add the pod security context (#470)
Signed-off-by: Shubham Chaudhary <[email protected]>
ispeakc0de authored Jun 19, 2023
1 parent dc8f359 commit d2a310a
Showing 5 changed files with 138 additions and 39 deletions.
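--- a/controllers/chaosengine_controller.go
+++ b/controllers/chaosengine_controller.go
@@ -168,6 +168,11 @@ func getChaosRunnerLabels(cr *litmuschaosv1alpha1.ChaosEngine) map[string]string
 
 // newGoRunnerPodForCR defines a new go-based Runner Pod
 func (r *ChaosEngineReconciler) newGoRunnerPodForCR(engine *chaosTypes.EngineInfo) (*corev1.Pod, error) {
+var experiment litmuschaosv1alpha1.ChaosExperiment
+if err := r.Client.Get(context.TODO(), types.NamespacedName{Name: engine.Instance.Spec.Experiments[0].Name, Namespace: engine.Instance.Namespace}, &experiment); err != nil {
+return nil, err
+}
+
 engine.VolumeOpts.VolumeOperations(engine.Instance.Spec.Components.Runner.ConfigMaps, engine.Instance.Spec.Components.Runner.Secrets)
 
 containerForRunner := container.NewBuilder().
@@ -196,6 +201,10 @@ func (r *ChaosEngineReconciler) newGoRunnerPodForCR(engine *chaosTypes.EngineInf
 containerForRunner.WithResourceRequirements(engine.Instance.Spec.Components.Runner.Resources)
 }
 
+if !reflect.DeepEqual(experiment.Spec.Definition.SecurityContext.ContainerSecurityContext, corev1.SecurityContext{}) {
+containerForRunner.WithSecurityContext(experiment.Spec.Definition.SecurityContext.ContainerSecurityContext)
+}
+
 podForRunner := pod.NewBuilder().
 WithName(engine.Instance.Name + "-runner").
 WithNamespace(engine.Instance.Namespace).
@@ -221,6 +230,10 @@ func (r *ChaosEngineReconciler) newGoRunnerPodForCR(engine *chaosTypes.EngineInf
 podForRunner.WithImagePullSecrets(engine.Instance.Spec.Components.Runner.ImagePullSecrets)
 }
 
+if !reflect.DeepEqual(experiment.Spec.Definition.SecurityContext.PodSecurityContext, corev1.PodSecurityContext{}) {
+podForRunner.WithSecurityContext(experiment.Spec.Definition.SecurityContext.PodSecurityContext)
+}
+
 runnerPod, err := podForRunner.Build()
 if err != nil {
 return nil, err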
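Review bot: `engine.Instance.Spec.Experiments[0]` in the new lookup at the top of newGoRunnerPodForCR is indexed without a length check, so unless the list is validated earlier (not visible here) a ChaosEngine with no experiments would panic the reconciler instead of returning an error. A guard before the `Get`, such as `if len(engine.Instance.Spec.Experiments) == 0 { return nil, errors.New("no experiment specified in the chaosengine") }` with whichever error package the file already imports, would avoid that. The container and pod security contexts are then copied from the ChaosExperiment onto the runner as-is, and only from the first listed experiment. Whoever can write ChaosExperiment objects in the engine's namespace therefore decides the privileges the runner pod requests, so a comment saying that restriction is left to cluster admission policy would make the trust assumption explicit. The function body continues outside the hunks shown.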
110 changes: 109 additions & 1 deletion controllers/chaosengine_controller_test.go
Expand Up @@ -329,6 +329,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
},
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand All @@ -355,6 +360,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
},
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand Down Expand Up @@ -382,6 +392,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
},
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand Down Expand Up @@ -409,6 +424,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
},
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand All @@ -421,6 +441,13 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
engine: chaosTypes.EngineInfo{
Instance: &v1alpha1.ChaosEngine{
ObjectMeta: metav1.ObjectMeta{},
Spec: v1alpha1.ChaosEngineSpec{
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},
AppExperiments: []string{"exp-1"},
},
Expand All @@ -435,6 +462,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
},
Spec: v1alpha1.ChaosEngineSpec{
ChaosServiceAccount: "fake-serviceAccount",
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand All @@ -451,6 +483,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
},
Spec: v1alpha1.ChaosEngineSpec{
ChaosServiceAccount: "fake-serviceAccount",
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand All @@ -472,6 +509,11 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
Image: "",
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "pod-delete",
},
},
},
},

Expand All @@ -483,6 +525,15 @@ func TestNewGoRunnerPodForCR(t *testing.T) {
for name, mock := range tests {
t.Run(name, func(t *testing.T) {
r := CreateFakeClient(t)
exp := v1alpha1.ChaosExperiment{
ObjectMeta: metav1.ObjectMeta{
Name: "pod-delete",
Namespace: "test",
},
}
if err := r.Client.Create(context.TODO(), &exp); err != nil {
t.Fatalf("Test %q failed: expected error not to be nil", name)
}
_, err := r.newGoRunnerPodForCR(&mock.engine)
if mock.isErr && err == nil {
t.Fatalf("Test %q failed: expected error not to be nil", name)
Expand Down Expand Up @@ -959,6 +1010,11 @@ func TestCheckEngineRunnerPod(t *testing.T) {
Image: "fake-runner-image",
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "exp-1",
},
},
},
},

Expand All @@ -980,6 +1036,11 @@ func TestCheckEngineRunnerPod(t *testing.T) {
Image: "fake-runner-image",
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "exp-1",
},
},
},
},

Expand All @@ -1002,6 +1063,11 @@ func TestCheckEngineRunnerPod(t *testing.T) {
Image: "fake-runner-image",
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "exp-1",
},
},
},
},

Expand All @@ -1024,6 +1090,11 @@ func TestCheckEngineRunnerPod(t *testing.T) {
Image: "fake-runner-image",
},
},
Experiments: []v1alpha1.ExperimentList{
{
Name: "exp-1",
},
},
},
},

Expand All @@ -1036,6 +1107,13 @@ func TestCheckEngineRunnerPod(t *testing.T) {
engine: chaosTypes.EngineInfo{
Instance: &v1alpha1.ChaosEngine{
ObjectMeta: metav1.ObjectMeta{},
Spec: v1alpha1.ChaosEngineSpec{
Experiments: []v1alpha1.ExperimentList{
{
Name: "exp-1",
},
},
},
},

AppExperiments: []string{"exp-1"},
Expand All @@ -1051,6 +1129,11 @@ func TestCheckEngineRunnerPod(t *testing.T) {
},
Spec: v1alpha1.ChaosEngineSpec{
ChaosServiceAccount: "fake-serviceAccount",
Experiments: []v1alpha1.ExperimentList{
{
Name: "exp-1",
},
},
},
},

Expand Down Expand Up @@ -1099,6 +1182,15 @@ func TestCheckEngineRunnerPod(t *testing.T) {
for name, mock := range tests {
t.Run(name, func(t *testing.T) {
r := CreateFakeClient(t)
exp := v1alpha1.ChaosExperiment{
ObjectMeta: metav1.ObjectMeta{
Name: "exp-1",
Namespace: "test",
},
}
if err := r.Client.Create(context.TODO(), &exp); err != nil {
t.Fatalf("Test %q failed: expected error not to be nil", name)
}
reqLogger := chaosTypes.Log.WithValues()
err := r.checkEngineRunnerPod(&mock.engine, reqLogger)
if mock.isErr && err == nil {
Expand Down Expand Up @@ -1506,6 +1598,15 @@ func TestReconcileForCreationAndRunning(t *testing.T) {
for name, mock := range tests {
t.Run(name, func(t *testing.T) {
r := CreateFakeClient(t)
exp := v1alpha1.ChaosExperiment{
ObjectMeta: metav1.ObjectMeta{
Name: "exp-1",
Namespace: "test",
},
}
if err := r.Client.Create(context.TODO(), &exp); err != nil {
t.Fatalf("Test %q failed: expected error not to be nil", name)
}
reqLogger := chaosTypes.Log.WithValues()
_, err := r.reconcileForCreationAndRunning(&mock.engine, reqLogger)
if mock.isErr && err == nil {
Expand Down Expand Up @@ -1534,11 +1635,18 @@ func CreateFakeClient(t *testing.T) *ChaosEngineReconciler {
},
}

exp := &v1alpha1.ChaosExperiment{
ObjectMeta: metav1.ObjectMeta{
Labels: make(map[string]string),
Name: "dummyexp",
},
}

chaosResultList := &v1alpha1.ChaosResultList{
Items: []v1alpha1.ChaosResult{},
}

s.AddKnownTypes(v1alpha1.SchemeGroupVersion, engineR, chaosResultList)
s.AddKnownTypes(v1alpha1.SchemeGroupVersion, engineR, chaosResultList, exp)

recorder := record.NewFakeRecorder(1024)

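Review bot: The new fixture setup in the subtests of TestNewGoRunnerPodForCR, TestCheckEngineRunnerPod and TestReconcileForCreationAndRunning reports a failed `r.Client.Create` with the copied message "expected error not to be nil", which says the opposite of what went wrong and drops the error. I would change it to `t.Fatalf("Test %q failed: unable to create the chaosexperiment fixture: %v", name, err)`. Every ChaosExperiment created here has an empty spec, so neither of the new `WithSecurityContext` branches in newGoRunnerPodForCR is exercised. A case whose experiment sets a non-empty pod and container security context, and asserts both appear on the built runner pod, would cover the behaviour this commit adds.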
18 changes: 10 additions & 8 deletions go.mod
Expand Up @@ -4,17 +4,17 @@ go 1.19

require (
cloud.google.com/go v0.81.0 // indirect
github.com/go-logr/logr v0.4.0
github.com/go-logr/logr v1.2.3
github.com/google/go-cmp v0.5.6 // indirect
github.com/jpillora/go-ogle-analytics v0.0.0-20161213085824-14b04e0594ef
github.com/litmuschaos/elves v0.0.0-20201107015738-552d74669e3c
github.com/litmuschaos/elves v0.0.0-20230607095010-c7119636b529
github.com/pkg/errors v0.9.1
github.com/spf13/pflag v1.0.5 // indirect
golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b // indirect
golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
k8s.io/api v0.22.1
k8s.io/apimachinery v0.22.1
k8s.io/api v0.26.0
k8s.io/apimachinery v0.26.0
k8s.io/client-go v12.0.0+incompatible
sigs.k8s.io/controller-runtime v0.10.0
)
Expand Down Expand Up @@ -64,7 +64,7 @@ require (
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.19.0 // indirect
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/term v0.5.0 // indirect
golang.org/x/text v0.7.0 // indirect
Expand All @@ -78,15 +78,16 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.22.1 // indirect
k8s.io/component-base v0.22.2 // indirect
k8s.io/klog/v2 v2.9.0 // indirect
k8s.io/klog/v2 v2.80.1 // indirect
k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.2.0 // indirect
)

// Pinned to kubernetes-1.21.2
replace (
github.com/go-logr/logr => github.com/go-logr/logr v0.4.0
k8s.io/api => k8s.io/api v0.21.2
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.21.2
k8s.io/apimachinery => k8s.io/apimachinery v0.21.2
Expand All @@ -99,6 +100,7 @@ replace (
k8s.io/component-base => k8s.io/component-base v0.21.2
k8s.io/cri-api => k8s.io/cri-api v0.21.2
k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.21.2
k8s.io/klog/v2 => k8s.io/klog/v2 v2.9.0
k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.21.2
k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.21.2
k8s.io/kube-proxy => k8s.io/kube-proxy v0.21.2
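Review bot: The `require` block now names `k8s.io/api v0.26.0`, `k8s.io/apimachinery v0.26.0`, `github.com/go-logr/logr v1.2.3` and `k8s.io/klog/v2 v2.80.1`, but the `replace` block overrides all four, so the versions actually built are the replaced ones. It still maps `k8s.io/api` and `k8s.io/apimachinery` to v0.21.2, and it appears to gain `github.com/go-logr/logr => github.com/go-logr/logr v0.4.0` and `k8s.io/klog/v2 => k8s.io/klog/v2 v2.9.0`. Anyone auditing dependencies or matching advisories from the `require` lines will read versions that are not in the binary. I would extend the existing comment to say so, for example `// Pinned to kubernetes-1.21.2; logr and klog/v2 are held back as well, so the require versions above are not the ones built`.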
17 changes: 6 additions & 11 deletions go.sum
Expand Up @@ -300,8 +300,6 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
Expand Down Expand Up @@ -619,8 +617,8 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9
github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
github.com/lightstep/lightstep-tracer-go v0.18.0/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
github.com/litmuschaos/elves v0.0.0-20201107015738-552d74669e3c h1:+hlppERdpCxMRW0QC+ckbz/mS6wH+fNVMlDMFGClk7U=
github.com/litmuschaos/elves v0.0.0-20201107015738-552d74669e3c/go.mod h1:DsbHGNUq/78NZozWVVI9Q6eBei4I+JjlkkD5aibJ3MQ=
github.com/litmuschaos/elves v0.0.0-20230607095010-c7119636b529 h1:Id7WZy5wXg7RYHbunkzkXFRolrfAerZzZkpjZ6MEZ/4=
github.com/litmuschaos/elves v0.0.0-20230607095010-c7119636b529/go.mod h1:N4ljNnCRBeKgKw1zThi6wbQGQ2b6tlXb4eCVQRLJIvE=
github.com/lovoo/gcloud-opentracing v0.3.0/go.mod h1:ZFqk2y38kMDDikZPAK7ynTTGuyt17nSPdS3K5e+ZTBY=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
Expand Down Expand Up @@ -1473,9 +1471,6 @@ k8s.io/klog v0.3.3/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
k8s.io/kube-openapi v0.0.0-20190320154901-5e45bb682580/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
Expand All @@ -1493,8 +1488,8 @@ k8s.io/utils v0.0.0-20191114200735-6ca3b61696b6/go.mod h1:sZAwmy6armz5eXlNoLmJcl
k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g=
k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs=
k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/letsencrypt v0.0.3/go.mod h1:buyQKZ6IXrRnB7TdkHP0RyEybLx18HHyOSoTyoOLqNY=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
Expand All @@ -1513,8 +1508,8 @@ sigs.k8s.io/kustomize/kyaml v0.10.17/go.mod h1:mlQFagmkm1P+W4lZJbJ/yaxMd8PqMRSC4
sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=