io.fabric8.kubernetes.api.model.PodSecurityContextBuilder Java Examples
The following examples show how to use
io.fabric8.kubernetes.api.model.PodSecurityContextBuilder.
Example #1
Source File: KafkaBridgeClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the pod-level security context set in the KafkaBridge pod template reaches the
 * pod spec of the generated Deployment with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    KafkaBridge bridge = new KafkaBridgeBuilder(this.resource)
            .editSpec()
                .withNewTemplate()
                    .withNewPod()
                        .withSecurityContext(new PodSecurityContextBuilder()
                                .withFsGroup(123L)
                                .withRunAsGroup(456L)
                                .withRunAsUser(789L)
                                .build())
                    .endPod()
                .endTemplate()
            .endSpec()
            .build();

    Deployment dep = KafkaBridgeCluster.fromCrd(bridge, VERSIONS)
            .generateDeployment(emptyMap(), true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #2
Source File: EntityOperatorTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
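/**
 * Checks that the pod-level security context set in the Entity Operator pod template reaches
 * the pod spec of the generated Deployment with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    Kafka resource = new KafkaBuilder(ResourceUtils.createKafkaCluster(namespace, cluster, replicas, image, healthDelay, healthTimeout))
            .editSpec()
                .withNewEntityOperator()
                    .withTopicOperator(entityTopicOperatorSpec)
                    .withUserOperator(entityUserOperatorSpec)
                    .withNewTemplate()
                        .withNewPod()
                            .withSecurityContext(new PodSecurityContextBuilder()
                                    .withFsGroup(123L)
                                    .withRunAsGroup(456L)
                                    .withRunAsUser(789L)
                                    .build())
                        .endPod()
                    .endTemplate()
                .endEntityOperator()
            .endSpec()
            .build();

    EntityOperator eo = EntityOperator.fromCrd(resource, VERSIONS);
    // Collections.emptyMap() replaces the raw Collections.EMPTY_MAP constant: same empty map,
    // but type-checked against the parameter instead of raising an unchecked warning.
    Deployment dep = eo.generateDeployment(true, Collections.emptyMap(), null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(Long.valueOf(123)));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(Long.valueOf(456)));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(Long.valueOf(789)));
}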
Example #3
Source File: KafkaMirrorMakerClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the pod-level security context set in the KafkaMirrorMaker pod template reaches
 * the pod spec of the generated Deployment with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    KafkaMirrorMaker mirrorMaker = new KafkaMirrorMakerBuilder(this.resource)
            .editSpec()
                .withNewTemplate()
                    .withNewPod()
                        .withSecurityContext(new PodSecurityContextBuilder()
                                .withFsGroup(123L)
                                .withRunAsGroup(456L)
                                .withRunAsUser(789L)
                                .build())
                    .endPod()
                .endTemplate()
            .endSpec()
            .build();

    Deployment dep = KafkaMirrorMakerCluster.fromCrd(mirrorMaker, VERSIONS)
            .generateDeployment(emptyMap(), true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #4
Source File: KafkaConnectClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the pod-level security context set in the KafkaConnect pod template reaches the
 * pod spec of the generated Deployment with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    KafkaConnect connect = new KafkaConnectBuilder(this.resource)
            .editSpec()
                .withNewTemplate()
                    .withNewPod()
                        .withSecurityContext(new PodSecurityContextBuilder()
                                .withFsGroup(123L)
                                .withRunAsGroup(456L)
                                .withRunAsUser(789L)
                                .build())
                    .endPod()
                .endTemplate()
            .endSpec()
            .build();

    Deployment dep = KafkaConnectCluster.fromCrd(connect, VERSIONS)
            .generateDeployment(emptyMap(), true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #5
Source File: ZookeeperClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the pod-level security context set in the ZooKeeper pod template reaches the pod
 * spec of the generated StatefulSet with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    Kafka kafkaAssembly = new KafkaBuilder(ResourceUtils.createKafkaCluster(namespace, cluster, replicas,
            image, healthDelay, healthTimeout, metricsCmJson, configurationJson, emptyMap()))
            .editSpec()
                .editZookeeper()
                    .withNewTemplate()
                        .withNewPod()
                            .withSecurityContext(new PodSecurityContextBuilder()
                                    .withFsGroup(123L)
                                    .withRunAsGroup(456L)
                                    .withRunAsUser(789L)
                                    .build())
                        .endPod()
                    .endTemplate()
                .endZookeeper()
            .endSpec()
            .build();

    StatefulSet sts = ZookeeperCluster.fromCrd(kafkaAssembly, VERSIONS)
            .generateStatefulSet(true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #6
Source File: KafkaMirrorMaker2ClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the pod-level security context set in the KafkaMirrorMaker2 pod template reaches
 * the pod spec of the generated Deployment with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    KafkaMirrorMaker2 mirrorMaker2 = new KafkaMirrorMaker2Builder(this.resource)
            .editSpec()
                .withNewTemplate()
                    .withNewPod()
                        .withSecurityContext(new PodSecurityContextBuilder()
                                .withFsGroup(123L)
                                .withRunAsGroup(456L)
                                .withRunAsUser(789L)
                                .build())
                    .endPod()
                .endTemplate()
            .endSpec()
            .build();

    Deployment dep = KafkaMirrorMaker2Cluster.fromCrd(mirrorMaker2, VERSIONS)
            .generateDeployment(emptyMap(), true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #7
Source File: KafkaConnectS2IClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
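/**
 * Checks that the pod-level security context set in the KafkaConnectS2I pod template reaches
 * the pod spec of the generated DeploymentConfig with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    KafkaConnectS2I resource = new KafkaConnectS2IBuilder(this.resource)
            .editSpec()
                .withNewTemplate()
                    .withNewPod()
                        .withSecurityContext(new PodSecurityContextBuilder()
                                .withFsGroup(123L)
                                .withRunAsGroup(456L)
                                .withRunAsUser(789L)
                                .build())
                    .endPod()
                .endTemplate()
            .endSpec()
            .build();

    KafkaConnectS2ICluster kc = KafkaConnectS2ICluster.fromCrd(resource, VERSIONS);
    // Collections.emptyMap() replaces the raw Collections.EMPTY_MAP constant: same empty map,
    // but type-checked against the parameter instead of raising an unchecked warning.
    DeploymentConfig dep = kc.generateDeploymentConfig(Collections.emptyMap(), true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(Long.valueOf(123)));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(Long.valueOf(456)));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(Long.valueOf(789)));
}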
Example #8
Source File: KafkaClusterTest.java From strimzi-kafka-operator with Apache License 2.0 | 6 votes |
/**
 * Checks that the pod-level security context set in the Kafka broker pod template reaches the
 * pod spec of the generated StatefulSet with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    Kafka kafkaAssembly = new KafkaBuilder(ResourceUtils.createKafkaCluster(namespace, cluster, replicas,
            image, healthDelay, healthTimeout, metricsCm, configuration, emptyMap()))
            .editSpec()
                .editKafka()
                    .withNewTemplate()
                        .withNewPod()
                            .withSecurityContext(new PodSecurityContextBuilder()
                                    .withFsGroup(123L)
                                    .withRunAsGroup(456L)
                                    .withRunAsUser(789L)
                                    .build())
                        .endPod()
                    .endTemplate()
                .endKafka()
            .endSpec()
            .build();

    StatefulSet sts = KafkaCluster.fromCrd(kafkaAssembly, VERSIONS)
            .generateStatefulSet(true, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(sts.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #9
Source File: PodMergerTest.java From che with Eclipse Public License 2.0 | 6 votes |
/**
 * Two pods that request the same runAsUser merge into one Deployment whose pod template
 * carries that runAsUser.
 */
@Test
public void shouldAssignSecurityContextSharedByPods() throws Exception {
    // given: two pod specs with equal security contexts but different additional properties
    PodSecurityContext firstContext = new PodSecurityContextBuilder().withRunAsUser(42L).build();
    PodSpec firstSpec = new PodSpecBuilder().withSecurityContext(firstContext).build();
    firstSpec.setAdditionalProperty("add1", 1L);
    PodData firstPod = new PodData(firstSpec, new ObjectMetaBuilder().build());

    PodSecurityContext secondContext = new PodSecurityContextBuilder().withRunAsUser(42L).build();
    PodSpec secondSpec = new PodSpecBuilder().withSecurityContext(secondContext).build();
    secondSpec.setAdditionalProperty("add2", 2L);
    PodData secondPod = new PodData(secondSpec, new ObjectMetaBuilder().build());

    // when
    Deployment merged = podMerger.merge(Arrays.asList(firstPod, secondPod));

    // then: the shared UID survives the merge
    PodSecurityContext sc = merged.getSpec().getTemplate().getSpec().getSecurityContext();
    assertEquals(sc.getRunAsUser(), Long.valueOf(42L));
}
Example #10
Source File: PodMergerTest.java From che with Eclipse Public License 2.0 | 6 votes |
/**
 * Merging pods whose security contexts disagree (runAsUser 42 vs 43) must be rejected with a
 * ValidationException; the test expects the merge not to pick one of the two UIDs.
 */
@Test(expectedExceptions = ValidationException.class)
public void shouldFailIfSecurityContextDiffersInPods() throws Exception {
    // given: two pod specs that differ in runAsUser
    PodSecurityContext firstContext = new PodSecurityContextBuilder().withRunAsUser(42L).build();
    PodSpec firstSpec = new PodSpecBuilder().withSecurityContext(firstContext).build();
    firstSpec.setAdditionalProperty("add1", 1L);
    PodData firstPod = new PodData(firstSpec, new ObjectMetaBuilder().build());

    PodSecurityContext secondContext = new PodSecurityContextBuilder().withRunAsUser(43L).build();
    PodSpec secondSpec = new PodSpecBuilder().withSecurityContext(secondContext).build();
    secondSpec.setAdditionalProperty("add2", 2L);
    PodData secondPod = new PodData(secondSpec, new ObjectMetaBuilder().build());

    // when: the merge result is irrelevant, only the failure matters
    podMerger.merge(Arrays.asList(firstPod, secondPod));

    // then
    // exception is thrown
}
Example #11
Source File: DeploymentPropertiesResolver.java From spring-cloud-deployer-kubernetes with Apache License 2.0 | 5 votes |
/**
 * Resolves the pod security context for a deployment. Sources are consulted in this order and
 * the first match wins:
 * <ol>
 *   <li>a {@code podSecurityContext} bound from the deployment properties,</li>
 *   <li>the individual {@code .podSecurityContext.runAsUser} and
 *       {@code .podSecurityContext.fsGroup} deployment properties, used only when both are
 *       non-empty,</li>
 *   <li>the pod security context from {@code this.properties}.</li>
 * </ol>
 *
 * @param kubernetesDeployerProperties deployment properties to read the settings from
 * @return the resolved context, or {@code null} when no source provides one
 * @throws NumberFormatException if the individual runAsUser or fsGroup property is not a valid
 *         long
 */
PodSecurityContext getPodSecurityContext(Map<String, String> kubernetesDeployerProperties) {
    KubernetesDeployerProperties deployerProperties = bindProperties(kubernetesDeployerProperties,
            this.propertyPrefix + ".podSecurityContext", "podSecurityContext");

    if (deployerProperties.getPodSecurityContext() != null) {
        return new PodSecurityContextBuilder()
                .withRunAsUser(deployerProperties.getPodSecurityContext().getRunAsUser())
                .withFsGroup(deployerProperties.getPodSecurityContext().getFsGroup())
                .build();
    }

    String runAsUser = PropertyParserUtils.getDeploymentPropertyValue(kubernetesDeployerProperties,
            this.propertyPrefix + ".podSecurityContext.runAsUser");
    String fsGroup = PropertyParserUtils.getDeploymentPropertyValue(kubernetesDeployerProperties,
            this.propertyPrefix + ".podSecurityContext.fsGroup");

    // NOTE(review): a request that sets only one of the two properties is not applied; it falls
    // through to this.properties (or to null), so the pod may run with a different UID or
    // fsGroup than the deployer asked for. Confirm that this is intended.
    if (!(StringUtils.isEmpty(runAsUser) || StringUtils.isEmpty(fsGroup))) {
        // NOTE(review): the values are parsed but not range-checked here; any policy on allowed
        // IDs (for example rejecting UID 0) has to be enforced elsewhere.
        return new PodSecurityContextBuilder()
                .withRunAsUser(Long.valueOf(runAsUser))
                .withFsGroup(Long.valueOf(fsGroup))
                .build();
    }

    if (this.properties.getPodSecurityContext() != null) {
        return new PodSecurityContextBuilder()
                .withRunAsUser(this.properties.getPodSecurityContext().getRunAsUser())
                .withFsGroup(this.properties.getPodSecurityContext().getFsGroup())
                .build();
    }

    return null;
}
Example #12
Source File: CruiseControlTest.java From strimzi-kafka-operator with Apache License 2.0 | 5 votes |
/**
 * Checks that the pod-level security context set in the Cruise Control pod template reaches
 * the pod spec of the generated Deployment with fsGroup, runAsGroup and runAsUser intact.
 */
@Test
public void testSecurityContext() {
    // Each field gets a distinct value, so a dropped or swapped ID fails an assertion below.
    // NOTE(review): the raw (Map) cast is kept as in the original; the element types of
    // asMap() are not visible here.
    CruiseControlSpec cruiseControlSpec = new CruiseControlSpecBuilder()
            .withImage(ccImage)
            .withConfig((Map) configuration.asOrderedProperties().asMap())
            .withNewTemplate()
                .withNewPod()
                    .withSecurityContext(new PodSecurityContextBuilder()
                            .withFsGroup(123L)
                            .withRunAsGroup(456L)
                            .withRunAsUser(789L)
                            .build())
                .endPod()
            .endTemplate()
            .build();

    Kafka kafka = new KafkaBuilder(ResourceUtils.createKafkaCluster(namespace, cluster, replicas,
            image, healthDelay, healthTimeout))
            .editSpec()
                .editKafka()
                    .withVersion(version)
                .endKafka()
                .withCruiseControl(cruiseControlSpec)
            .endSpec()
            .build();

    Deployment dep = CruiseControl.fromCrd(kafka, VERSIONS)
            .generateDeployment(true, null, null, null);

    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext(), is(notNullValue()));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getFsGroup(), is(123L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsGroup(), is(456L));
    assertThat(dep.getSpec().getTemplate().getSpec().getSecurityContext().getRunAsUser(), is(789L));
}
Example #13
Source File: AbstractModel.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Assembles the StatefulSet for this component from the supplied pod-level pieces and the
 * template overrides held in this model's fields.
 *
 * @param stsAnnotations   annotations merged with the template StatefulSet annotations
 * @param podAnnotations   annotations merged with the template pod annotations
 * @param volumes          volumes of the pod
 * @param volumeClaims     volume claim templates of the StatefulSet
 * @param affinity         affinity of the pod
 * @param initContainers   init containers of the pod
 * @param containers       containers of the pod
 * @param imagePullSecrets pull secrets used only when the template defines none
 * @param isOpenShift      when {@code true}, no default fsGroup is applied
 * @return the built StatefulSet
 */
protected StatefulSet createStatefulSet(
        Map<String, String> stsAnnotations,
        Map<String, String> podAnnotations,
        List<Volume> volumes,
        List<PersistentVolumeClaim> volumeClaims,
        Affinity affinity,
        List<Container> initContainers,
        List<Container> containers,
        List<LocalObjectReference> imagePullSecrets,
        boolean isOpenShift) {

    // A default fsGroup is applied only when persistent storage is used, the cluster is plain
    // Kubernetes (not OpenShift) and the user configured no PodSecurityContext. It gives each
    // pod write permission on the volume under one group, so a pod that changes users does not
    // hit permission issues.
    boolean useDefaultFsGroup = ModelUtils.containsPersistentStorage(storage)
            && !isOpenShift
            && templateSecurityContext == null;

    // A user-supplied context is passed through untouched: if it omits fsGroup, none is added.
    PodSecurityContext securityContext = useDefaultFsGroup
            ? new PodSecurityContextBuilder().withFsGroup(AbstractModel.DEFAULT_FS_GROUPID).build()
            : templateSecurityContext;

    return new StatefulSetBuilder()
            .withNewMetadata()
                .withName(name)
                .withLabels(getLabelsWithStrimziName(name, templateStatefulSetLabels).toMap())
                .withNamespace(namespace)
                .withAnnotations(mergeLabelsOrAnnotations(stsAnnotations, templateStatefulSetAnnotations))
                .withOwnerReferences(createOwnerReference())
            .endMetadata()
            .withNewSpec()
                .withPodManagementPolicy(templatePodManagementPolicy.toValue())
                .withUpdateStrategy(new StatefulSetUpdateStrategyBuilder().withType("OnDelete").build())
                .withSelector(new LabelSelectorBuilder().withMatchLabels(getSelectorLabels().toMap()).build())
                .withServiceName(headlessServiceName)
                .withReplicas(replicas)
                .withNewTemplate()
                    .withNewMetadata()
                        .withName(name)
                        .withLabels(getLabelsWithStrimziName(name, templatePodLabels).toMap())
                        .withAnnotations(mergeLabelsOrAnnotations(podAnnotations, templatePodAnnotations))
                    .endMetadata()
                    .withNewSpec()
                        .withServiceAccountName(getServiceAccountName())
                        .withAffinity(affinity)
                        .withInitContainers(initContainers)
                        .withContainers(containers)
                        .withVolumes(volumes)
                        .withTolerations(getTolerations())
                        .withTerminationGracePeriodSeconds(Long.valueOf(templateTerminationGracePeriodSeconds))
                        // Template pull secrets replace, rather than extend, the ones passed in.
                        .withImagePullSecrets(templateImagePullSecrets != null ? templateImagePullSecrets : imagePullSecrets)
                        .withSecurityContext(securityContext)
                        .withPriorityClassName(templatePodPriorityClassName)
                        .withSchedulerName(templatePodSchedulerName != null ? templatePodSchedulerName : "default-scheduler")
                    .endSpec()
                .endTemplate()
                .withVolumeClaimTemplates(volumeClaims)
            .endSpec()
            .build();
}
Example #14
Source File: ModelUtilsTest.java From strimzi-kafka-operator with Apache License 2.0 | 4 votes |
/**
 * Checks that ModelUtils.parsePodTemplate copies every pod template setting into the model:
 * labels, annotations, termination grace period, image pull secrets, security context,
 * affinity and tolerations.
 */
@Test
public void testParsePodTemplate() {
    Kafka cluster = new KafkaBuilder()
            .withNewMetadata()
                .withName("my-cluster")
                .withNamespace("my-namespace")
            .endMetadata()
            .build();

    LocalObjectReference secret1 = new LocalObjectReference("some-pull-secret");
    LocalObjectReference secret2 = new LocalObjectReference("some-other-pull-secret");

    List<Toleration> tolerations = singletonList(new TolerationBuilder()
            .withEffect("NoExecute")
            .withKey("key1")
            .withOperator("Equal")
            .withValue("value1")
            .build());

    Affinity affinity = new AffinityBuilder()
            .withNewNodeAffinity()
                .withNewRequiredDuringSchedulingIgnoredDuringExecution()
                    .withNodeSelectorTerms(new NodeSelectorTermBuilder()
                            .addNewMatchExpression()
                                .withNewKey("key1")
                                .withNewOperator("In")
                                .withValues("value1", "value2")
                            .endMatchExpression()
                            .build())
                .endRequiredDuringSchedulingIgnoredDuringExecution()
            .endNodeAffinity()
            .build();

    // The security context uses a distinct value per field so a swapped ID is detected.
    PodTemplate podTemplate = new PodTemplateBuilder()
            .withNewMetadata()
                .withAnnotations(Collections.singletonMap("annoKey", "annoValue"))
                .withLabels(Collections.singletonMap("labelKey", "labelValue"))
            .endMetadata()
            .withSecurityContext(new PodSecurityContextBuilder()
                    .withFsGroup(123L)
                    .withRunAsGroup(456L)
                    .withRunAsUser(789L)
                    .build())
            .withImagePullSecrets(secret1, secret2)
            .withTerminationGracePeriodSeconds(123)
            .withAffinity(affinity)
            .withTolerations(tolerations)
            .build();

    Model model = new Model(cluster);
    ModelUtils.parsePodTemplate(model, podTemplate);

    assertThat(model.templatePodLabels, is(Collections.singletonMap("labelKey", "labelValue")));
    assertThat(model.templatePodAnnotations, is(Collections.singletonMap("annoKey", "annoValue")));
    assertThat(model.templateTerminationGracePeriodSeconds, is(123));
    assertThat(model.templateImagePullSecrets.size(), is(2));
    assertThat(model.templateImagePullSecrets.contains(secret1), is(true));
    assertThat(model.templateImagePullSecrets.contains(secret2), is(true));
    // The null check comes first so a missing context fails clearly rather than with an NPE.
    assertThat(model.templateSecurityContext, is(notNullValue()));
    assertThat(model.templateSecurityContext.getFsGroup(), is(123L));
    assertThat(model.templateSecurityContext.getRunAsGroup(), is(456L));
    assertThat(model.templateSecurityContext.getRunAsUser(), is(789L));
    assertThat(model.getUserAffinity(), is(affinity));
    assertThat(model.getTolerations(), is(tolerations));
}
Example #15
Source File: SecurityContextProvisioner.java From che with Eclipse Public License 2.0 | 4 votes |
/**
 * Sets the pod security context of the given pod spec to one built from this provisioner's
 * {@code runAsUser} and {@code fsGroup} fields.
 *
 * <p>Any security context already present on the spec is replaced, so settings such as a
 * previously configured runAsGroup are not carried over.
 *
 * @param podSpec pod spec to modify in place
 */
public void provision(PodSpec podSpec) {
    // NOTE(review): where runAsUser and fsGroup come from, and whether they are validated, is
    // not visible in this method; confirm at the point where the fields are assigned.
    podSpec.setSecurityContext(
            new PodSecurityContextBuilder()
                    .withRunAsUser(runAsUser)
                    .withFsGroup(fsGroup)
                    .build());
}