the container runtime) might fail to launch. + +Map Value can be String or Int + +Links: +* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +Example: +```yaml +sysctls: + "kernel.shm_rmid_forced": "0" + "net.core.somaxconn": 1024 + "kernel.msgmax": "65536" +``` + +Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64) ### .spec.syncworkers.serviceAccountName: string diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec.go b/pkg/apis/deployment/v1/server_group_security_context_spec.go index 11dbb97ca..2b892bf58 100644 --- a/pkg/apis/deployment/v1/server_group_security_context_spec.go +++ b/pkg/apis/deployment/v1/server_group_security_context_spec.go @@ -21,7 +21,10 @@ package v1 import ( + "sort" + core "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" "github.com/arangodb/kube-arangodb/pkg/util" ) 
@@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct { SupplementalGroups []int64 `json:"supplementalGroups,omitempty"` FSGroup *int64 `json:"fsGroup,omitempty"` + // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Map Value can be String or Int + // +doc/example: sysctls: + // +doc/example: "kernel.shm_rmid_forced": "0" + // +doc/example: "net.core.somaxconn": 1024 + // +doc/example: "kernel.msgmax": "65536" + // +doc/type: map[string]intstr.IntOrString + // +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ + Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"` + // SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. // +doc/type: core.SeccompProfile // +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core @@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co } } + if s != nil && len(s.Sysctls) > 0 { + var sysctls []core.Sysctl + for k, v := range s.Sysctls { + sysctls = append(sysctls, core.Sysctl{ + Name: k, + Value: v.String(), + }) + } + + sort.Slice(sysctls, func(i, j int) bool { + return sysctls[i].Name < sysctls[j].Name + }) + + if psc == nil { + psc = &core.PodSecurityContext{} + } + + psc.Sysctls = sysctls + } + if secured { if psc == nil { psc = &core.PodSecurityContext{} diff --git a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go index 80b83f5fc..b7d7a5d3f 100644 --- a/pkg/apis/deployment/v1/server_group_security_context_spec_test.go +++ b/pkg/apis/deployment/v1/server_group_security_context_spec_test.go 
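Review bot: The comment on the added Sysctls field is emitted line by line by the docs generator, so in the generated ArangoDeployment.V1.md the first sentence is split into two paragraphs ("Pods with unsupported" / "sysctls (by the container runtime) might fail to launch."), and "hold a list" describes what is actually a map. Keeping the sentence on one line fixes the rendering, e.g. `// Sysctls defines a map of namespaced sysctls applied to the pod. Pods with sysctls unsupported by the container runtime might fail to launch.` followed by `// Map Value can be String or Int`. The same comment is added in the v2alpha1 copy of this file further down.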
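Review bot: The sysctl names and values collected in the new loop in NewPodSecurityContext are copied into core.PodSecurityContext.Sysctls without any validation, so a typo in a key is only reported when the API server rejects the pod, and an unsafe sysctl is refused by the kubelet unless it was enabled there via `--allowed-unsafe-sysctls` (cluster policy such as the Pod Security baseline profile may restrict the set further). If the spec type has a validation entry point (not visible in this hunk), rejecting empty or syntactically invalid keys there would surface the error on the ArangoDeployment resource instead of as a pod that never starts. A smaller point of style: the slice can be pre-sized with `sysctls := make([]core.Sysctl, 0, len(s.Sysctls))` since the map length is known. The identical hunk appears in the v2alpha1 copy of this file. The body of NewPodSecurityContext starts before and continues after this hunk.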
@@ -21,10 +21,13 @@ package v1 import ( + "encoding/json" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" core "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" "github.com/arangodb/kube-arangodb/pkg/util" ) @@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { SupplementalGroups: []int64{1}, }, }, + "pass sysctl opts": { + sc: &ServerGroupSpecSecurityContext{ + Sysctls: map[string]intstr.IntOrString{ + "opt.1": intstr.FromInt(1), + "opt.2": intstr.FromString("2"), + }, + }, + secured: false, + want: &core.PodSecurityContext{ + Sysctls: []core.Sysctl{ + { + Name: "opt.1", + Value: "1", + }, + { + Name: "opt.2", + Value: "2", + }, + }, + }, + }, } for testName, testCase := range testCases { @@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { } } +func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) { + testCases := map[string]struct { + sc string + secured bool + want *core.PodSecurityContext + }{ + "pass sysctl opts": { + sc: `{"sysctls":{"opt.1":1, "opt.2":"2"}}`, + secured: false, + want: &core.PodSecurityContext{ + Sysctls: []core.Sysctl{ + { + Name: "opt.1", + Value: "1", + }, + { + Name: "opt.2", + Value: "2", + }, + }, + }, + }, + } + + for testName, testCase := range testCases { + t.Run(testName, func(t *testing.T) { + var p ServerGroupSpecSecurityContext + require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p)) + + actual := p.NewPodSecurityContext(testCase.secured) + assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured) + }) + } +} + func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { tests := map[string]struct { sc *ServerGroupSpecSecurityContext diff --git a/pkg/apis/deployment/v1/timeouts.go b/pkg/apis/deployment/v1/timeouts.go index ee580ebd0..285e7783c 100644 --- a/pkg/apis/deployment/v1/timeouts.go 
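Review bot: The new TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON only pins the happy path; there is no JSON case with an empty or absent sysctls object confirming that the `len(s.Sysctls) > 0` guard leaves the result untouched, and none with `secured: true` confirming the sysctls survive the secured branch. Because the expected value for those cases depends on the parts of NewPodSecurityContext outside this diff, derive them from the existing nil and secured cases of the TestServerGroupSpecSecurityContext_NewPodSecurityContext table rather than guessing. The same table is added in the v2alpha1 test file further down. Both hunks in this file cut through enclosing test functions.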
+++ b/pkg/apis/deployment/v1/timeouts.go @@ -1,7 +1,7 @@ // // DISCLAIMER // -// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany +// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/pkg/apis/deployment/v1/zz_generated.deepcopy.go b/pkg/apis/deployment/v1/zz_generated.deepcopy.go index 2a6c1ab09..8d5eb4ac0 100644 --- a/pkg/apis/deployment/v1/zz_generated.deepcopy.go +++ b/pkg/apis/deployment/v1/zz_generated.deepcopy.go @@ -32,6 +32,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" + intstr "k8s.io/apimachinery/pkg/util/intstr" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -2576,6 +2577,13 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur *out = new(int64) **out = **in } + if in.Sysctls != nil { + in, out := &in.Sysctls, &out.Sysctls + *out = make(map[string]intstr.IntOrString, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.SeccompProfile != nil { in, out := &in.SeccompProfile, &out.SeccompProfile *out = new(corev1.SeccompProfile) diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go index 7f44b72ea..103b6fe4d 100644 --- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go +++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go @@ -21,7 +21,10 @@ package v2alpha1 import ( + "sort" + core "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" "github.com/arangodb/kube-arangodb/pkg/util" ) 
@@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct { SupplementalGroups []int64 `json:"supplementalGroups,omitempty"` FSGroup *int64 `json:"fsGroup,omitempty"` + // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Map Value can be String or Int + // +doc/example: sysctls: + // +doc/example: "kernel.shm_rmid_forced": "0" + // +doc/example: "net.core.somaxconn": 1024 + // +doc/example: "kernel.msgmax": "65536" + // +doc/type: map[string]intstr.IntOrString + // +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ + Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"` + // SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. // +doc/type: core.SeccompProfile // +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core @@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co } } + if s != nil && len(s.Sysctls) > 0 { + var sysctls []core.Sysctl + for k, v := range s.Sysctls { + sysctls = append(sysctls, core.Sysctl{ + Name: k, + Value: v.String(), + }) + } + + sort.Slice(sysctls, func(i, j int) bool { + return sysctls[i].Name < sysctls[j].Name + }) + + if psc == nil { + psc = &core.PodSecurityContext{} + } + + psc.Sysctls = sysctls + } + if secured { if psc == nil { psc = &core.PodSecurityContext{} diff --git a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go index c66a69596..bb23b599b 100644 --- a/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go +++ b/pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go 
@@ -21,10 +21,13 @@ package v2alpha1 import ( + "encoding/json" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" core "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" "github.com/arangodb/kube-arangodb/pkg/util" ) @@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { SupplementalGroups: []int64{1}, }, }, + "pass sysctl opts": { + sc: &ServerGroupSpecSecurityContext{ + Sysctls: map[string]intstr.IntOrString{ + "opt.1": intstr.FromInt(1), + "opt.2": intstr.FromString("2"), + }, + }, + secured: false, + want: &core.PodSecurityContext{ + Sysctls: []core.Sysctl{ + { + Name: "opt.1", + Value: "1", + }, + { + Name: "opt.2", + Value: "2", + }, + }, + }, + }, } for testName, testCase := range testCases { @@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) { } } +func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) { + testCases := map[string]struct { + sc string + secured bool + want *core.PodSecurityContext + }{ + "pass sysctl opts": { + sc: `{"sysctls":{"opt.1":1, "opt.2":"2"}}`, + secured: false, + want: &core.PodSecurityContext{ + Sysctls: []core.Sysctl{ + { + Name: "opt.1", + Value: "1", + }, + { + Name: "opt.2", + Value: "2", + }, + }, + }, + }, + } + + for testName, testCase := range testCases { + t.Run(testName, func(t *testing.T) { + var p ServerGroupSpecSecurityContext + require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p)) + + actual := p.NewPodSecurityContext(testCase.secured) + assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured) + }) + } +} + func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { tests := map[string]struct { sc *ServerGroupSpecSecurityContext diff --git a/pkg/apis/deployment/v2alpha1/timeouts.go b/pkg/apis/deployment/v2alpha1/timeouts.go index 3a2ec5591..865275766 100644 --- a/pkg/apis/deployment/v2alpha1/timeouts.go 
+++ b/pkg/apis/deployment/v2alpha1/timeouts.go @@ -1,7 +1,7 @@ // // DISCLAIMER // -// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany +// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -35,7 +35,7 @@ type Timeouts struct { // MaintenanceGracePeriod action timeout MaintenanceGracePeriod *Timeout `json:"maintenanceGracePeriod,omitempty"` - // Actions keep list of the actions timeouts. + // Actions keep map of the actions timeouts. // +doc/type: map[string]meta.Duration // +doc/link: List of supported action names|/docs/generated/actions.md // +doc/link: Definition of meta.Duration|https://github.com/kubernetes/apimachinery/blob/v0.26.6/pkg/apis/meta/v1/duration.go diff --git a/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go b/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go index d39969623..18d6d8039 100644 --- a/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/deployment/v2alpha1/zz_generated.deepcopy.go @@ -32,6 +32,7 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" + intstr "k8s.io/apimachinery/pkg/util/intstr" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -2576,6 +2577,13 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur *out = new(int64) **out = **in } + if in.Sysctls != nil { + in, out := &in.Sysctls, &out.Sysctls + *out = make(map[string]intstr.IntOrString, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.SeccompProfile != nil { in, out := &in.SeccompProfile, &out.SeccompProfile *out = new(v1.SeccompProfile)