From 9022bfdc5e9f8ab0118c636a5835cfaed009a14a Mon Sep 17 00:00:00 2001 From: kane8n Date: Fri, 31 May 2024 12:16:25 +0900 Subject: [PATCH] Supports PodSecurityContext and Gatling runner container securityContext --- api/v1alpha1/gatling_types.go | 8 + api/v1alpha1/zz_generated.deepcopy.go | 10 + ...tling-operator.tech.zozo.com_gatlings.yaml | 339 ++++++++++++++++++ config/manager/kustomization.yaml | 8 +- .../gatling-operator_v1alpha1_gatling01.yaml | 7 + controllers/gatling_controller.go | 48 ++- docs/api.md | 8 +- gatling/Dockerfile | 7 +- 8 files changed, 414 insertions(+), 21 deletions(-) diff --git a/api/v1alpha1/gatling_types.go b/api/v1alpha1/gatling_types.go index 13a6157..720d2bd 100644 --- a/api/v1alpha1/gatling_types.go +++ b/api/v1alpha1/gatling_types.go @@ -100,6 +100,14 @@ type PodSpec struct { // (Optional) volumes specification. // +kubebuilder:validation:Optional Volumes []corev1.Volume `json:"volumes,omitempty"` + + // (Optional) SecurityContext specification. + // +kubebuilder:validation:Optional + SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"` + + // (Optional) RunecontainerSecurityContext specifies the SecurityContext of the Gatling runner container. + // +kubebuilder:validation:Optional + RunnerContainerSecurityContext *corev1.SecurityContext `json:"runnerContainerSecurityContext,omitempty"` } // TestScenarioSpec defines the load testing scenario diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index b37d417..79d1b2a 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -209,6 +209,16 @@ func (in *PodSpec) DeepCopyInto(out *PodSpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.SecurityContext != nil { + in, out := &in.SecurityContext, &out.SecurityContext + *out = new(v1.PodSecurityContext) + (*in).DeepCopyInto(*out) + } + if in.RunnerContainerSecurityContext != nil { + in, out := &in.RunnerContainerSecurityContext, &out.RunnerContainerSecurityContext + *out = new(v1.SecurityContext) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSpec. diff --git a/config/crd/bases/gatling-operator.tech.zozo.com_gatlings.yaml b/config/crd/bases/gatling-operator.tech.zozo.com_gatlings.yaml index e72e55a..9e8f68d 100644 --- a/config/crd/bases/gatling-operator.tech.zozo.com_gatlings.yaml +++ b/config/crd/bases/gatling-operator.tech.zozo.com_gatlings.yaml @@ -2343,6 +2343,345 @@ spec: to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + runnerContainerSecurityContext: + description: (Optional) RunecontainerSecurityContext specifies + the SecurityContext of the Gatling runner container. + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a + process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the + container runtime. Note that this field cannot be set when + spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes in + privileged containers are essentially equivalent to root + on the host. Defaults to false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to use + for the containers. The default is DefaultProcMount which + uses the container runtime defaults for readonly paths and + masked paths. This requires the ProcMountType feature flag + to be enabled. Note that this field cannot be set when spec.os.name + is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. + Default is false. Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. Note + that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + securityContext: + description: (Optional) SecurityContext specification. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID. If unspecified, no groups will be added to any container. + Note that this field cannot be set when spec.os.name is + windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object serviceAccountName: description: (Required) ServiceAccountName specification. type: string diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 21a5685..96a118f 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,4 +1,8 @@ resources: - manager.yaml - -# This file will get modified by kustomize file. Please don't commit any changes to the git repo! +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: gatling-operator + newTag: 20240531-112150 diff --git a/config/samples/gatling-operator_v1alpha1_gatling01.yaml b/config/samples/gatling-operator_v1alpha1_gatling01.yaml index 09f6380..9af7dea 100644 --- a/config/samples/gatling-operator_v1alpha1_gatling01.yaml +++ b/config/samples/gatling-operator_v1alpha1_gatling01.yaml @@ -8,6 +8,13 @@ spec: notifyReport: false # The flag of notifying gatling report cleanupAfterJobDone: true # The flag of cleaning up gatling jobs resources after the job done podSpec: + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "1024 65535" + runnerContainerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 serviceAccountName: "gatling-operator-worker" gatlingImage: ghcr.io/st-tech/gatling:latest # Optional. Default: ghcr.io/st-tech/gatling:latest. The image that will be used for Gatling container. rcloneImage: rclone/rclone # Optional. Default: rclone/rclone:latest. The image that will be used for rclone conatiner. diff --git a/controllers/gatling_controller.go b/controllers/gatling_controller.go index 08c74cb..bcad597 100644 --- a/controllers/gatling_controller.go +++ b/controllers/gatling_controller.go @@ -563,6 +563,7 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga Affinity: r.getPodAffinity(gatling), Tolerations: r.getPodTolerations(gatling), ServiceAccountName: r.getPodServiceAccountName(gatling), + SecurityContext: r.getPodSecurityContext(gatling), InitContainers: []corev1.Container{ { Name: "gatling-waiter", @@ -580,13 +581,14 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga }, Containers: []corev1.Container{ { - Name: "gatling-runner", - Image: r.getGatlingContainerImage(gatling), - Command: []string{"/bin/sh", "-c"}, - Args: []string{gatlingRunnerCommand}, - Env: envVars, - Resources: r.getPodResources(gatling), - VolumeMounts: r.getGatlingRunnerJobVolumeMounts(gatling), + Name: "gatling-runner", + Image: r.getGatlingContainerImage(gatling), + Command: []string{"/bin/sh", "-c"}, + Args: []string{gatlingRunnerCommand}, + Env: envVars, + Resources: r.getPodResources(gatling), + VolumeMounts: r.getGatlingRunnerJobVolumeMounts(gatling), + SecurityContext: r.getRunnerContainerSecurityContext(gatling), }, { Name: "gatling-result-transferer", @@ -630,6 +632,7 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga Affinity: r.getPodAffinity(gatling), Tolerations: r.getPodTolerations(gatling), ServiceAccountName: r.getPodServiceAccountName(gatling), + SecurityContext: r.getPodSecurityContext(gatling), InitContainers: []corev1.Container{ { Name: "gatling-waiter", @@ -647,13 +650,14 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga }, Containers: []corev1.Container{ { - Name: "gatling-runner", - Image: r.getGatlingContainerImage(gatling), - Command: []string{"/bin/sh", "-c"}, - Args: []string{gatlingRunnerCommand}, - Env: envVars, - Resources: r.getPodResources(gatling), - VolumeMounts: r.getGatlingRunnerJobVolumeMounts(gatling), + Name: "gatling-runner", + Image: r.getGatlingContainerImage(gatling), + Command: []string{"/bin/sh", "-c"}, + Args: []string{gatlingRunnerCommand}, + Env: envVars, + Resources: r.getPodResources(gatling), + VolumeMounts: r.getGatlingRunnerJobVolumeMounts(gatling), + SecurityContext: r.getRunnerContainerSecurityContext(gatling), }, }, RestartPolicy: "Never", @@ -1110,6 +1114,22 @@ func (r *GatlingReconciler) getResultsDirectoryPath(gatling *gatlingv1alpha1.Gat return path } +func (r *GatlingReconciler) getPodSecurityContext(gatling *gatlingv1alpha1.Gatling) *corev1.PodSecurityContext { + securityContext := &corev1.PodSecurityContext{} + if &gatling.Spec.PodSpec != nil && &gatling.Spec.PodSpec.SecurityContext != nil { + securityContext = gatling.Spec.PodSpec.SecurityContext + } + return securityContext +} + +func (r *GatlingReconciler) getRunnerContainerSecurityContext(gatling *gatlingv1alpha1.Gatling) *corev1.SecurityContext { + securityContext := &corev1.SecurityContext{} + if &gatling.Spec.PodSpec != nil && &gatling.Spec.PodSpec.RunnerContainerSecurityContext != nil { + securityContext = gatling.Spec.PodSpec.RunnerContainerSecurityContext + } + return securityContext +} + func (r *GatlingReconciler) getGenerateLocalReport(gatling *gatlingv1alpha1.Gatling) bool { if &gatling.Spec.GenerateLocalReport == nil { return false diff --git a/docs/api.md b/docs/api.md index 5bdeb50..1b5fe75 100644 --- a/docs/api.md +++ b/docs/api.md @@ -24,8 +24,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `provider` _string_ | (Required) Provider specifies the cloud provider that will be used. -Supported providers: `aws`, `gcp`, and `azure` | +| `provider` _string_ | (Required) Provider specifies the cloud provider that will be used. Supported providers: `aws`, `gcp`, and `azure` | | `bucket` _string_ | (Required) Storage Bucket Name. | | `region` _string_ | (Optional) Region Name. | | `env` _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#envvar-v1-core) array_ | (Optional) Environment variables used for connecting to the cloud providers. | @@ -83,8 +82,7 @@ _Appears in:_ | Field | Description | | --- | --- | -| `provider` _string_ | (Required) Provider specifies notification service provider. -Supported providers: `slack` | +| `provider` _string_ | (Required) Provider specifies notification service provider. Supported providers: `slack` | | `secretName` _string_ | (Required) The name of secret in which all key/value sets needed for the notification are stored. | @@ -136,6 +134,8 @@ _Appears in:_ | `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#toleration-v1-core) array_ | (Optional) Tolerations specification. | | `serviceAccountName` _string_ | (Required) ServiceAccountName specification. | | `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volume-v1-core) array_ | (Optional) volumes specification. | +| `securityContext` _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core)_ | (Optional) SecurityContext specification. | +| `runnerContainerSecurityContext` _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core)_ | (Optional) RunecontainerSecurityContext specifies the SecurityContext of the Gatling runner container. | #### TestScenarioSpec diff --git a/gatling/Dockerfile b/gatling/Dockerfile index f57fb50..733f277 100644 --- a/gatling/Dockerfile +++ b/gatling/Dockerfile @@ -5,6 +5,10 @@ FROM openjdk:17-jdk-slim-bullseye +# create user/group +RUN groupadd -g 1000 gatling && \ + useradd -l -u 1000 -m gatling -g gatling + # working directory for gatling WORKDIR /opt @@ -22,7 +26,8 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y wget unzip && \ mkdir -p /tmp/archive && cd /tmp/archive && \ unzip /tmp/downloads/gatling-$GATLING_VERSION.zip && \ mv /tmp/archive/gatling-charts-highcharts-bundle-$GATLING_VERSION/* /opt/gatling/ && \ - rm -rf /opt/gatling/user-files/simulations/computerdatabase /tmp/* + rm -rf /opt/gatling/user-files/simulations/computerdatabase /tmp/* && \ + chown -R gatling:gatling /opt/gatling # change context to gatling directory WORKDIR /opt/gatling