From 1aa79ead80c6e3f3be4991c919cb8b2e1d43c7b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20=C5=81aszkiewicz?=
Date: Wed, 6 Dec 2023 10:46:15 +0100
Subject: [PATCH 1/5] feat: container level security context
---
 api/v1alpha1/k6_types.go | 1 +
 charts/k6-operator/README.md | 2 +-
 charts/k6-operator/templates/crds/k6.yaml | 183 ++++++++++++++++++
 .../k6-operator/templates/crds/testrun.yaml | 183 ++++++++++++++++++
 config/crd/bases/k6.io_k6s.yaml | 183 ++++++++++++++++++
 config/crd/bases/k6.io_testruns.yaml | 183 ++++++++++++++++++
 pkg/resources/containers/curl_start.go | 3 +-
 pkg/resources/containers/curl_stop.go | 3 +-
 pkg/resources/jobs/initializer.go | 1 +
 pkg/resources/jobs/initializer_test.go | 1 +
 pkg/resources/jobs/runner.go | 1 +
 pkg/resources/jobs/runner_test.go | 10 +
 pkg/resources/jobs/starter.go | 2 +-
 pkg/resources/jobs/starter_test.go | 6 +-
 pkg/resources/jobs/stopper.go | 2 +-
 pkg/resources/jobs/stopper_test.go | 6 +-
 16 files changed, 761 insertions(+), 9 deletions(-)
diff --git a/api/v1alpha1/k6_types.go b/api/v1alpha1/k6_types.go
index a1e0fbf7..400c3f3c 100644
--- a/api/v1alpha1/k6_types.go
+++ b/api/v1alpha1/k6_types.go
@@ -39,6 +39,7 @@ type Pod struct {
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 	SecurityContext corev1.PodSecurityContext `json:"securityContext,omitempty"`
+	ContainerSecurityContext corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`
 	ReadinessProbe *corev1.Probe `json:"readinessProbe,omitempty"`
 	LivenessProbe *corev1.Probe `json:"livenessProbe,omitempty"`
diff --git a/charts/k6-operator/README.md b/charts/k6-operator/README.md
index e847a1f6..a9f2cca8 100644
--- a/charts/k6-operator/README.md
+++ b/charts/k6-operator/README.md
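Review bot: The new `ContainerSecurityContext` field on `Pod` has no doc comment, and since the CRD `description` is generated from it, users get no hint which containers it reaches (the k6 container, the curl start/stop containers and, after the second patch in this series, every init container of the runner) or that pod-level settings still belong in `SecurityContext`. Suggest `// ContainerSecurityContext is applied to every container created for this pod; pod-level settings belong in SecurityContext.` above the field. Because the struct is stored by value, an unset field still yields a non-nil `&corev1.SecurityContext{}` on each container and `omitempty` never omits it when serialized; that mirrors the neighbouring `SecurityContext corev1.PodSecurityContext` line, so it is only worth changing to a pointer if both fields move together. The `Pod` struct continues outside the hunk.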
@@ -1,6 +1,6 @@ # k6-operator -![Version: 3.1.0](https://img.shields.io/badge/Version-3.1.0-informational?style=flat-square) ![AppVersion: 0.0.11](https://img.shields.io/badge/AppVersion-0.0.11-informational?style=flat-square) +![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![AppVersion: 0.0.11](https://img.shields.io/badge/AppVersion-0.0.11-informational?style=flat-square) A Helm chart to install the k6-operator diff --git a/charts/k6-operator/templates/crds/k6.yaml b/charts/k6-operator/templates/crds/k6.yaml index 767a32eb..aab0fba7 100644 --- a/charts/k6-operator/templates/crds/k6.yaml +++ b/charts/k6-operator/templates/crds/k6.yaml @@ -884,6 +884,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -2479,6 +2540,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -4096,6 +4218,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: diff --git a/charts/k6-operator/templates/crds/testrun.yaml b/charts/k6-operator/templates/crds/testrun.yaml index e7b0438e..88717b83 100644 --- a/charts/k6-operator/templates/crds/testrun.yaml +++ b/charts/k6-operator/templates/crds/testrun.yaml 
@@ -886,6 +886,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -2481,6 +2542,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: 
@@ -4098,6 +4220,67 @@ spec: type: string type: object type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object serviceAccountName: type: string tolerations: diff --git a/config/crd/bases/k6.io_k6s.yaml b/config/crd/bases/k6.io_k6s.yaml index 7946a209..18cb322a 100644 --- a/config/crd/bases/k6.io_k6s.yaml +++ b/config/crd/bases/k6.io_k6s.yaml 
@@ -414,6 +414,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -2103,6 +2164,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -3813,6 +3935,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: diff --git a/config/crd/bases/k6.io_testruns.yaml b/config/crd/bases/k6.io_testruns.yaml index 7b0ce871..204622f1 100644 --- a/config/crd/bases/k6.io_testruns.yaml +++ b/config/crd/bases/k6.io_testruns.yaml 
@@ -412,6 +412,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -2101,6 +2162,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
@@ -3811,6 +3933,67 @@ spec: type: object automountServiceAccountToken: type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties:
diff --git a/pkg/resources/containers/curl_start.go b/pkg/resources/containers/curl_start.go
index 25ee949c..ca14b0d8 100644
--- a/pkg/resources/containers/curl_start.go
+++ b/pkg/resources/containers/curl_start.go
@@ -12,7 +12,7 @@ import (
 )
 
 // NewStartContainer is used to get a template for a new k6 starting curl container.
-func NewStartContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar) corev1.Container {
+func NewStartContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar, securityContext corev1.SecurityContext) corev1.Container {
 	req, _ := json.Marshal(
 		types.StatusAPIRequest{
 			Data: types.StatusAPIRequestData{
@@ -48,5 +48,6 @@ func NewStartContainer(hostnames []string, image string, imagePullPolicy corev1.
 			command,
 			strings.Join(parts, ";"),
 		),
+		SecurityContext: &securityContext,
 	}
 }
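Review bot: `NewStartContainer` takes `securityContext corev1.SecurityContext` by value and then stores `&securityContext`, the address of the parameter copy, in the returned `corev1.Container`; the target field is already a pointer, so accepting `securityContext *corev1.SecurityContext` and assigning it directly avoids copying a multi-field struct on every call and lets a caller express "unset" as nil. `NewStopContainer` in curl_stop.go has exactly the same shape. If the by-value signature is kept, the function comment should say so, e.g. `// securityContext is copied into the returned container's SecurityContext.` The body of `NewStartContainer` between the two hunks is outside the view.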
diff --git a/pkg/resources/containers/curl_stop.go b/pkg/resources/containers/curl_stop.go
index bc71fa3e..638055a4 100644
--- a/pkg/resources/containers/curl_stop.go
+++ b/pkg/resources/containers/curl_stop.go
@@ -12,7 +12,7 @@ import (
 )
 
 // NewStopContainer is used to get a template for a new k6 stop curl container.
-func NewStopContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar) corev1.Container {
+func NewStopContainer(hostnames []string, image string, imagePullPolicy corev1.PullPolicy, command []string, env []corev1.EnvVar, securityContext corev1.SecurityContext) corev1.Container {
 	req, _ := json.Marshal(
 		types.StatusAPIRequest{
 			Data: types.StatusAPIRequestData{
@@ -48,5 +48,6 @@ func NewStopContainer(hostnames []string, image string, imagePullPolicy corev1.P
 			command,
 			strings.Join(parts, ";"),
 		),
+		SecurityContext: &securityContext,
 	}
 }
diff --git a/pkg/resources/jobs/initializer.go b/pkg/resources/jobs/initializer.go
index 1b25449b..3e2e3ffb 100644
--- a/pkg/resources/jobs/initializer.go
+++ b/pkg/resources/jobs/initializer.go
@@ -125,6 +125,7 @@ func NewInitializerJob(k6 v1alpha1.TestRunI, argLine string) (*batchv1.Job, erro
 							VolumeMounts: volumeMounts,
 							EnvFrom: k6.GetSpec().Initializer.EnvFrom,
 							Ports: ports,
+							SecurityContext: &k6.GetSpec().Initializer.ContainerSecurityContext,
 						},
 					},
 					Volumes: volumes,
diff --git a/pkg/resources/jobs/initializer_test.go b/pkg/resources/jobs/initializer_test.go
index b1626ef8..5ba9b7a3 100644
--- a/pkg/resources/jobs/initializer_test.go
+++ b/pkg/resources/jobs/initializer_test.go
@@ -78,6 +78,7 @@ func TestNewInitializerJob(t *testing.T) {
 							Resources: corev1.ResourceRequirements{},
 							VolumeMounts: script.VolumeMount(),
 							Ports: []corev1.ContainerPort{{ContainerPort: 6565}},
+							SecurityContext: &corev1.SecurityContext{},
 						},
 					},
 					Volumes: script.Volume(),
diff --git a/pkg/resources/jobs/runner.go b/pkg/resources/jobs/runner.go
index 9e56fb26..97108622 100644
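Review bot: `SecurityContext: &k6.GetSpec().Initializer.ContainerSecurityContext` in initializer.go puts a pointer into the TestRun spec itself into the Job's pod template — `GetSpec()` must return a pointer for that address-of to compile — so the Job object and the custom resource now share one struct, and anything that later mutates the Job's container security context writes through to the spec (and, if the spec comes from the controller's informer cache, to the cached object; not visible here). The pre-existing pod-level `SecurityContext: &k6.GetSpec().Starter.SecurityContext` in starter.go has the same property, so this is consistent with the codebase, but a detached copy is cheap: `SecurityContext: k6.GetSpec().Initializer.ContainerSecurityContext.DeepCopy(),`. The same applies to `&k6.GetSpec().Runner.ContainerSecurityContext` in runner.go and to `&k6Spec.Runner.ContainerSecurityContext` in helpers.go in the second patch. `NewInitializerJob` starts before and ends after this hunk.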
--- a/pkg/resources/jobs/runner.go
+++ b/pkg/resources/jobs/runner.go
@@ -183,6 +183,7 @@ func NewRunnerJob(k6 v1alpha1.TestRunI, index int, token string) (*batchv1.Job,
 						EnvFrom: k6.GetSpec().Runner.EnvFrom,
 						LivenessProbe: generateProbe(k6.GetSpec().Runner.LivenessProbe),
 						ReadinessProbe: generateProbe(k6.GetSpec().Runner.ReadinessProbe),
+						SecurityContext: &k6.GetSpec().Runner.ContainerSecurityContext,
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: volumes,
diff --git a/pkg/resources/jobs/runner_test.go b/pkg/resources/jobs/runner_test.go
index 9aa1e882..45ff01a6 100644
--- a/pkg/resources/jobs/runner_test.go
+++ b/pkg/resources/jobs/runner_test.go
@@ -356,6 +356,7 @@ func TestNewRunnerJob(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -479,6 +480,7 @@ func TestNewRunnerJobNoisy(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -593,6 +595,7 @@ func TestNewRunnerJobUnpaused(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -707,6 +710,7 @@ func TestNewRunnerJobArguments(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -822,6 +826,7 @@ func TestNewRunnerJobServiceAccount(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -951,6 +956,7 @@ func TestNewRunnerJobIstio(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -1075,6 +1081,7 @@ func TestNewRunnerJobCloud(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
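Review bot: Every updated expectation in runner_test.go (this `TestNewRunnerJob` hunk and the Noisy, Unpaused, Arguments, ServiceAccount, Istio, Cloud, LocalFile, WithInitContainer and WithVolume ones) only pins the empty default `SecurityContext: &corev1.SecurityContext{}`; no test sets a non-empty `ContainerSecurityContext` on the spec and checks that it reaches the k6 container. A regression that dropped the new line in runner.go would be caught, but one that wired the wrong spec section (say `Initializer` instead of `Runner`) would not, because all sections default to the same empty value. One case that sets, for example, a non-nil `RunAsNonRoot` on `Runner.ContainerSecurityContext` and asserts the container carries the same value would close that gap; the same observation holds for initializer_test.go, starter_test.go and stopper_test.go.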
@@ -1191,6 +1198,7 @@ func TestNewRunnerJobLocalFile(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -1331,6 +1339,7 @@ func TestNewRunnerJobWithInitContainer(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: script.Volume(),
@@ -1508,6 +1517,7 @@ func TestNewRunnerJobWithVolume(t *testing.T) {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{},
 					}},
 					TerminationGracePeriodSeconds: &zero,
 					Volumes: expectedVolumes,
diff --git a/pkg/resources/jobs/starter.go b/pkg/resources/jobs/starter.go
index ca8adffd..44ba5da9 100644
--- a/pkg/resources/jobs/starter.go
+++ b/pkg/resources/jobs/starter.go
@@ -67,7 +67,7 @@ func NewStarterJob(k6 v1alpha1.TestRunI, hostname []string) *batchv1.Job {
 					SecurityContext: &k6.GetSpec().Starter.SecurityContext,
 					ImagePullSecrets: k6.GetSpec().Starter.ImagePullSecrets,
 					Containers: []corev1.Container{
-						containers.NewStartContainer(hostname, starterImage, k6.GetSpec().Starter.ImagePullPolicy, command, env),
+						containers.NewStartContainer(hostname, starterImage, k6.GetSpec().Starter.ImagePullPolicy, command, env, k6.GetSpec().Starter.ContainerSecurityContext),
 					},
 				},
 			},
diff --git a/pkg/resources/jobs/starter_test.go b/pkg/resources/jobs/starter_test.go
index bb8281ae..b2d2347a 100644
--- a/pkg/resources/jobs/starter_test.go
+++ b/pkg/resources/jobs/starter_test.go
@@ -51,7 +51,7 @@ func TestNewStarterJob(t *testing.T) {
 					SecurityContext: &corev1.PodSecurityContext{},
 					Containers: []corev1.Container{
 						containers.NewStartContainer([]string{"testing"}, "image", corev1.PullNever, []string{"sh", "-c"},
-							[]corev1.EnvVar{}),
+							[]corev1.EnvVar{}, corev1.SecurityContext{}),
 					},
 				},
 			},
@@ -143,7 +143,9 @@ func TestNewStarterJobIstio(t *testing.T) {
 								{
 									Name: "WAIT_FOR_ENVOY_TIMEOUT",
 									Value: "15",
-								}}),
+								}},
+							corev1.SecurityContext{},
+						),
 					},
 				},
 			},
diff --git a/pkg/resources/jobs/stopper.go b/pkg/resources/jobs/stopper.go
index 4476d7d7..2c19b3ee 100644
--- a/pkg/resources/jobs/stopper.go
+++ b/pkg/resources/jobs/stopper.go
@@ -25,7 +25,7 @@ func NewStopJob(k6 v1alpha1.TestRunI, hostname []string) *batchv1.Job {
 	env := newIstioEnvVar(k6.GetSpec().Scuttle, istioEnabled)
 
 	job.Spec.Template.Spec.Containers = []corev1.Container{
-		containers.NewStopContainer(hostname, image, k6.GetSpec().Starter.ImagePullPolicy, command, env),
+		containers.NewStopContainer(hostname, image, k6.GetSpec().Starter.ImagePullPolicy, command, env, k6.GetSpec().Starter.ContainerSecurityContext),
 	}
 
 	return job
diff --git a/pkg/resources/jobs/stopper_test.go b/pkg/resources/jobs/stopper_test.go
index 6c4166e1..9f0829d8 100644
--- a/pkg/resources/jobs/stopper_test.go
+++ b/pkg/resources/jobs/stopper_test.go
@@ -50,7 +50,7 @@ func TestNewStopperJob(t *testing.T) {
 					SecurityContext: &corev1.PodSecurityContext{},
 					Containers: []corev1.Container{
 						containers.NewStopContainer([]string{"testing"}, "image", corev1.PullNever, []string{"sh", "-c"},
-							[]corev1.EnvVar{}),
+							[]corev1.EnvVar{}, corev1.SecurityContext{}),
 					},
 				},
 			},
@@ -141,7 +141,9 @@ func TestNewStopJobIstio(t *testing.T) {
 								{
 									Name: "WAIT_FOR_ENVOY_TIMEOUT",
 									Value: "15",
-								}}),
+								}},
+							corev1.SecurityContext{},
+						),
 					},
 				},
 			},
From 2b368fe9ac62c265b629e933e659aa294693e912 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20=C5=81aszkiewicz?=
Date: Sat, 23 Dec 2023 14:36:38 +0100
Subject: [PATCH 2/5] fix: init container security context
---
 pkg/resources/jobs/helpers.go | 1 +
 pkg/resources/jobs/runner_test.go | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/pkg/resources/jobs/helpers.go b/pkg/resources/jobs/helpers.go
index df8fd014..ec25e815 100644
--- a/pkg/resources/jobs/helpers.go
+++ b/pkg/resources/jobs/helpers.go
@@ -139,6 +139,7 @@ func getInitContainers(k6Spec *v1alpha1.TestRunSpec, script *types.Script) []cor
 			Env: k6InitContainer.Env,
 			VolumeMounts: volumeMounts,
 			ImagePullPolicy: k6Spec.Runner.ImagePullPolicy,
+			SecurityContext: &k6Spec.Runner.ContainerSecurityContext,
 		}
 		initContainers = append(initContainers, initContainer)
 	}
diff --git a/pkg/resources/jobs/runner_test.go b/pkg/resources/jobs/runner_test.go
index 45ff01a6..0765db49 100644
--- a/pkg/resources/jobs/runner_test.go
+++ b/pkg/resources/jobs/runner_test.go
@@ -1301,6 +1301,7 @@ func TestNewRunnerJobWithInitContainer(t *testing.T) {
 									},
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{},
 						},
 					},
 					Containers: []corev1.Container{{
@@ -1479,6 +1480,7 @@ func TestNewRunnerJobWithVolume(t *testing.T) {
 									},
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{},
 						},
 					},
 					Containers: []corev1.Container{{
From 84b75b33767311a79044dc45df769bcbdd472fed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20=C5=81aszkiewicz?=
Date: Tue, 9 Jan 2024 11:06:11 +0100
Subject: [PATCH 3/5] chore: formatting
---
 pkg/resources/jobs/initializer_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/resources/jobs/initializer_test.go b/pkg/resources/jobs/initializer_test.go
index 5ba9b7a3..868d13ef 100644
--- a/pkg/resources/jobs/initializer_test.go
+++ b/pkg/resources/jobs/initializer_test.go
@@ -75,9 +75,9 @@ func TestNewInitializerJob(t *testing.T) {
 								},
 							},
 						},
-						Resources: corev1.ResourceRequirements{},
-						VolumeMounts: script.VolumeMount(),
-						Ports: []corev1.ContainerPort{{ContainerPort: 6565}},
+						Resources: corev1.ResourceRequirements{},
+						VolumeMounts: script.VolumeMount(),
+						Ports: []corev1.ContainerPort{{ContainerPort: 6565}},
 						SecurityContext: &corev1.SecurityContext{},
 					},
 				},
From 0f8817ff0ad5554f496689a52d4fbb25a6e3e556 Mon Sep 17 00:00:00 2001
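Review bot: `getInitContainers` now applies `k6Spec.Runner.ContainerSecurityContext` to every user-supplied init container unconditionally, so an init container that needs something the runner deliberately does not have (for instance a capability to fix ownership of a mounted volume) has no way to get it, and a restrictive runner context propagates to it silently. If the init-container spec type has no security context field of its own (its definition is not visible here), this coupling should at least be stated on the `ContainerSecurityContext` doc comment, e.g. `// Runner.ContainerSecurityContext is also applied to each of the runner's init containers.`; if it does have one, prefer the init container's own value and fall back to the runner's. The `for` loop and `getInitContainers` itself continue outside the hunk.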
From: =?UTF-8?q?=C5=81ukasz=20=C5=81aszkiewicz?= Date: Thu, 11 Jan 2024 09:37:17 +0100 Subject: [PATCH 4/5] chore: documenting, samples, code review --- charts/k6-operator/README.md | 4 +- .../k6_v1alpha1_k6_with_securitycontext.yaml | 53 +++++++++++++++++++ 2 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 config/samples/k6_v1alpha1_k6_with_securitycontext.yaml diff --git a/charts/k6-operator/README.md b/charts/k6-operator/README.md index a9f2cca8..dff7f1f7 100644 --- a/charts/k6-operator/README.md +++ b/charts/k6-operator/README.md @@ -1,6 +1,6 @@ # k6-operator -![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![AppVersion: 0.0.11](https://img.shields.io/badge/AppVersion-0.0.11-informational?style=flat-square) +![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![AppVersion: 0.0.12](https://img.shields.io/badge/AppVersion-0.0.12-informational?style=flat-square) A Helm chart to install the k6-operator @@ -38,7 +38,7 @@ Kubernetes: `>=1.16.0-0` | manager.env | object | `{}` | Environment variables to be applied on the controller | | manager.image.name | string | `"ghcr.io/grafana/k6-operator"` | controller-manager image name | | manager.image.pullPolicy | string | `"Always"` | pull policy for the image possible values Always, Never, IfNotPresent (default: Always) | -| manager.image.tag | string | `"controller-v0.0.11"` | controller-manager image tag | +| manager.image.tag | string | `"controller-v0.0.12"` | controller-manager image tag | | manager.livenessProbe | object | `{}` | Liveness probe in Probe format | | manager.readinessProbe | object | `{}` | Readiness probe in Probe format | | manager.replicas | int | `1` | number of controller-manager replicas (default: 1) | diff --git a/config/samples/k6_v1alpha1_k6_with_securitycontext.yaml b/config/samples/k6_v1alpha1_k6_with_securitycontext.yaml new file mode 100644 index 00000000..e8b230ba --- /dev/null 
+++ b/config/samples/k6_v1alpha1_k6_with_securitycontext.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: k6.io/v1alpha1
+kind: TestRun
+metadata:
+  name: k6-sample
+spec:
+  parallelism: 4
+  script:
+    configMap:
+      name: k6-test
+      file: test.js
+  initializer:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+    securityContext:
+      fsGroup: 1
+      runAsNonRoot: true
+      runAsUser: 12345
+      seccompProfile:
+        type: RuntimeDefault
+      supplementalGroups:
+        - 12345
+  starter:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+    securityContext:
+      fsGroup: 1
+      runAsNonRoot: true
+      runAsUser: 12345
+      seccompProfile:
+        type: RuntimeDefault
+      supplementalGroups:
+        - 12345
+  runner:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+    securityContext:
+      fsGroup: 1
+      runAsNonRoot: true
+      runAsUser: 12345
+      seccompProfile:
+        type: RuntimeDefault
+      supplementalGroups:
+        - 12345
From 1832d3e4917377414b8d66361fffd4af7cb8fc2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20=C5=81aszkiewicz?=
Date: Thu, 11 Jan 2024 14:57:23 +0100
Subject: [PATCH 5/5] chore: version bump
---
 charts/k6-operator/Chart.yaml | 2 +-
 charts/k6-operator/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/k6-operator/Chart.yaml b/charts/k6-operator/Chart.yaml
index 642eeda5..1b747570 100644
--- a/charts/k6-operator/Chart.yaml
+++ b/charts/k6-operator/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "0.0.12"
 description: A Helm chart to install the k6-operator
 name: k6-operator
-version: 3.3.0
+version: 3.4.0
 kubeVersion: ">=1.16.0-0"
 home: https://k6.io
 sources:
diff --git a/charts/k6-operator/README.md b/charts/k6-operator/README.md
index dff7f1f7..7020df77 100644
--- a/charts/k6-operator/README.md
+++ b/charts/k6-operator/README.md
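Review bot: The new sample hardens each of the three roles identically (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) but leaves `readOnlyRootFilesystem` unset, which many admission policies additionally require; if the k6, curl and initializer images do not need to write to their root filesystems (not verifiable here), adding `readOnlyRootFilesystem: true` under each `containerSecurityContext` would make the sample a complete example of a locked-down TestRun. `fsGroup: 1` also reads like a placeholder next to `runAsUser: 12345` and `supplementalGroups: [12345]`; a comment explaining the choice, or aligning it with `12345`, would stop users copying it blindly. Since the same block is repeated three times, a short comment that each `securityContext`/`containerSecurityContext` pair applies only to that role's pod would help readers.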
@@ -1,6 +1,6 @@ # k6-operator -![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![AppVersion: 0.0.12](https://img.shields.io/badge/AppVersion-0.0.12-informational?style=flat-square) +![Version: 3.4.0](https://img.shields.io/badge/Version-3.4.0-informational?style=flat-square) ![AppVersion: 0.0.12](https://img.shields.io/badge/AppVersion-0.0.12-informational?style=flat-square) A Helm chart to install the k6-operator