From f17a4c5dcee863f0603e6d89e1d9139bb20faf4a Mon Sep 17 00:00:00 2001 From: Akram Ben Aissi Date: Wed, 26 Jun 2019 07:28:30 -0400 Subject: [PATCH] Externalise podSecurityContext.runAsUser and --- deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml | 5 +++++ pkg/apis/jenkins/v1alpha2/jenkins_types.go | 8 ++++++++ .../jenkins/configuration/base/resources/pod.go | 15 ++++----------- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml b/deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml index 51277624..8cfab62f 100644 --- a/deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml +++ b/deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml @@ -4,9 +4,14 @@ metadata: name: example spec: master: + securityContext: + runAsUser: 1001 containers: - name: jenkins-master image: jenkins/jenkins:lts + command: + - bash + - "/var/jenkins/scripts/init.sh" imagePullPolicy: Always livenessProbe: failureThreshold: 12 diff --git a/pkg/apis/jenkins/v1alpha2/jenkins_types.go b/pkg/apis/jenkins/v1alpha2/jenkins_types.go index a428c1f5..7f6dc21c 100644 --- a/pkg/apis/jenkins/v1alpha2/jenkins_types.go +++ b/pkg/apis/jenkins/v1alpha2/jenkins_types.go @@ -155,6 +155,14 @@ type JenkinsMaster struct { // +optional NodeSelector map[string]string `json:"nodeSelector,omitempty"` + + // SecurityContext that applies to all the containers of the Jenkins + // Master. As per kubernetes specification, it can be overidden + // for each container individually. + // +optional + // Defaults to: nil + SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"` + // List of containers belonging to the pod. // Containers cannot currently be added or removed. // There must be at least one container in a Pod. diff --git a/pkg/controller/jenkins/configuration/base/resources/pod.go b/pkg/controller/jenkins/configuration/base/resources/pod.go index 889e4fd0..6fa87d22 100644 --- a/pkg/controller/jenkins/configuration/base/resources/pod.go 
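Review bot: The doc comment on the new `SecurityContext` field of `JenkinsMaster` (jenkins_types.go hunk) does not say what a nil value means for the pod, and `Defaults to: nil` sits below the `+optional` marker, where it reads like a second marker. This field decides which user the master runs as, so I would state it explicitly, e.g. `// When nil, no pod-level security context is set and the containers run as the user defined by their image.`, move the default above `+optional`, and fix the typo `overidden` to `overridden`. The diffstat lists only three files, so the generated deep-copy code for this type was apparently not regenerated. Until it is, copies of a `JenkinsMaster` would presumably share one `*corev1.PodSecurityContext`. The struct begins and ends outside the hunk.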
+++ b/pkg/controller/jenkins/configuration/base/resources/pod.go @@ -202,12 +202,9 @@ func NewJenkinsMasterContainer(jenkins *v1alpha2.Jenkins) corev1.Container { Name: JenkinsMasterContainerName, Image: jenkinsContainer.Image, ImagePullPolicy: jenkinsContainer.ImagePullPolicy, - /*Command: []string{ - "bash", - fmt.Sprintf("%s/%s", jenkinsScriptsVolumePath, initScriptName), - },*/ - LivenessProbe: jenkinsContainer.LivenessProbe, - ReadinessProbe: jenkinsContainer.ReadinessProbe, + Command: jenkinsContainer.Command, + LivenessProbe: jenkinsContainer.LivenessProbe, + ReadinessProbe: jenkinsContainer.ReadinessProbe, Ports: []corev1.ContainerPort{ { Name: httpPortName, @@ -264,7 +261,6 @@ func GetJenkinsMasterPodName(jenkins v1alpha2.Jenkins) string { // NewJenkinsMasterPod builds Jenkins Master Kubernetes Pod resource func NewJenkinsMasterPod(objectMeta metav1.ObjectMeta, jenkins *v1alpha2.Jenkins) *corev1.Pod { - runAsUser := jenkinsUserUID serviceAccountName := objectMeta.Name objectMeta.Annotations = jenkins.Spec.Master.Annotations @@ -276,10 +272,7 @@ func NewJenkinsMasterPod(objectMeta metav1.ObjectMeta, jenkins *v1alpha2.Jenkins Spec: corev1.PodSpec{ ServiceAccountName: serviceAccountName, RestartPolicy: corev1.RestartPolicyNever, - SecurityContext: &corev1.PodSecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsUser, - }, + SecurityContext: jenkins.Spec.Master.SecurityContext, NodeSelector: jenkins.Spec.Master.NodeSelector, Containers: newContainers(jenkins), Volumes: append(GetJenkinsMasterPodBaseVolumes(jenkins), jenkins.Spec.Master.Volumes...),
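Review bot: In `NewJenkinsMasterContainer`, `Command: jenkinsContainer.Command,` is copied from the CR with no fallback, so a CR that omits `command` starts the master with the image's own entrypoint and the init script shown in the example CR is not run. The example CR hard-codes `/var/jenkins/scripts/init.sh`, while the removed comment built that path from `jenkinsScriptsVolumePath` and `initScriptName`, so the two can drift apart. I would either default an empty command to that pair or reject it in validation, and add a comment such as `// Command comes from the CR; when empty the image entrypoint is used.` The function body continues outside the hunk.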
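Review bot: `SecurityContext: jenkins.Spec.Master.SecurityContext,` in `NewJenkinsMasterPod` drops the previously fixed `RunAsUser`/`RunAsGroup`, so a CR without `securityContext` (the field is documented as defaulting to nil) now yields a pod with no pod-level user or group, and the master runs as whatever user the image declares, which may be root. The example CR sets only `runAsUser: 1001`, so the group that used to be pinned is no longer set even when the example is followed. I would keep the old values as the fallback when the field is nil, as sketched below; this assumes the `jenkinsUserUID` constant is still defined in the package after the hunk at -264 removed its only visible use. The function begins in the previous hunk and ends outside this one.

```go
// Fall back to the previous fixed UID/GID when the CR sets no pod security context.
securityContext := jenkins.Spec.Master.SecurityContext
if securityContext == nil {
	uid := jenkinsUserUID
	securityContext = &corev1.PodSecurityContext{RunAsUser: &uid, RunAsGroup: &uid}
}
// … unchanged: objectMeta setup and pod literal up to Spec …
			SecurityContext: securityContext,
```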