From a3f6e063239f7ba297077b2a5cee56b4fc0eaefe Mon Sep 17 00:00:00 2001
From: Sanket
Date: Wed, 21 Feb 2024 02:43:46 +0530
Subject: [PATCH 1/3] added PodSecurityContext

---
 cmd/create.go | 27 ++++++++++++---------------
 pkg/functions/function.go | 4 +++-
 pkg/knative/deployer.go | 13 ++++++++++++-
 schema/func_yaml-schema.json | 22 +++++++++++++++++++++-
 4 files changed, 48 insertions(+), 18 deletions(-)

diff --git a/cmd/create.go b/cmd/create.go
index b123135113..11da512820 100644
--- a/cmd/create.go
+++ b/cmd/create.go
@@ -178,8 +178,19 @@ func newCreateConfig(cmd *cobra.Command, args []string, newClient ClientFactory)
 dirName string
 absolutePath string
 )
+ client, done := newClient(ClientConfig{Verbose: cfg.Verbose})
+ defer done()
 
- if len(args) >= 1 {
+ // IN confirm mode. If also in an interactive terminal, run prompts.
+ if len(args)<1 {
+ createdCfg, err := cfg.prompt(client)
+ if err != nil {
+ return createdCfg, err
+ }
+ fmt.Println("Command:")
+ fmt.Println(singleCommand(cmd, args, createdCfg))
+ return createdCfg, nil
+ }else {
 path = args[0]
 }
 
@@ -206,20 +217,6 @@ func newCreateConfig(cmd *cobra.Command, args []string, newClient ClientFactory)
 
 // Create a tempoarary client for use by the following prompts to complete
 // runtime/template suggestions etc
- client, done := newClient(ClientConfig{Verbose: cfg.Verbose})
- defer done()
-
- // IN confirm mode. If also in an interactive terminal, run prompts.
- if interactiveTerminal() {
- createdCfg, err := cfg.prompt(client)
- if err != nil {
- return createdCfg, err
- }
- fmt.Println("Command:")
- fmt.Println(singleCommand(cmd, args, createdCfg))
- return createdCfg, nil
- }
-
 // Confirming, but noninteractive
 // Print out the final values as a confirmation. Only show Repository or
 // Repositories, not both (repository takes precedence) in order to avoid
diff --git a/pkg/functions/function.go b/pkg/functions/function.go
index 13ebe8bb44..459f8cc065 100644
--- a/pkg/functions/function.go
+++ b/pkg/functions/function.go
@@ -141,7 +141,9 @@ type RunSpec struct {
 
 // Env variables to be set
 Envs Envs `yaml:"envs,omitempty"`
-
+
+ // PodSecurityContext to be set for read and write permission
+ PodSecurityContext PodSecurityContext `yaml:"podSecurityContext, omitempty"`
 // StartTimeout specifies that this function should have a custom timeout
 // when starting. This setting is currently respected by the host runner,
 // with containerized docker runner and deployed Knative service integration
diff --git a/pkg/knative/deployer.go b/pkg/knative/deployer.go
index 26cb7455ee..19e201eaf5 100644
--- a/pkg/knative/deployer.go
+++ b/pkg/knative/deployer.go
@@ -435,7 +435,7 @@ func generateNewService(f fn.Function, decorator DeployDecorator) (*v1.Service,
 for k, v := range annotations {
 revisionAnnotations[k] = v
 }
-
+ PodSecurityContext := getPodSecurityContext(f.Run)
 service := &v1.Service{
 ObjectMeta: metav1.ObjectMeta{
 Name: f.Name,
@@ -451,6 +451,7 @@ func generateNewService(f fn.Function, decorator DeployDecorator) (*v1.Service,
 },
 Spec: v1.RevisionSpec{
 PodSpec: corev1.PodSpec{
+ SecurityContext: PodSecurityContext,
 Containers: []corev1.Container{
 container,
 },
@@ -1075,3 +1076,13 @@ func setServiceOptions(template *v1.RevisionTemplateSpec, options fn.Options) er
 
 return servingclientlib.UpdateRevisionTemplateAnnotations(template, toUpdate, toRemove)
 }
+
+func getPodSecurityContext(RunSpec fn.RunSpec) *corev1.PodSecurityContext{
+ return &corev1.PodSecurityContext{
+ RunAsUser: RunSpec.PodSecurityContext.RunAsUser,
+ RunAsGroup: RunSpec.PodSecurityContext.RunAsGroup,
+ RunAsNonRoot: RunSpec.PodSecurityContext.RunAsNonRoot,
+ FSGroup: RunSpec.PodSecurityContext.FSGroup,
+ }
+
+}
\ No newline at end of file
diff --git a/schema/func_yaml-schema.json b/schema/func_yaml-schema.json
index bad9f09de8..0bd5a035bb 100644
--- a/schema/func_yaml-schema.json
+++ b/schema/func_yaml-schema.json
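Review bot: The new yaml tag `yaml:"podSecurityContext, omitempty"` carries a space before the flag; the gopkg.in/yaml struct-tag parser splits the options on "," without trimming, so the flag it sees is " omitempty", which it rejects as an unsupported flag and the whole RunSpec then fails to marshal or unmarshal (at minimum the field is never omitted). The line should read `PodSecurityContext PodSecurityContext `yaml:"podSecurityContext,omitempty"``. The field comment "to be set for read and write permission" does not say what the field controls; suggest `// PodSecurityContext sets the pod-level security context (runAsUser, runAsGroup, runAsNonRoot, fsGroup) of the deployed service; nil fields are left unset.` The RunSpec struct starts and ends outside the hunk.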
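Review bot: The local introduced at `PodSecurityContext := getPodSecurityContext(f.Run)` in the @@ -435 hunk is named like an exported type, and at its use site `SecurityContext: PodSecurityContext,` in the @@ -451 hunk it reads as a type reference rather than a value. Go locals are lowerCamel; rename both lines to `podSecurityContext := getPodSecurityContext(f.Run)` and `SecurityContext: podSecurityContext,`. The hunk also replaces the blank line that separated the annotation loop from the service literal with the new assignment, which gofmt will not restore; keep the blank line. generateNewService continues outside both hunks.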
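Review bot: getPodSecurityContext in the @@ -1075 hunk always returns a non-nil pointer, so every deployed service now carries an empty `securityContext: {}` in its PodSpec even when func.yaml sets nothing, which changes the generated spec for all existing functions and makes it impossible to express "leave the security context unset"; returning nil when all four fields are nil avoids that. The function is also not gofmt-clean (no space before the opening brace, a stray blank line before the closing brace, no newline at end of file) and its parameter is named like a type. If an update path for already-deployed services builds its PodSpec elsewhere in this file (not visible here), it would not pick up podSecurityContext changes on redeploy either, so a user tightening runAsNonRoot on an existing function would see no effect; worth checking.
```go
// getPodSecurityContext maps the func.yaml podSecurityContext onto the
// Kubernetes PodSecurityContext. It returns nil when no field is set so the
// generated service does not carry an empty securityContext.
func getPodSecurityContext(spec fn.RunSpec) *corev1.PodSecurityContext {
	sc := spec.PodSecurityContext
	if sc.RunAsUser == nil && sc.RunAsGroup == nil && sc.RunAsNonRoot == nil && sc.FSGroup == nil {
		return nil
	}
	return &corev1.PodSecurityContext{
		RunAsUser:    sc.RunAsUser,
		RunAsGroup:   sc.RunAsGroup,
		RunAsNonRoot: sc.RunAsNonRoot,
		FSGroup:      sc.FSGroup,
	}
}
```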
@@ -16,7 +16,7 @@
 }
 },
 "type": "object",
- "description": "BuilderImages define optional explicit builder images to use by\nbuilder implementations in leau of the in-code defaults. They key\nis the builder's short name. For example:\nbuilderImages:\n pack: example.com/user/my-pack-node-builder\n s2i: example.com/user/my-s2i-node-builder"
+ "description// with containerized docker runner and deployed Knative service integration": "BuilderImages define optional explicit builder images to use by\nbuilder implementations in leau of the in-code defaults. They key\nis the builder's short name. For example:\nbuilderImages:\n pack: example.com/user/my-pack-node-builder\n s2i: example.com/user/my-s2i-node-builder"
 },
 "buildpacks": {
 "items": {
@@ -352,6 +352,26 @@
 "type": "array",
 "description": "Env variables to be set"
 },
+ "podSecurityContext": {
+ "properties": {
+ "RunAsUser": {
+ "pattern": "^[-._a-zA-Z][-._a-zA-Z0-9]*$",
+ "type": "integer"
+ },
+ "RunAsGroup": {
+ "type": "integer"
+ },
+ "RunAsNonRoot":{
+ "type": "boolean"
+ },
+ "FSGroup":{
+ "type":"integer"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+
+ },
 "startTimeout": {
 "type": "integer",
 "description": "StartTimeout specifies that this function should have a custom timeout\nwhen starting. This setting is currently respected by the host runner,\nwith containerized docker runner and deployed Knative service integration\nin development."

From 195733f446cf095df3fcd8a201893a3a05dd6c43 Mon Sep 17 00:00:00 2001
From: Sanket
Date: Wed, 21 Feb 2024 02:56:45 +0530
Subject: [PATCH 2/3] restored create cmd

---
 cmd/create.go | 29 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/cmd/create.go b/cmd/create.go
index 11da512820..4263c0cb94 100644
--- a/cmd/create.go
+++ b/cmd/create.go
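Review bot: The only change in the @@ -16 hunk renames the `"description"` key of builderImages to `"description// with containerized docker runner and deployed Knative service integration"`, which looks like an accidental paste of a line from the Go comment in pkg/functions/function.go. If that line is really in the commit rather than an artefact of how the patch was rendered, the builderImages description disappears for any tool that reads the `description` key, and the hunk should be dropped so the line stays `"description": "BuilderImages define optional explicit builder images to use by..."`.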
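Review bot: In the @@ -352 hunk the `"RunAsUser"` property declares `"pattern": "^[-._a-zA-Z][-._a-zA-Z0-9]*$"` together with `"type": "integer"`; a JSON Schema pattern only applies to strings, so it is dead here and, if the type were ever relaxed to string, would reject every numeric UID. Drop the `"pattern"` line. The property names are PascalCase (`RunAsUser`, `FSGroup`) while every sibling key in this schema and the tag in pkg/functions/function.go are camelCase (`podSecurityContext`, `startTimeout`, `envs`), and the new object has no `"description"` entry although its siblings do. The other descriptions in this file are the Go field comments copied verbatim, which suggests the file is generated from the Go structs; if so, these hand-written lines will be overwritten at the next regeneration and the Go struct (with its yaml tags and doc comments) is the place to fix the names.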
@@ -178,19 +178,8 @@ func newCreateConfig(cmd *cobra.Command, args []string, newClient ClientFactory)
 dirName string
 absolutePath string
 )
- client, done := newClient(ClientConfig{Verbose: cfg.Verbose})
- defer done()
 
- // IN confirm mode. If also in an interactive terminal, run prompts.
- if len(args)<1 {
- createdCfg, err := cfg.prompt(client)
- if err != nil {
- return createdCfg, err
- }
- fmt.Println("Command:")
- fmt.Println(singleCommand(cmd, args, createdCfg))
- return createdCfg, nil
- }else {
+ if len(args) >= 1 {
 path = args[0]
 }
 
@@ -217,6 +206,20 @@ func newCreateConfig(cmd *cobra.Command, args []string, newClient ClientFactory)
 
 // Create a tempoarary client for use by the following prompts to complete
 // runtime/template suggestions etc
+ client, done := newClient(ClientConfig{Verbose: cfg.Verbose})
+ defer done()
+
+ // IN confirm mode. If also in an interactive terminal, run prompts.
+ if interactiveTerminal() {
+ createdCfg, err := cfg.prompt(client)
+ if err != nil {
+ return createdCfg, err
+ }
+ fmt.Println("Command:")
+ fmt.Println(singleCommand(cmd, args, createdCfg))
+ return createdCfg, nil
+ }
+
 // Confirming, but noninteractive
 // Print out the final values as a confirmation. Only show Repository or
 // Repositories, not both (repository takes precedence) in order to avoid
@@ -565,4 +568,4 @@ func RuntimeTemplateOptions(client *fn.Client) (string, error) {
 }
 writer.Flush()
 return builder.String(), nil
-}
+}
\ No newline at end of file

From 2091749a7d6af85a05890ca3021b8d27ecf23ccc Mon Sep 17 00:00:00 2001
From: Sanket
Date: Wed, 21 Feb 2024 03:08:02 +0530
Subject: [PATCH 3/3] added the struct

---
 pkg/functions/function_security.go | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 pkg/functions/function_security.go

diff --git a/pkg/functions/function_security.go b/pkg/functions/function_security.go
new file mode 100644
index 0000000000..08bbc5ea94
--- /dev/null
+++ b/pkg/functions/function_security.go
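Review bot: Once PATCH 2/3 reverts the PATCH 1/3 edits to newCreateConfig, the only net change this series makes to cmd/create.go is the @@ -565 hunk, which deletes the newline at the end of the file (`\ No newline at end of file`); gofmt puts it back, so the file stops being gofmt-clean for no functional reason. The same end-of-file newline is dropped in pkg/knative/deployer.go in PATCH 1/3. Drop this hunk and squash the two create.go patches so the reverted change does not appear in history at all.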
@@ -0,0 +1,8 @@
+package functions
+
+type PodSecurityContext struct {
+ RunAsUser *int64 `yaml:"RunAsUser,omitempty"`
+ RunAsGroup *int64 `yaml:"RunAsGroup,omitempty"`
+ RunAsNonRoot *bool `yaml:"RunAsNonRoot,omitempty"`
+ FSGroup *int64 `yaml:"FSGroup,omitempty"`
+}
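Review bot: The yaml keys of the new struct (`RunAsUser`, `RunAsGroup`, `RunAsNonRoot`, `FSGroup`) are PascalCase, while the field that embeds it uses `podSecurityContext` and the rest of func.yaml uses camelCase (`envs`, `startTimeout`), and the Kubernetes fields these map onto are `runAsUser`, `runAsGroup`, `runAsNonRoot`, `fsGroup`; a user copying a pod spec into func.yaml will silently get no security context. The exported type and its fields also lack doc comments, and since nil is the signal the deployer relies on to mean "not set", that contract should be written down. Renaming the keys needs the matching change in schema/func_yaml-schema.json from PATCH 1/3.
```go
// PodSecurityContext is the subset of the Kubernetes PodSecurityContext that a
// function's func.yaml can set under the run spec's podSecurityContext key.
// Every field is a pointer; nil means "not set" and the deployer leaves that
// field unset on the generated service.
type PodSecurityContext struct {
	// RunAsUser is the UID the function's containers run as.
	RunAsUser *int64 `yaml:"runAsUser,omitempty"`
	// RunAsGroup is the primary GID of the function's containers.
	RunAsGroup *int64 `yaml:"runAsGroup,omitempty"`
	// RunAsNonRoot, when true, makes the platform refuse to start a pod
	// whose containers would run as UID 0.
	RunAsNonRoot *bool `yaml:"runAsNonRoot,omitempty"`
	// FSGroup is the supplemental GID applied to mounted volumes.
	FSGroup *int64 `yaml:"fsGroup,omitempty"`
}
```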