
Commit 7ae65b2

feat: add securityContext/containerSecurityContext to minioJob (#2122)
feat: add securityContext to minioJob
1 parent c6d57c4 commit 7ae65b2


7 files changed

+303
-9
lines changed


helm/operator/templates/job.min.io_jobs.yaml

Lines changed: 126 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
33
kind: CustomResourceDefinition
44
metadata:
55
annotations:
6-
controller-gen.kubebuilder.io/version: v0.14.0
6+
controller-gen.kubebuilder.io/version: v0.15.0
77
operator.min.io/version: v5.0.15
88
name: miniojobs.job.min.io
99
spec:
@@ -55,6 +55,67 @@ spec:
5555
- op
5656
type: object
5757
type: array
58+
containerSecurityContext:
59+
properties:
60+
allowPrivilegeEscalation:
61+
type: boolean
62+
capabilities:
63+
properties:
64+
add:
65+
items:
66+
type: string
67+
type: array
68+
drop:
69+
items:
70+
type: string
71+
type: array
72+
type: object
73+
privileged:
74+
type: boolean
75+
procMount:
76+
type: string
77+
readOnlyRootFilesystem:
78+
type: boolean
79+
runAsGroup:
80+
format: int64
81+
type: integer
82+
runAsNonRoot:
83+
type: boolean
84+
runAsUser:
85+
format: int64
86+
type: integer
87+
seLinuxOptions:
88+
properties:
89+
level:
90+
type: string
91+
role:
92+
type: string
93+
type:
94+
type: string
95+
user:
96+
type: string
97+
type: object
98+
seccompProfile:
99+
properties:
100+
localhostProfile:
101+
type: string
102+
type:
103+
type: string
104+
required:
105+
- type
106+
type: object
107+
windowsOptions:
108+
properties:
109+
gmsaCredentialSpec:
110+
type: string
111+
gmsaCredentialSpecName:
112+
type: string
113+
hostProcess:
114+
type: boolean
115+
runAsUserName:
116+
type: string
117+
type: object
118+
type: object
58119
execution:
59120
default: parallel
60121
enum:
@@ -70,6 +131,70 @@ spec:
70131
mcImage:
71132
default: minio/mc:latest
72133
type: string
134+
securityContext:
135+
properties:
136+
fsGroup:
137+
format: int64
138+
type: integer
139+
fsGroupChangePolicy:
140+
type: string
141+
runAsGroup:
142+
format: int64
143+
type: integer
144+
runAsNonRoot:
145+
type: boolean
146+
runAsUser:
147+
format: int64
148+
type: integer
149+
seLinuxOptions:
150+
properties:
151+
level:
152+
type: string
153+
role:
154+
type: string
155+
type:
156+
type: string
157+
user:
158+
type: string
159+
type: object
160+
seccompProfile:
161+
properties:
162+
localhostProfile:
163+
type: string
164+
type:
165+
type: string
166+
required:
167+
- type
168+
type: object
169+
supplementalGroups:
170+
items:
171+
format: int64
172+
type: integer
173+
type: array
174+
sysctls:
175+
items:
176+
properties:
177+
name:
178+
type: string
179+
value:
180+
type: string
181+
required:
182+
- name
183+
- value
184+
type: object
185+
type: array
186+
windowsOptions:
187+
properties:
188+
gmsaCredentialSpec:
189+
type: string
190+
gmsaCredentialSpecName:
191+
type: string
192+
hostProcess:
193+
type: boolean
194+
runAsUserName:
195+
type: string
196+
type: object
197+
type: object
73198
serviceAccountName:
74199
type: string
75200
tenant:

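--- a/helm/operator/templates/minio.min.io_tenants.yaml
+++ b/helm/operator/templates/minio.min.io_tenants.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
     operator.min.io/version: v5.0.15
   name: tenants.minio.min.io
 spec: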

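--- a/pkg/apis/job.min.io/v1alpha1/types.go
+++ b/pkg/apis/job.min.io/v1alpha1/types.go
@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -97,6 +98,33 @@ type MinIOJobSpec struct {
 	// +optional
 	// +kubebuilder:default="minio/mc:latest"
 	MCImage string `json:"mcImage,omitempty"`
+
+	// *Optional* +
+	//
+	// Specify the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] of pods in the pool. The Operator supports only the following pod security fields: +
+	//
+	// * `fsGroup` +
+	//
+	// * `fsGroupChangePolicy` +
+	//
+	// * `runAsGroup` +
+	//
+	// * `runAsNonRoot` +
+	//
+	// * `runAsUser` +
+	//
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+	// Specify the https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] of containers in the pool. The Operator supports only the following container security fields: +
+	//
+	// * `runAsGroup` +
+	//
+	// * `runAsNonRoot` +
+	//
+	// * `runAsUser` +
+	//
+	// +optional
+	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
 }
 
 // CommandSpec (`spec`) defines the configuration of a MinioClient Command.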
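Review bot: The comment on `ContainerSecurityContext` says the Operator supports only `runAsGroup`, `runAsNonRoot` and `runAsUser`, and the one on `SecurityContext` lists five pod fields, yet both fields are the full `corev1` structs and the regenerated CRD in this commit accepts every member of them (`privileged`, `allowPrivilegeEscalation`, `capabilities`, `procMount`, `sysctls`, `windowsOptions`), so the docs understate what a CR author can request. Either say what is actually honoured, e.g. `// The whole corev1.SecurityContext is copied onto the mc container as given; no field is filtered here.`, or keep the lists and enforce them where the Job is built. `ContainerSecurityContext` also lacks the `// *Optional* +` line its sibling carries, which matters if these comments feed the AsciiDoc API reference. MinIOJobSpec starts outside the hunk.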

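--- a/pkg/controller/job-controller.go
+++ b/pkg/controller/job-controller.go
@@ -219,10 +219,6 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
 		globalIntervalJobStatus.Delete(fmt.Sprintf("%s/%s", jobCR.Namespace, jobCR.Name))
 		return WrapResult(Result{}, nil)
 	}
-	intervalJob, err := checkMinIOJob(&jobCR)
-	if err != nil {
-		return WrapResult(Result{}, err)
-	}
 	// get tenant
 	tenant := &miniov2.Tenant{
 		ObjectMeta: metav1.ObjectMeta{
@@ -258,6 +254,10 @@ func (c *JobController) SyncHandler(key string) (Result, error) {
 	if !saFound {
 		return WrapResult(Result{}, fmt.Errorf("no serviceaccount found"))
 	}
+	intervalJob, err := checkMinIOJob(&jobCR)
+	if err != nil {
+		return WrapResult(Result{}, err)
+	}
 	err = intervalJob.CreateCommandJob(ctx, c.k8sClient)
 	if err != nil {
 		jobCR.Status.Phase = miniojob.MinioJobPhaseError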
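Review bot: Moving `intervalJob, err := checkMinIOJob(&jobCR)` below the ServiceAccount lookup means a MinIOJob with an invalid spec is now rejected only after the tenant and service-account reads, and when the SA is missing the spec error is hidden behind `no serviceaccount found`. checkMinIOJob still takes only `&jobCR`, so nothing visible in the hunk requires the later position; if the order is intentional, a one-line comment such as `// validate after the SA lookup: <reason>` would stop the next reader from moving it back. SyncHandler starts and ends outside the hunk.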

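--- a/pkg/utils/miniojob/types.go
+++ b/pkg/utils/miniojob/types.go
@@ -193,7 +193,23 @@ func (jobCommand *MinIOIntervalJobCommand) CreateJob(ctx context.Context, k8sCli
 							Value: "/var/run/secrets/kubernetes.io/serviceaccount/token",
 						},
 					},
-					Command: jobCommands,
+					Command:         jobCommands,
+					SecurityContext: jobCR.Spec.ContainerSecurityContext,
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "config-dir",
+							MountPath: "/.mc",
+						},
+					},
+				},
+			},
+			SecurityContext: jobCR.Spec.SecurityContext,
+			Volumes: []corev1.Volume{
+				{
+					Name: "config-dir",
+					VolumeSource: corev1.VolumeSource{
+						EmptyDir: &corev1.EmptyDirVolumeSource{},
+					},
 				},
 			},
 		},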
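Review bot: `SecurityContext: jobCR.Spec.ContainerSecurityContext` and `SecurityContext: jobCR.Spec.SecurityContext` hand the CR's structs to the Job verbatim, so a MinIOJob author can ask for `privileged`, `capabilities.add`, `procMount` or pod `sysctls` (all accepted by the new CRD schema) and the operator creates that pod under its own service account, even though the API comments list only the run-as fields as supported. Unless every target namespace enforces Pod Security Admission, creating a MinIOJob becomes a route to privileges the author may not hold directly, so a check like the one below, run before the Job is built (checkMinIOJob is the natural place), would close it while still allowing the hardening fields (`allowPrivilegeEscalation: false`, `capabilities.drop`, `seccompProfile`, `readOnlyRootFilesystem`) that restricted namespaces require. The `/.mc` emptyDir is presumably where mc writes its alias config, which carries credentials; if so, `EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}` keeps that file in tmpfs rather than on the node's disk. CreateJob starts and ends outside the hunk.
```go
// rejectPrivilegedSecurityContext refuses MinIOJob settings that would make the
// operator create a pod with more privilege than the documented run-as fields
// grant; call it before the batch Job is built (for example from checkMinIOJob).
func rejectPrivilegedSecurityContext(pod *corev1.PodSecurityContext, ctr *corev1.SecurityContext) error {
	if ctr != nil {
		if ctr.Privileged != nil && *ctr.Privileged {
			return fmt.Errorf("containerSecurityContext.privileged is not supported")
		}
		if ctr.Capabilities != nil && len(ctr.Capabilities.Add) > 0 {
			return fmt.Errorf("containerSecurityContext.capabilities.add is not supported")
		}
		if ctr.ProcMount != nil && *ctr.ProcMount != corev1.DefaultProcMount {
			return fmt.Errorf("containerSecurityContext.procMount %q is not supported", *ctr.ProcMount)
		}
	}
	if pod != nil && len(pod.Sysctls) > 0 {
		return fmt.Errorf("securityContext.sysctls is not supported")
	}
	return nil
}
```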

resources/base/crds/job.min.io_miniojobs.yaml

Lines changed: 126 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
33
kind: CustomResourceDefinition
44
metadata:
55
annotations:
6-
controller-gen.kubebuilder.io/version: v0.14.0
6+
controller-gen.kubebuilder.io/version: v0.15.0
77
operator.min.io/version: v5.0.15
88
name: miniojobs.job.min.io
99
spec:
@@ -55,6 +55,67 @@ spec:
5555
- op
5656
type: object
5757
type: array
58+
containerSecurityContext:
59+
properties:
60+
allowPrivilegeEscalation:
61+
type: boolean
62+
capabilities:
63+
properties:
64+
add:
65+
items:
66+
type: string
67+
type: array
68+
drop:
69+
items:
70+
type: string
71+
type: array
72+
type: object
73+
privileged:
74+
type: boolean
75+
procMount:
76+
type: string
77+
readOnlyRootFilesystem:
78+
type: boolean
79+
runAsGroup:
80+
format: int64
81+
type: integer
82+
runAsNonRoot:
83+
type: boolean
84+
runAsUser:
85+
format: int64
86+
type: integer
87+
seLinuxOptions:
88+
properties:
89+
level:
90+
type: string
91+
role:
92+
type: string
93+
type:
94+
type: string
95+
user:
96+
type: string
97+
type: object
98+
seccompProfile:
99+
properties:
100+
localhostProfile:
101+
type: string
102+
type:
103+
type: string
104+
required:
105+
- type
106+
type: object
107+
windowsOptions:
108+
properties:
109+
gmsaCredentialSpec:
110+
type: string
111+
gmsaCredentialSpecName:
112+
type: string
113+
hostProcess:
114+
type: boolean
115+
runAsUserName:
116+
type: string
117+
type: object
118+
type: object
58119
execution:
59120
default: parallel
60121
enum:
@@ -70,6 +131,70 @@ spec:
70131
mcImage:
71132
default: minio/mc:latest
72133
type: string
134+
securityContext:
135+
properties:
136+
fsGroup:
137+
format: int64
138+
type: integer
139+
fsGroupChangePolicy:
140+
type: string
141+
runAsGroup:
142+
format: int64
143+
type: integer
144+
runAsNonRoot:
145+
type: boolean
146+
runAsUser:
147+
format: int64
148+
type: integer
149+
seLinuxOptions:
150+
properties:
151+
level:
152+
type: string
153+
role:
154+
type: string
155+
type:
156+
type: string
157+
user:
158+
type: string
159+
type: object
160+
seccompProfile:
161+
properties:
162+
localhostProfile:
163+
type: string
164+
type:
165+
type: string
166+
required:
167+
- type
168+
type: object
169+
supplementalGroups:
170+
items:
171+
format: int64
172+
type: integer
173+
type: array
174+
sysctls:
175+
items:
176+
properties:
177+
name:
178+
type: string
179+
value:
180+
type: string
181+
required:
182+
- name
183+
- value
184+
type: object
185+
type: array
186+
windowsOptions:
187+
properties:
188+
gmsaCredentialSpec:
189+
type: string
190+
gmsaCredentialSpecName:
191+
type: string
192+
hostProcess:
193+
type: boolean
194+
runAsUserName:
195+
type: string
196+
type: object
197+
type: object
73198
serviceAccountName:
74199
type: string
75200
tenant:
