Externalise podSecurityContext.runAsUser and

2019-06-26 07:28:30 -04:00 · 2019-06-26 07:28:30 -04:00 · f17a4c5dce
parent 9285e294dd
commit f17a4c5dce
3 changed files with 17 additions and 11 deletions
--- a/deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml
+++ b/deploy/crds/jenkins_v1alpha2_jenkins_cr.yaml
@ -4,9 +4,14 @@ metadata:
  name: example
 spec:
  master:
+    securityContext:
+      runAsUser: 1001
    containers:
    - name: jenkins-master
      image: jenkins/jenkins:lts
+      command:
+      - bash
+      - "/var/jenkins/scripts/init.sh"
      imagePullPolicy: Always
      livenessProbe:
        failureThreshold: 12
--- a/pkg/apis/jenkins/v1alpha2/jenkins_types.go
+++ b/pkg/apis/jenkins/v1alpha2/jenkins_types.go
@ -155,6 +155,14 @@ type JenkinsMaster struct {
 	// +optional
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`

+
+	// SecurityContext that applies to all the containers of the Jenkins 
+	// Master. As per kubernetes specification, it can be overidden
+	// for each container individually.
+	// +optional
+	// Defaults to: nil
+        SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+
 	// List of containers belonging to the pod.
 	// Containers cannot currently be added or removed.
 	// There must be at least one container in a Pod.
--- a/pkg/controller/jenkins/configuration/base/resources/pod.go
+++ b/pkg/controller/jenkins/configuration/base/resources/pod.go
@ -202,12 +202,9 @@ func NewJenkinsMasterContainer(jenkins *v1alpha2.Jenkins) corev1.Container {
 		Name:            JenkinsMasterContainerName,
 		Image:           jenkinsContainer.Image,
 		ImagePullPolicy: jenkinsContainer.ImagePullPolicy,
-		/*Command: []string{
-			"bash",
-			fmt.Sprintf("%s/%s", jenkinsScriptsVolumePath, initScriptName),
-		},*/
-		LivenessProbe:  jenkinsContainer.LivenessProbe,
-		ReadinessProbe: jenkinsContainer.ReadinessProbe,
+		Command:         jenkinsContainer.Command,
+		LivenessProbe:   jenkinsContainer.LivenessProbe,
+		ReadinessProbe:  jenkinsContainer.ReadinessProbe,
 		Ports: []corev1.ContainerPort{
 			{
 				Name:          httpPortName,
@ -264,7 +261,6 @@ func GetJenkinsMasterPodName(jenkins v1alpha2.Jenkins) string {

 // NewJenkinsMasterPod builds Jenkins Master Kubernetes Pod resource
 func NewJenkinsMasterPod(objectMeta metav1.ObjectMeta, jenkins *v1alpha2.Jenkins) *corev1.Pod {
-	runAsUser := jenkinsUserUID

 	serviceAccountName := objectMeta.Name
 	objectMeta.Annotations = jenkins.Spec.Master.Annotations
@ -276,10 +272,7 @@ func NewJenkinsMasterPod(objectMeta metav1.ObjectMeta, jenkins *v1alpha2.Jenkins
 		Spec: corev1.PodSpec{
 			ServiceAccountName: serviceAccountName,
 			RestartPolicy:      corev1.RestartPolicyNever,
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsUser:  &runAsUser,
-				RunAsGroup: &runAsUser,
-			},
+			SecurityContext: jenkins.Spec.Master.SecurityContext,
 			NodeSelector: jenkins.Spec.Master.NodeSelector,
 			Containers:   newContainers(jenkins),
 			Volumes:      append(GetJenkinsMasterPodBaseVolumes(jenkins), jenkins.Spec.Master.Volumes...),