diff --git a/api/v1alpha1/k6_types.go b/api/v1alpha1/k6_types.go index a1e0fbf7..400c3f3c 100644 --- a/api/v1alpha1/k6_types.go +++ b/api/v1alpha1/k6_types.go @@ -39,6 +39,7 @@ type Pod struct { Resources corev1.ResourceRequirements `json:"resources,omitempty"` ServiceAccountName string `json:"serviceAccountName,omitempty"` SecurityContext corev1.PodSecurityContext `json:"securityContext,omitempty"` + ContainerSecurityContext corev1.SecurityContext `json:"containerSecurityContext,omitempty"` EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"` ReadinessProbe *corev1.Probe `json:"readinessProbe,omitempty"` LivenessProbe *corev1.Probe `json:"livenessProbe,omitempty"` diff --git a/charts/k6-operator/Chart.yaml b/charts/k6-operator/Chart.yaml index 642eeda5..1b747570 100644 --- a/charts/k6-operator/Chart.yaml +++ b/charts/k6-operator/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: "0.0.12" description: A Helm chart to install the k6-operator name: k6-operator -version: 3.3.0 +version: 3.4.0 kubeVersion: ">=1.16.0-0" home: https://k6.io sources: diff --git a/charts/k6-operator/README.md b/charts/k6-operator/README.md index e847a1f6..7020df77 100644 --- a/charts/k6-operator/README.md +++ b/charts/k6-operator/README.md @@ -1,6 +1,6 @@ # k6-operator -![Version: 3.1.0](https://img.shields.io/badge/Version-3.1.0-informational?style=flat-square) ![AppVersion: 0.0.11](https://img.shields.io/badge/AppVersion-0.0.11-informational?style=flat-square) +![Version: 3.4.0](https://img.shields.io/badge/Version-3.4.0-informational?style=flat-square) ![AppVersion: 0.0.12](https://img.shields.io/badge/AppVersion-0.0.12-informational?style=flat-square) A Helm chart to install the k6-operator 
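Review bot: The new `ContainerSecurityContext` field in `Pod` has no doc comment and is a plain `corev1.SecurityContext` value, so `omitempty` never drops it and an unset field still serializes as `{}`. The other hunks in this commit copy it into the container spec as-is, and the generated schema admits `privileged`, `capabilities.add` and `windowsOptions.hostProcess`. As far as this diff shows, whoever may create a TestRun therefore decides the container's privilege level, and any limit has to come from Pod Security admission or a policy engine on the target namespace. I would add `// ContainerSecurityContext is copied unchanged onto the k6 container; the operator does not restrict it.` above the field, and consider `*corev1.SecurityContext` so that unset stays nil. The `Pod` struct continues outside the hunk.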
@@ -38,7 +38,7 @@ Kubernetes: `>=1.16.0-0`
 | manager.env | object | `{}` | Environment variables to be applied on the controller |
 | manager.image.name | string | `"ghcr.io/grafana/k6-operator"` | controller-manager image name |
 | manager.image.pullPolicy | string | `"Always"` | pull policy for the image possible values Always, Never, IfNotPresent (default: Always) |
-| manager.image.tag | string | `"controller-v0.0.11"` | controller-manager image tag |
+| manager.image.tag | string | `"controller-v0.0.12"` | controller-manager image tag |
 | manager.livenessProbe | object | `{}` | Liveness probe in Probe format |
 | manager.readinessProbe | object | `{}` | Readiness probe in Probe format |
 | manager.replicas | int | `1` | number of controller-manager replicas (default: 1) |
diff --git a/charts/k6-operator/templates/crds/k6.yaml b/charts/k6-operator/templates/crds/k6.yaml
index 767a32eb..aab0fba7 100644
--- a/charts/k6-operator/templates/crds/k6.yaml
+++ b/charts/k6-operator/templates/crds/k6.yaml
@@ -884,6 +884,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -2479,6 +2540,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -4096,6 +4218,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: diff --git a/charts/k6-operator/templates/crds/testrun.yaml b/charts/k6-operator/templates/crds/testrun.yaml index e7b0438e..88717b83 100644 --- a/charts/k6-operator/templates/crds/testrun.yaml +++ b/charts/k6-operator/templates/crds/testrun.yaml 
@@ -886,6 +886,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -2481,6 +2542,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -4098,6 +4220,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: diff --git a/config/crd/bases/k6.io_k6s.yaml b/config/crd/bases/k6.io_k6s.yaml index 7946a209..18cb322a 100644 --- a/config/crd/bases/k6.io_k6s.yaml +++ b/config/crd/bases/k6.io_k6s.yaml 
@@ -414,6 +414,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -2103,6 +2164,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -3813,6 +3935,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: diff --git a/config/crd/bases/k6.io_testruns.yaml b/config/crd/bases/k6.io_testruns.yaml index 7b0ce871..204622f1 100644 --- a/config/crd/bases/k6.io_testruns.yaml +++ b/config/crd/bases/k6.io_testruns.yaml 
@@ -412,6 +412,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -2101,6 +2162,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -3811,6 +3933,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: diff --git a/config/samples/k6_v1alpha1_k6_with_securitycontext.yaml b/config/samples/k6_v1alpha1_k6_with_securitycontext.yaml new file mode 100644 index 00000000..e8b230ba --- /dev/null +++ b/config/samples/k6_v1alpha1_k6_with_securitycontext.yaml 
@@ -0,0 +1,53 @@ +--- +apiVersion: k6.io/v1alpha1 +kind: TestRun +metadata: + name: k6-sample +spec: + parallelism: 4 + script: + configMap: + name: k6-test + file: test.js + initializer: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + fsGroup: 1 + runAsNonRoot: true + runAsUser: 12345 + seccompProfile: + type: RuntimeDefault + supplementalGroups: + - 12345 + starter: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + fsGroup: 1 + runAsNonRoot: true + runAsUser: 12345 + seccompProfile: + type: RuntimeDefault + supplementalGroups: + - 12345 + runner: + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + fsGroup: 1 + runAsNonRoot: true + runAsUser: 12345 + seccompProfile: + type: RuntimeDefault + supplementalGroups: + - 12345 diff --git a/pkg/resources/containers/curl_start.go b/pkg/resources/containers/curl_start.go index 25ee949c..ca14b0d8 100644 --- a/pkg/resources/containers/curl_start.go +++ b/pkg/resources/containers/curl_start.go @@ -12,7 +12,7 @@ import ( ) // NewStartContainer is used to get a template for a new k6 starting curl container. -func NewStartContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar) corev1.Container { +func NewStartContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar, securityContext corev1.SecurityContext) corev1.Container { req, _ := json.Marshal( types.StatusAPIRequest{ Data: types.StatusAPIRequestData{ @@ -48,5 +48,6 @@ func NewStartContainer(hostnames []string, image string, imagePullPolicy corev1. command, strings.Join(parts, ";"), ), + SecurityContext: &securityContext, } } diff --git a/pkg/resources/containers/curl_stop.go b/pkg/resources/containers/curl_stop.go index bc71fa3e..638055a4 100644 
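Review bot: `fsGroup: 1` in all three blocks of the sample (initializer, starter, runner) stands out next to `runAsUser: 12345` and a `supplementalGroups` entry of 12345. On common base images gid 1 is a system group such as `daemon` or `bin` (an assumption about the image, which the hunk does not show), so files on mounted volumes would become group-owned by it. Unless that is intended, `fsGroup: 12345` keeps the sample on a single unprivileged id. If the sample is meant to demonstrate a restricted Pod Security setup, a one-line comment at the top saying so would tell readers why each field is present.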
--- a/pkg/resources/containers/curl_stop.go +++ b/pkg/resources/containers/curl_stop.go @@ -12,7 +12,7 @@ import ( ) // NewStopContainer is used to get a template for a new k6 stop curl container. -func NewStopContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar) corev1.Container { +func NewStopContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar, securityContext corev1.SecurityContext) corev1.Container { req, _ := json.Marshal( types.StatusAPIRequest{ Data: types.StatusAPIRequestData{ @@ -48,5 +48,6 @@ func NewStopContainer(hostnames []string, image string, imagePullPolicy corev1.P command, strings.Join(parts, ";"), ), + SecurityContext: &securityContext, } } diff --git a/pkg/resources/jobs/helpers.go b/pkg/resources/jobs/helpers.go index df8fd014..ec25e815 100644 --- a/pkg/resources/jobs/helpers.go +++ b/pkg/resources/jobs/helpers.go @@ -139,6 +139,7 @@ func getInitContainers(k6Spec *v1alpha1.TestRunSpec, script *types.Script) []cor Env: k6InitContainer.Env, VolumeMounts: volumeMounts, ImagePullPolicy: k6Spec.Runner.ImagePullPolicy, + SecurityContext: &k6Spec.Runner.ContainerSecurityContext, } initContainers = append(initContainers, initContainer) } diff --git a/pkg/resources/jobs/initializer.go b/pkg/resources/jobs/initializer.go index 1b25449b..3e2e3ffb 100644 --- a/pkg/resources/jobs/initializer.go +++ b/pkg/resources/jobs/initializer.go @@ -125,6 +125,7 @@ func NewInitializerJob(k6 v1alpha1.TestRunI, argLine string) (*batchv1.Job, erro VolumeMounts: volumeMounts, EnvFrom: k6.GetSpec().Initializer.EnvFrom, Ports: ports, + SecurityContext: &k6.GetSpec().Initializer.ContainerSecurityContext, }, }, Volumes: volumes, diff --git a/pkg/resources/jobs/initializer_test.go b/pkg/resources/jobs/initializer_test.go index b1626ef8..868d13ef 100644 --- a/pkg/resources/jobs/initializer_test.go +++ b/pkg/resources/jobs/initializer_test.go 
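Review bot: In `getInitContainers` the init containers are given `&k6Spec.Runner.ContainerSecurityContext`, so their privileges cannot be set separately from the runner's. An init container that needs more than the runner (for example to prepare a volume) then forces the user to loosen the context of the long-running k6 container as well; a per-init-container field, or at least a comment stating the inheritance, would make that explicit. The expression also hands out a pointer into the spec, as do the `initializer.go` and `runner.go` hunks, so the generated containers share one struct with the TestRun object; `SecurityContext: k6Spec.Runner.ContainerSecurityContext.DeepCopy(),` avoids the aliasing. The function body starts and ends outside the hunk.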
@@ -75,9 +75,10 @@ func TestNewInitializerJob(t *testing.T) { }, }, }, - Resources: corev1.ResourceRequirements{}, - VolumeMounts: script.VolumeMount(), - Ports: []corev1.ContainerPort{{ContainerPort: 6565}}, + Resources: corev1.ResourceRequirements{}, + VolumeMounts: script.VolumeMount(), + Ports: []corev1.ContainerPort{{ContainerPort: 6565}}, + SecurityContext: &corev1.SecurityContext{}, }, }, Volumes: script.Volume(), diff --git a/pkg/resources/jobs/runner.go b/pkg/resources/jobs/runner.go index 9e56fb26..97108622 100644 --- a/pkg/resources/jobs/runner.go +++ b/pkg/resources/jobs/runner.go @@ -183,6 +183,7 @@ func NewRunnerJob(k6 v1alpha1.TestRunI, index int, token string) (*batchv1.Job, EnvFrom: k6.GetSpec().Runner.EnvFrom, LivenessProbe: generateProbe(k6.GetSpec().Runner.LivenessProbe), ReadinessProbe: generateProbe(k6.GetSpec().Runner.ReadinessProbe), + SecurityContext: &k6.GetSpec().Runner.ContainerSecurityContext, }}, TerminationGracePeriodSeconds: &zero, Volumes: volumes, diff --git a/pkg/resources/jobs/runner_test.go b/pkg/resources/jobs/runner_test.go index 9aa1e882..0765db49 100644 --- a/pkg/resources/jobs/runner_test.go +++ b/pkg/resources/jobs/runner_test.go @@ -356,6 +356,7 @@ func TestNewRunnerJob(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -479,6 +480,7 @@ func TestNewRunnerJobNoisy(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -593,6 +595,7 @@ func TestNewRunnerJobUnpaused(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -707,6 +710,7 @@ func TestNewRunnerJobArguments(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), 
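Review bot: The expected job in `TestNewInitializerJob` only gains `SecurityContext: &corev1.SecurityContext{}`, which checks the unset case; none of the visible test hunks asserts that a non-empty `ContainerSecurityContext` reaches the container. The same holds for the `runner_test.go`, `starter_test.go` and `stopper_test.go` hunks. Because this field is what carries settings such as `allowPrivilegeEscalation: false` and dropped capabilities into the pods, I would add a case that sets it on the spec and expects the identical value on the container (and on the init containers in `TestNewRunnerJobWithInitContainer`). That would catch a wiring mistake such as reading another role's field. The test body extends beyond the hunk.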
@@ -822,6 +826,7 @@ func TestNewRunnerJobServiceAccount(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -951,6 +956,7 @@ func TestNewRunnerJobIstio(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -1075,6 +1081,7 @@ func TestNewRunnerJobCloud(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -1191,6 +1198,7 @@ func TestNewRunnerJobLocalFile(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -1293,6 +1301,7 @@ func TestNewRunnerJobWithInitContainer(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }, }, Containers: []corev1.Container{{ @@ -1331,6 +1340,7 @@ func TestNewRunnerJobWithInitContainer(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: script.Volume(), @@ -1470,6 +1480,7 @@ func TestNewRunnerJobWithVolume(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }, }, Containers: []corev1.Container{{ @@ -1508,6 +1519,7 @@ func TestNewRunnerJobWithVolume(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{}, }}, TerminationGracePeriodSeconds: &zero, Volumes: expectedVolumes, diff --git a/pkg/resources/jobs/starter.go b/pkg/resources/jobs/starter.go index ca8adffd..44ba5da9 100644 --- a/pkg/resources/jobs/starter.go +++ b/pkg/resources/jobs/starter.go 
@@ -67,7 +67,7 @@ func NewStarterJob(k6 v1alpha1.TestRunI, hostname []string) *batchv1.Job { SecurityContext: &k6.GetSpec().Starter.SecurityContext, ImagePullSecrets: k6.GetSpec().Starter.ImagePullSecrets, Containers: []corev1.Container{ - containers.NewStartContainer(hostname, starterImage, k6.GetSpec().Starter.ImagePullPolicy, command, env), + containers.NewStartContainer(hostname, starterImage, k6.GetSpec().Starter.ImagePullPolicy, command, env, k6.GetSpec().Starter.ContainerSecurityContext), }, }, }, diff --git a/pkg/resources/jobs/starter_test.go b/pkg/resources/jobs/starter_test.go index bb8281ae..b2d2347a 100644 --- a/pkg/resources/jobs/starter_test.go +++ b/pkg/resources/jobs/starter_test.go @@ -51,7 +51,7 @@ func TestNewStarterJob(t *testing.T) { SecurityContext: &corev1.PodSecurityContext{}, Containers: []corev1.Container{ containers.NewStartContainer([]string{"testing"}, "image", corev1.PullNever, []string{"sh", "-c"}, - []corev1.EnvVar{}), + []corev1.EnvVar{}, corev1.SecurityContext{}), }, }, }, @@ -143,7 +143,9 @@ func TestNewStarterJobIstio(t *testing.T) { { Name: "WAIT_FOR_ENVOY_TIMEOUT", Value: "15", - }}), + }}, + corev1.SecurityContext{}, + ), }, }, }, diff --git a/pkg/resources/jobs/stopper.go b/pkg/resources/jobs/stopper.go index 4476d7d7..2c19b3ee 100644 --- a/pkg/resources/jobs/stopper.go +++ b/pkg/resources/jobs/stopper.go @@ -25,7 +25,7 @@ func NewStopJob(k6 v1alpha1.TestRunI, hostname []string) *batchv1.Job { env := newIstioEnvVar(k6.GetSpec().Scuttle, istioEnabled) job.Spec.Template.Spec.Containers = []corev1.Container{ - containers.NewStopContainer(hostname, image, k6.GetSpec().Starter.ImagePullPolicy, command, env), + containers.NewStopContainer(hostname, image, k6.GetSpec().Starter.ImagePullPolicy, command, env, k6.GetSpec().Starter.ContainerSecurityContext), } return job diff --git a/pkg/resources/jobs/stopper_test.go b/pkg/resources/jobs/stopper_test.go index 6c4166e1..9f0829d8 100644 --- a/pkg/resources/jobs/stopper_test.go 
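Review bot: `NewStopJob` passes `k6.GetSpec().Starter.ContainerSecurityContext` to `NewStopContainer`, so the stop container is hardened only through the starter's setting, and nothing in the hunk or the sample manifest says so. This follows the `Starter.ImagePullPolicy` argument on the same line, but for a security setting the coupling deserves a comment, e.g. `// The stop container reuses Starter.ContainerSecurityContext, like Starter.ImagePullPolicy.` Whether the stop job's pod-level `SecurityContext` is also taken from the starter is not visible here, because `NewStopJob` starts outside the hunk.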
+++ b/pkg/resources/jobs/stopper_test.go @@ -50,7 +50,7 @@ func TestNewStopperJob(t *testing.T) { SecurityContext: &corev1.PodSecurityContext{}, Containers: []corev1.Container{ containers.NewStopContainer([]string{"testing"}, "image", corev1.PullNever, []string{"sh", "-c"}, - []corev1.EnvVar{}), + []corev1.EnvVar{}, corev1.SecurityContext{}), }, }, }, @@ -141,7 +141,9 @@ func TestNewStopJobIstio(t *testing.T) { { Name: "WAIT_FOR_ENVOY_TIMEOUT", Value: "15", - }}), + }}, + corev1.SecurityContext{}, + ), }, }, },