Posted to commits@camel.apache.org by ts...@apache.org on 2022/06/06 02:55:48 UTC

[camel-k] 01/02: feat: add basic support for PodSecurityContext

This is an automated email from the ASF dual-hosted git repository.

tsato pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit f3908876831e1f1b4e08097b4ed6ecbd1f0d74bc
Author: Adriano Machado <unknown>
AuthorDate: Fri Jun 3 19:17:34 2022 -0400

    feat: add basic support for PodSecurityContext
---
 .../crd/bases/camel.apache.org_integrations.yaml   | 168 ++++++++++++++++++++
 .../bases/camel.apache.org_kameletbindings.yaml    | 172 +++++++++++++++++++++
 .../attachments/schema/integration-schema.json     | 105 ++++++++++++-
 docs/modules/ROOT/partials/apis/camel-k-crds.adoc  |  10 +-
 docs/modules/ROOT/partials/apis/crds-html.adoc     |  13 ++
 .../files/template-with-supplemental-groups.yaml   |  25 +++
 e2e/common/traits/pod_test.go                      |  75 ++++++---
 helm/camel-k/crds/crd-integration.yaml             | 168 ++++++++++++++++++++
 helm/camel-k/crds/crd-kamelet-binding.yaml         | 172 +++++++++++++++++++++
 pkg/apis/camel/v1/integration_types.go             |   2 +
 pkg/apis/camel/v1/zz_generated.deepcopy.go         |   1 +
 pkg/cmd/run_test.go                                |  33 ++++
 .../integration/integration_controller.go          |   2 +-
 pkg/resources/resources.go                         |  29 ++--
 pkg/trait/pod_test.go                              |  15 ++
 15 files changed, 956 insertions(+), 34 deletions(-)

diff --git a/config/crd/bases/camel.apache.org_integrations.yaml b/config/crd/bases/camel.apache.org_integrations.yaml
index 8714e2b7b..764a2e332 100644
--- a/config/crd/bases/camel.apache.org_integrations.yaml
+++ b/config/crd/bases/camel.apache.org_integrations.yaml
@@ -3958,6 +3958,174 @@ spec:
                       restartPolicy:
                         description: RestartPolicy
                         type: string
+                      securityContext:
+                        description: PodSecurityContext
+                        properties:
+                          fsGroup:
+                            description: "A special supplemental group that applies
+                              to all containers in a pod. Some volume types allow
+                              the Kubelet to change the ownership of that volume to
+                              be owned by the pod: \n 1. The owning GID will be the
+                              FSGroup 2. The setgid bit is set (new files created
+                              in the volume will be owned by FSGroup) 3. The permission
+                              bits are OR'd with rw-rw---- \n If unset, the Kubelet
+                              will not modify the ownership and permissions of any
+                              volume."
+                            format: int64
+                            type: integer
+                          fsGroupChangePolicy:
+                            description: 'fsGroupChangePolicy defines behavior of
+                              changing ownership and permission of the volume before
+                              being exposed inside Pod. This field will only apply
+                              to volume types which support fsGroup based ownership(and
+                              permissions). It will have no effect on ephemeral volume
+                              types such as: secret, configmaps and emptydir. Valid
+                              values are "OnRootMismatch" and "Always". If not specified,
+                              "Always" is used.'
+                            type: string
+                          runAsGroup:
+                            description: The GID to run the entrypoint of the container
+                              process. Uses runtime default if unset. May also be
+                              set in SecurityContext.  If set in both SecurityContext
+                              and PodSecurityContext, the value specified in SecurityContext
+                              takes precedence for that container.
+                            format: int64
+                            type: integer
+                          runAsNonRoot:
+                            description: Indicates that the container must run as
+                              a non-root user. If true, the Kubelet will validate
+                              the image at runtime to ensure that it does not run
+                              as UID 0 (root) and fail to start the container if it
+                              does. If unset or false, no such validation will be
+                              performed. May also be set in SecurityContext.  If set
+                              in both SecurityContext and PodSecurityContext, the
+                              value specified in SecurityContext takes precedence.
+                            type: boolean
+                          runAsUser:
+                            description: The UID to run the entrypoint of the container
+                              process. Defaults to user specified in image metadata
+                              if unspecified. May also be set in SecurityContext.  If
+                              set in both SecurityContext and PodSecurityContext,
+                              the value specified in SecurityContext takes precedence
+                              for that container.
+                            format: int64
+                            type: integer
+                          seLinuxOptions:
+                            description: The SELinux context to be applied to all
+                              containers. If unspecified, the container runtime will
+                              allocate a random SELinux context for each container.  May
+                              also be set in SecurityContext.  If set in both SecurityContext
+                              and PodSecurityContext, the value specified in SecurityContext
+                              takes precedence for that container.
+                            properties:
+                              level:
+                                description: Level is SELinux level label that applies
+                                  to the container.
+                                type: string
+                              role:
+                                description: Role is a SELinux role label that applies
+                                  to the container.
+                                type: string
+                              type:
+                                description: Type is a SELinux type label that applies
+                                  to the container.
+                                type: string
+                              user:
+                                description: User is a SELinux user label that applies
+                                  to the container.
+                                type: string
+                            type: object
+                          seccompProfile:
+                            description: The seccomp options to use by the containers
+                              in this pod.
+                            properties:
+                              localhostProfile:
+                                description: localhostProfile indicates a profile
+                                  defined in a file on the node should be used. The
+                                  profile must be preconfigured on the node to work.
+                                  Must be a descending path, relative to the kubelet's
+                                  configured seccomp profile location. Must only be
+                                  set if type is "Localhost".
+                                type: string
+                              type:
+                                description: "type indicates which kind of seccomp
+                                  profile will be applied. Valid options are: \n Localhost
+                                  - a profile defined in a file on the node should
+                                  be used. RuntimeDefault - the container runtime
+                                  default profile should be used. Unconfined - no
+                                  profile should be applied."
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          supplementalGroups:
+                            description: A list of groups applied to the first process
+                              run in each container, in addition to the container's
+                              primary GID.  If unspecified, no groups will be added
+                              to any container.
+                            items:
+                              format: int64
+                              type: integer
+                            type: array
+                          sysctls:
+                            description: Sysctls hold a list of namespaced sysctls
+                              used for the pod. Pods with unsupported sysctls (by
+                              the container runtime) might fail to launch.
+                            items:
+                              description: Sysctl defines a kernel parameter to be
+                                set
+                              properties:
+                                name:
+                                  description: Name of a property to set
+                                  type: string
+                                value:
+                                  description: Value of a property to set
+                                  type: string
+                              required:
+                              - name
+                              - value
+                              type: object
+                            type: array
+                          windowsOptions:
+                            description: The Windows specific settings applied to
+                              all containers. If unspecified, the options within a
+                              container's SecurityContext will be used. If set in
+                              both SecurityContext and PodSecurityContext, the value
+                              specified in SecurityContext takes precedence.
+                            properties:
+                              gmsaCredentialSpec:
+                                description: GMSACredentialSpec is where the GMSA
+                                  admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
+                                  inlines the contents of the GMSA credential spec
+                                  named by the GMSACredentialSpecName field.
+                                type: string
+                              gmsaCredentialSpecName:
+                                description: GMSACredentialSpecName is the name of
+                                  the GMSA credential spec to use.
+                                type: string
+                              hostProcess:
+                                description: HostProcess determines if a container
+                                  should be run as a 'Host Process' container. This
+                                  field is alpha-level and will only be honored by
+                                  components that enable the WindowsHostProcessContainers
+                                  feature flag. Setting this field without the feature
+                                  flag will result in errors when validating the Pod.
+                                  All of a Pod's containers must have the same effective
+                                  HostProcess value (it is not allowed to have a mix
+                                  of HostProcess containers and non-HostProcess containers).  In
+                                  addition, if HostProcess is true then HostNetwork
+                                  must also be set to true.
+                                type: boolean
+                              runAsUserName:
+                                description: The UserName in Windows to run the entrypoint
+                                  of the container process. Defaults to the user specified
+                                  in image metadata if unspecified. May also be set
+                                  in PodSecurityContext. If set in both SecurityContext
+                                  and PodSecurityContext, the value specified in SecurityContext
+                                  takes precedence.
+                                type: string
+                            type: object
+                        type: object
                       terminationGracePeriodSeconds:
                         description: TerminationGracePeriodSeconds
                         format: int64
diff --git a/config/crd/bases/camel.apache.org_kameletbindings.yaml b/config/crd/bases/camel.apache.org_kameletbindings.yaml
index 186bf6e91..549e42c83 100644
--- a/config/crd/bases/camel.apache.org_kameletbindings.yaml
+++ b/config/crd/bases/camel.apache.org_kameletbindings.yaml
@@ -4150,6 +4150,178 @@ spec:
                           restartPolicy:
                             description: RestartPolicy
                             type: string
+                          securityContext:
+                            description: PodSecurityContext
+                            properties:
+                              fsGroup:
+                                description: "A special supplemental group that applies
+                                  to all containers in a pod. Some volume types allow
+                                  the Kubelet to change the ownership of that volume
+                                  to be owned by the pod: \n 1. The owning GID will
+                                  be the FSGroup 2. The setgid bit is set (new files
+                                  created in the volume will be owned by FSGroup)
+                                  3. The permission bits are OR'd with rw-rw---- \n
+                                  If unset, the Kubelet will not modify the ownership
+                                  and permissions of any volume."
+                                format: int64
+                                type: integer
+                              fsGroupChangePolicy:
+                                description: 'fsGroupChangePolicy defines behavior
+                                  of changing ownership and permission of the volume
+                                  before being exposed inside Pod. This field will
+                                  only apply to volume types which support fsGroup
+                                  based ownership(and permissions). It will have no
+                                  effect on ephemeral volume types such as: secret,
+                                  configmaps and emptydir. Valid values are "OnRootMismatch"
+                                  and "Always". If not specified, "Always" is used.'
+                                type: string
+                              runAsGroup:
+                                description: The GID to run the entrypoint of the
+                                  container process. Uses runtime default if unset.
+                                  May also be set in SecurityContext.  If set in both
+                                  SecurityContext and PodSecurityContext, the value
+                                  specified in SecurityContext takes precedence for
+                                  that container.
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                description: Indicates that the container must run
+                                  as a non-root user. If true, the Kubelet will validate
+                                  the image at runtime to ensure that it does not
+                                  run as UID 0 (root) and fail to start the container
+                                  if it does. If unset or false, no such validation
+                                  will be performed. May also be set in SecurityContext.  If
+                                  set in both SecurityContext and PodSecurityContext,
+                                  the value specified in SecurityContext takes precedence.
+                                type: boolean
+                              runAsUser:
+                                description: The UID to run the entrypoint of the
+                                  container process. Defaults to user specified in
+                                  image metadata if unspecified. May also be set in
+                                  SecurityContext.  If set in both SecurityContext
+                                  and PodSecurityContext, the value specified in SecurityContext
+                                  takes precedence for that container.
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                description: The SELinux context to be applied to
+                                  all containers. If unspecified, the container runtime
+                                  will allocate a random SELinux context for each
+                                  container.  May also be set in SecurityContext.  If
+                                  set in both SecurityContext and PodSecurityContext,
+                                  the value specified in SecurityContext takes precedence
+                                  for that container.
+                                properties:
+                                  level:
+                                    description: Level is SELinux level label that
+                                      applies to the container.
+                                    type: string
+                                  role:
+                                    description: Role is a SELinux role label that
+                                      applies to the container.
+                                    type: string
+                                  type:
+                                    description: Type is a SELinux type label that
+                                      applies to the container.
+                                    type: string
+                                  user:
+                                    description: User is a SELinux user label that
+                                      applies to the container.
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                description: The seccomp options to use by the containers
+                                  in this pod.
+                                properties:
+                                  localhostProfile:
+                                    description: localhostProfile indicates a profile
+                                      defined in a file on the node should be used.
+                                      The profile must be preconfigured on the node
+                                      to work. Must be a descending path, relative
+                                      to the kubelet's configured seccomp profile
+                                      location. Must only be set if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: "type indicates which kind of seccomp
+                                      profile will be applied. Valid options are:
+                                      \n Localhost - a profile defined in a file on
+                                      the node should be used. RuntimeDefault - the
+                                      container runtime default profile should be
+                                      used. Unconfined - no profile should be applied."
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              supplementalGroups:
+                                description: A list of groups applied to the first
+                                  process run in each container, in addition to the
+                                  container's primary GID.  If unspecified, no groups
+                                  will be added to any container.
+                                items:
+                                  format: int64
+                                  type: integer
+                                type: array
+                              sysctls:
+                                description: Sysctls hold a list of namespaced sysctls
+                                  used for the pod. Pods with unsupported sysctls
+                                  (by the container runtime) might fail to launch.
+                                items:
+                                  description: Sysctl defines a kernel parameter to
+                                    be set
+                                  properties:
+                                    name:
+                                      description: Name of a property to set
+                                      type: string
+                                    value:
+                                      description: Value of a property to set
+                                      type: string
+                                  required:
+                                  - name
+                                  - value
+                                  type: object
+                                type: array
+                              windowsOptions:
+                                description: The Windows specific settings applied
+                                  to all containers. If unspecified, the options within
+                                  a container's SecurityContext will be used. If set
+                                  in both SecurityContext and PodSecurityContext,
+                                  the value specified in SecurityContext takes precedence.
+                                properties:
+                                  gmsaCredentialSpec:
+                                    description: GMSACredentialSpec is where the GMSA
+                                      admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
+                                      inlines the contents of the GMSA credential
+                                      spec named by the GMSACredentialSpecName field.
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    description: GMSACredentialSpecName is the name
+                                      of the GMSA credential spec to use.
+                                    type: string
+                                  hostProcess:
+                                    description: HostProcess determines if a container
+                                      should be run as a 'Host Process' container.
+                                      This field is alpha-level and will only be honored
+                                      by components that enable the WindowsHostProcessContainers
+                                      feature flag. Setting this field without the
+                                      feature flag will result in errors when validating
+                                      the Pod. All of a Pod's containers must have
+                                      the same effective HostProcess value (it is
+                                      not allowed to have a mix of HostProcess containers
+                                      and non-HostProcess containers).  In addition,
+                                      if HostProcess is true then HostNetwork must
+                                      also be set to true.
+                                    type: boolean
+                                  runAsUserName:
+                                    description: The UserName in Windows to run the
+                                      entrypoint of the container process. Defaults
+                                      to the user specified in image metadata if unspecified.
+                                      May also be set in PodSecurityContext. If set
+                                      in both SecurityContext and PodSecurityContext,
+                                      the value specified in SecurityContext takes
+                                      precedence.
+                                    type: string
+                                type: object
+                            type: object
                           terminationGracePeriodSeconds:
                             description: TerminationGracePeriodSeconds
                             format: int64
diff --git a/docs/modules/ROOT/attachments/schema/integration-schema.json b/docs/modules/ROOT/attachments/schema/integration-schema.json
index 186329956..c1117d555 100644
--- a/docs/modules/ROOT/attachments/schema/integration-schema.json
+++ b/docs/modules/ROOT/attachments/schema/integration-schema.json
@@ -3392,6 +3392,109 @@
                   "description": "RestartPolicy describes how the container should be restarted. Only one of the following restart policies may be specified. If none of the following policies is specified, the default one is RestartPolicyAlways.",
                   "type": "string"
                 },
+                "securityContext": {
+                  "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
+                  "properties": {
+                    "fsGroup": {
+                      "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.",
+                      "format": "int64",
+                      "type": "integer"
+                    },
+                    "fsGroupChangePolicy": {
+                      "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified defaults to \"Always\".",
+                      "type": "string"
+                    },
+                    "runAsGroup": {
+                      "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+                      "format": "int64",
+                      "type": "integer"
+                    },
+                    "runAsNonRoot": {
+                      "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+                      "type": "boolean"
+                    },
+                    "runAsUser": {
+                      "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+                      "format": "int64",
+                      "type": "integer"
+                    },
+                    "seLinuxOptions": {
+                      "description": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+                      "properties": {
+                        "level": {
+                          "description": "Level is SELinux level label that applies to the container.",
+                          "type": "string"
+                        },
+                        "role": {
+                          "description": "Role is a SELinux role label that applies to the container.",
+                          "type": "string"
+                        },
+                        "type": {
+                          "description": "Type is a SELinux type label that applies to the container.",
+                          "type": "string"
+                        },
+                        "user": {
+                          "description": "User is a SELinux user label that applies to the container.",
+                          "type": "string"
+                        }
+                      },
+                      "type": "object"
+                    },
+                    "supplementalGroups": {
+                      "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.",
+                      "items": {
+                        "format": "int64",
+                        "type": "integer"
+                      },
+                      "type": "array"
+                    },
+                    "sysctls": {
+                      "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.",
+                      "items": {
+                        "description": "Sysctl defines a kernel parameter to be set",
+                        "properties": {
+                          "name": {
+                            "description": "Name of a property to set",
+                            "type": "string"
+                          },
+                          "value": {
+                            "description": "Value of a property to set",
+                            "type": "string"
+                          }
+                        },
+                        "required": [
+                          "name",
+                          "value"
+                        ],
+                        "type": "object"
+                      },
+                      "type": "array"
+                    },
+                    "windowsOptions": {
+                      "description": "The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+                      "properties": {
+                        "gmsaCredentialSpec": {
+                          "description": "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.",
+                          "type": "string"
+                        },
+                        "gmsaCredentialSpecName": {
+                          "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.",
+                          "type": "string"
+                        },
+                        "hostProcess": {
+                          "description": "HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess  [...]
+                          "type": "boolean"
+                        },
+                        "runAsUserName": {
+                          "description": "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+                          "type": "string"
+                        }
+                      },
+                      "type": "object"
+                    }
+                  },
+                  "type": "object"
+                },
                 "serviceAccount": {
                   "type": "string"
                 },
@@ -9269,4 +9372,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/docs/modules/ROOT/partials/apis/camel-k-crds.adoc b/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
index 3b66ff844..445c66379 100644
--- a/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
+++ b/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
@@ -2478,6 +2478,14 @@ NodeSelector
 TopologySpreadConstraints
 
 
+|`securityContext` +
+*https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core[[\]Kubernetes core/v1.PodSecurityContext]*
+|
+
+
+PodSecurityContext
+
+
 |===
 
 [#_camel_apache_org_v1_PodSpecTemplate]
@@ -3188,4 +3196,4 @@ Selects a key of a ConfigMap.
 Selects a key of a secret.
 
 
-|===
\ No newline at end of file
+|===
diff --git a/docs/modules/ROOT/partials/apis/crds-html.adoc b/docs/modules/ROOT/partials/apis/crds-html.adoc
index 8c91fbb64..3a4dadc90 100644
--- a/docs/modules/ROOT/partials/apis/crds-html.adoc
+++ b/docs/modules/ROOT/partials/apis/crds-html.adoc
@@ -3910,6 +3910,19 @@ map[string]string
 <td>
 </td>
 </tr>
+<tr>
+<td>
+<code>securityContext</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core">
+[]Kubernetes core/v1.PodSecurityContext
+</a>
+</em>
+</td>
+<td>
+PodSecurityContext
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="camel.apache.org/v1.PodSpecTemplate">PodSpecTemplate
diff --git a/e2e/common/traits/files/template-with-supplemental-groups.yaml b/e2e/common/traits/files/template-with-supplemental-groups.yaml
new file mode 100644
index 000000000..fdb1c034b
--- /dev/null
+++ b/e2e/common/traits/files/template-with-supplemental-groups.yaml
@@ -0,0 +1,25 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+containers:
+  - name: integration
+    env:
+      - name: TEST_VARIABLE
+        value: "hello from the template"
+securityContext:
+  supplementalGroups:
+    - 666
diff --git a/e2e/common/traits/pod_test.go b/e2e/common/traits/pod_test.go
index 1fa802505..9fe447090 100644
--- a/e2e/common/traits/pod_test.go
+++ b/e2e/common/traits/pod_test.go
@@ -34,27 +34,64 @@ import (
 )
 
 func TestPodTrait(t *testing.T) {
+
+	tc := []struct {
+		name         string
+		templateName string
+		assertions   func(t *testing.T, ns string, name string)
+	}{
+		{
+			name:         "pod trait with env vars and volume mounts",
+			templateName: "files/template.yaml",
+			assertions: func(t *testing.T, ns string, name string) {
+				// check that integrations is working and reading data created by sidecar container
+				Eventually(IntegrationLogs(ns, name), TestTimeoutShort).Should(ContainSubstring("Content from the sidecar container"))
+				// check that env var is injected
+				Eventually(IntegrationLogs(ns, name), TestTimeoutShort).Should(ContainSubstring("hello from the template"))
+				pod := IntegrationPod(ns, name)()
+
+				// check if ENV variable is applied
+				envValue := getEnvVar("TEST_VARIABLE", pod.Spec)
+				Expect(envValue).To(Equal("hello from the template"))
+			},
+		},
+		{
+			name:         "pod trait with supplemental groups",
+			templateName: "files/template-with-supplemental-groups.yaml",
+			assertions: func(t *testing.T, ns string, name string) {
+				pod := IntegrationPod(ns, name)()
+				Expect(pod.Spec).NotTo(BeNil())
+				Expect(pod.Spec.SecurityContext).NotTo(BeNil())
+				Expect(pod.Spec.SecurityContext.SupplementalGroups).NotTo(BeNil())
+				Expect(pod.Spec.SecurityContext.SupplementalGroups).Should(ContainElements(int64(666)))
+			},
+		},
+	}
+
 	WithNewTestNamespace(t, func(ns string) {
-		name := "pod-template-test"
 		Expect(Kamel("install", "-n", ns).Execute()).To(Succeed())
-		Expect(Kamel("run", "-n", ns, "files/PodTest.groovy",
-			"--name", name,
-			"--pod-template", "files/template.yaml",
-		).Execute()).To(Succeed())
-
-		// check integration is deployed
-		Eventually(IntegrationPodPhase(ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))
-		Eventually(IntegrationConditionStatus(ns, name, v1.IntegrationConditionReady), TestTimeoutShort).Should(Equal(corev1.ConditionTrue))
-
-		// check that integrations is working and reading data created by sidecar container
-		Eventually(IntegrationLogs(ns, name), TestTimeoutShort).Should(ContainSubstring("Content from the sidecar container"))
-		// check that env var is injected
-		Eventually(IntegrationLogs(ns, name), TestTimeoutShort).Should(ContainSubstring("hello from the template"))
-		pod := IntegrationPod(ns, name)()
-
-		// check if ENV variable is applied
-		envValue := getEnvVar("TEST_VARIABLE", pod.Spec)
-		Expect(envValue).To(Equal("hello from the template"))
+
+		name := "pod-template-test"
+
+		for i := range tc {
+			test := tc[i]
+
+			t.Run(test.name, func(t *testing.T) {
+				Expect(Kamel("run", "-n", ns, "files/PodTest.groovy",
+					"--name", name,
+					"--pod-template", test.templateName,
+				).Execute()).To(Succeed())
+
+				// check integration is deployed
+				Eventually(IntegrationPodPhase(ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))
+				Eventually(IntegrationConditionStatus(ns, name, v1.IntegrationConditionReady), TestTimeoutShort).Should(Equal(corev1.ConditionTrue))
+
+				test.assertions(t, ns, name)
+
+				// Clean up
+				Expect(Kamel("delete", "--all", "-n", ns).Execute()).To(Succeed())
+			})
+		}
 	})
 }
 
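Review bot: The cleanup `Expect(Kamel("delete", "--all", "-n", ns).Execute()).To(Succeed())` at the end of each subtest only runs when every preceding Expect passed, so a failing assertion leaves the integration named `pod-template-test` behind and the next subtest's `kamel run --name pod-template-test` with a different template operates on that stale integration. Registering it up front with `t.Cleanup(func() { Expect(Kamel("delete", "--all", "-n", ns).Execute()).To(Succeed()) })` as the first statement of the `t.Run` body makes each case self-contained regardless of outcome. In the supplemental-groups case, `Expect(pod.Spec).NotTo(BeNil())` is always true for a struct value, while a nil result from `IntegrationPod(ns, name)()` would already panic on `pod.Spec`; `Expect(pod).NotTo(BeNil())` before touching `pod.Spec` is the check that carries information. Whether a failed Expect aborts the subtest or only marks it depends on how the Gomega failure handler is registered in this package, which is outside the hunk.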
diff --git a/helm/camel-k/crds/crd-integration.yaml b/helm/camel-k/crds/crd-integration.yaml
index 8714e2b7b..764a2e332 100644
--- a/helm/camel-k/crds/crd-integration.yaml
+++ b/helm/camel-k/crds/crd-integration.yaml
@@ -3958,6 +3958,174 @@ spec:
                       restartPolicy:
                         description: RestartPolicy
                         type: string
+                      securityContext:
+                        description: PodSecurityContext
+                        properties:
+                          fsGroup:
+                            description: "A special supplemental group that applies
+                              to all containers in a pod. Some volume types allow
+                              the Kubelet to change the ownership of that volume to
+                              be owned by the pod: \n 1. The owning GID will be the
+                              FSGroup 2. The setgid bit is set (new files created
+                              in the volume will be owned by FSGroup) 3. The permission
+                              bits are OR'd with rw-rw---- \n If unset, the Kubelet
+                              will not modify the ownership and permissions of any
+                              volume."
+                            format: int64
+                            type: integer
+                          fsGroupChangePolicy:
+                            description: 'fsGroupChangePolicy defines behavior of
+                              changing ownership and permission of the volume before
+                              being exposed inside Pod. This field will only apply
+                              to volume types which support fsGroup based ownership(and
+                              permissions). It will have no effect on ephemeral volume
+                              types such as: secret, configmaps and emptydir. Valid
+                              values are "OnRootMismatch" and "Always". If not specified,
+                              "Always" is used.'
+                            type: string
+                          runAsGroup:
+                            description: The GID to run the entrypoint of the container
+                              process. Uses runtime default if unset. May also be
+                              set in SecurityContext.  If set in both SecurityContext
+                              and PodSecurityContext, the value specified in SecurityContext
+                              takes precedence for that container.
+                            format: int64
+                            type: integer
+                          runAsNonRoot:
+                            description: Indicates that the container must run as
+                              a non-root user. If true, the Kubelet will validate
+                              the image at runtime to ensure that it does not run
+                              as UID 0 (root) and fail to start the container if it
+                              does. If unset or false, no such validation will be
+                              performed. May also be set in SecurityContext.  If set
+                              in both SecurityContext and PodSecurityContext, the
+                              value specified in SecurityContext takes precedence.
+                            type: boolean
+                          runAsUser:
+                            description: The UID to run the entrypoint of the container
+                              process. Defaults to user specified in image metadata
+                              if unspecified. May also be set in SecurityContext.  If
+                              set in both SecurityContext and PodSecurityContext,
+                              the value specified in SecurityContext takes precedence
+                              for that container.
+                            format: int64
+                            type: integer
+                          seLinuxOptions:
+                            description: The SELinux context to be applied to all
+                              containers. If unspecified, the container runtime will
+                              allocate a random SELinux context for each container.  May
+                              also be set in SecurityContext.  If set in both SecurityContext
+                              and PodSecurityContext, the value specified in SecurityContext
+                              takes precedence for that container.
+                            properties:
+                              level:
+                                description: Level is SELinux level label that applies
+                                  to the container.
+                                type: string
+                              role:
+                                description: Role is a SELinux role label that applies
+                                  to the container.
+                                type: string
+                              type:
+                                description: Type is a SELinux type label that applies
+                                  to the container.
+                                type: string
+                              user:
+                                description: User is a SELinux user label that applies
+                                  to the container.
+                                type: string
+                            type: object
+                          seccompProfile:
+                            description: The seccomp options to use by the containers
+                              in this pod.
+                            properties:
+                              localhostProfile:
+                                description: localhostProfile indicates a profile
+                                  defined in a file on the node should be used. The
+                                  profile must be preconfigured on the node to work.
+                                  Must be a descending path, relative to the kubelet's
+                                  configured seccomp profile location. Must only be
+                                  set if type is "Localhost".
+                                type: string
+                              type:
+                                description: "type indicates which kind of seccomp
+                                  profile will be applied. Valid options are: \n Localhost
+                                  - a profile defined in a file on the node should
+                                  be used. RuntimeDefault - the container runtime
+                                  default profile should be used. Unconfined - no
+                                  profile should be applied."
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          supplementalGroups:
+                            description: A list of groups applied to the first process
+                              run in each container, in addition to the container's
+                              primary GID.  If unspecified, no groups will be added
+                              to any container.
+                            items:
+                              format: int64
+                              type: integer
+                            type: array
+                          sysctls:
+                            description: Sysctls hold a list of namespaced sysctls
+                              used for the pod. Pods with unsupported sysctls (by
+                              the container runtime) might fail to launch.
+                            items:
+                              description: Sysctl defines a kernel parameter to be
+                                set
+                              properties:
+                                name:
+                                  description: Name of a property to set
+                                  type: string
+                                value:
+                                  description: Value of a property to set
+                                  type: string
+                              required:
+                              - name
+                              - value
+                              type: object
+                            type: array
+                          windowsOptions:
+                            description: The Windows specific settings applied to
+                              all containers. If unspecified, the options within a
+                              container's SecurityContext will be used. If set in
+                              both SecurityContext and PodSecurityContext, the value
+                              specified in SecurityContext takes precedence.
+                            properties:
+                              gmsaCredentialSpec:
+                                description: GMSACredentialSpec is where the GMSA
+                                  admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
+                                  inlines the contents of the GMSA credential spec
+                                  named by the GMSACredentialSpecName field.
+                                type: string
+                              gmsaCredentialSpecName:
+                                description: GMSACredentialSpecName is the name of
+                                  the GMSA credential spec to use.
+                                type: string
+                              hostProcess:
+                                description: HostProcess determines if a container
+                                  should be run as a 'Host Process' container. This
+                                  field is alpha-level and will only be honored by
+                                  components that enable the WindowsHostProcessContainers
+                                  feature flag. Setting this field without the feature
+                                  flag will result in errors when validating the Pod.
+                                  All of a Pod's containers must have the same effective
+                                  HostProcess value (it is not allowed to have a mix
+                                  of HostProcess containers and non-HostProcess containers).  In
+                                  addition, if HostProcess is true then HostNetwork
+                                  must also be set to true.
+                                type: boolean
+                              runAsUserName:
+                                description: The UserName in Windows to run the entrypoint
+                                  of the container process. Defaults to the user specified
+                                  in image metadata if unspecified. May also be set
+                                  in PodSecurityContext. If set in both SecurityContext
+                                  and PodSecurityContext, the value specified in SecurityContext
+                                  takes precedence.
+                                type: string
+                            type: object
+                        type: object
                       terminationGracePeriodSeconds:
                         description: TerminationGracePeriodSeconds
                         format: int64
diff --git a/helm/camel-k/crds/crd-kamelet-binding.yaml b/helm/camel-k/crds/crd-kamelet-binding.yaml
index 186bf6e91..549e42c83 100644
--- a/helm/camel-k/crds/crd-kamelet-binding.yaml
+++ b/helm/camel-k/crds/crd-kamelet-binding.yaml
@@ -4150,6 +4150,178 @@ spec:
                           restartPolicy:
                             description: RestartPolicy
                             type: string
+                          securityContext:
+                            description: PodSecurityContext
+                            properties:
+                              fsGroup:
+                                description: "A special supplemental group that applies
+                                  to all containers in a pod. Some volume types allow
+                                  the Kubelet to change the ownership of that volume
+                                  to be owned by the pod: \n 1. The owning GID will
+                                  be the FSGroup 2. The setgid bit is set (new files
+                                  created in the volume will be owned by FSGroup)
+                                  3. The permission bits are OR'd with rw-rw---- \n
+                                  If unset, the Kubelet will not modify the ownership
+                                  and permissions of any volume."
+                                format: int64
+                                type: integer
+                              fsGroupChangePolicy:
+                                description: 'fsGroupChangePolicy defines behavior
+                                  of changing ownership and permission of the volume
+                                  before being exposed inside Pod. This field will
+                                  only apply to volume types which support fsGroup
+                                  based ownership(and permissions). It will have no
+                                  effect on ephemeral volume types such as: secret,
+                                  configmaps and emptydir. Valid values are "OnRootMismatch"
+                                  and "Always". If not specified, "Always" is used.'
+                                type: string
+                              runAsGroup:
+                                description: The GID to run the entrypoint of the
+                                  container process. Uses runtime default if unset.
+                                  May also be set in SecurityContext.  If set in both
+                                  SecurityContext and PodSecurityContext, the value
+                                  specified in SecurityContext takes precedence for
+                                  that container.
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                description: Indicates that the container must run
+                                  as a non-root user. If true, the Kubelet will validate
+                                  the image at runtime to ensure that it does not
+                                  run as UID 0 (root) and fail to start the container
+                                  if it does. If unset or false, no such validation
+                                  will be performed. May also be set in SecurityContext.  If
+                                  set in both SecurityContext and PodSecurityContext,
+                                  the value specified in SecurityContext takes precedence.
+                                type: boolean
+                              runAsUser:
+                                description: The UID to run the entrypoint of the
+                                  container process. Defaults to user specified in
+                                  image metadata if unspecified. May also be set in
+                                  SecurityContext.  If set in both SecurityContext
+                                  and PodSecurityContext, the value specified in SecurityContext
+                                  takes precedence for that container.
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                description: The SELinux context to be applied to
+                                  all containers. If unspecified, the container runtime
+                                  will allocate a random SELinux context for each
+                                  container.  May also be set in SecurityContext.  If
+                                  set in both SecurityContext and PodSecurityContext,
+                                  the value specified in SecurityContext takes precedence
+                                  for that container.
+                                properties:
+                                  level:
+                                    description: Level is SELinux level label that
+                                      applies to the container.
+                                    type: string
+                                  role:
+                                    description: Role is a SELinux role label that
+                                      applies to the container.
+                                    type: string
+                                  type:
+                                    description: Type is a SELinux type label that
+                                      applies to the container.
+                                    type: string
+                                  user:
+                                    description: User is a SELinux user label that
+                                      applies to the container.
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                description: The seccomp options to use by the containers
+                                  in this pod.
+                                properties:
+                                  localhostProfile:
+                                    description: localhostProfile indicates a profile
+                                      defined in a file on the node should be used.
+                                      The profile must be preconfigured on the node
+                                      to work. Must be a descending path, relative
+                                      to the kubelet's configured seccomp profile
+                                      location. Must only be set if type is "Localhost".
+                                    type: string
+                                  type:
+                                    description: "type indicates which kind of seccomp
+                                      profile will be applied. Valid options are:
+                                      \n Localhost - a profile defined in a file on
+                                      the node should be used. RuntimeDefault - the
+                                      container runtime default profile should be
+                                      used. Unconfined - no profile should be applied."
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              supplementalGroups:
+                                description: A list of groups applied to the first
+                                  process run in each container, in addition to the
+                                  container's primary GID.  If unspecified, no groups
+                                  will be added to any container.
+                                items:
+                                  format: int64
+                                  type: integer
+                                type: array
+                              sysctls:
+                                description: Sysctls hold a list of namespaced sysctls
+                                  used for the pod. Pods with unsupported sysctls
+                                  (by the container runtime) might fail to launch.
+                                items:
+                                  description: Sysctl defines a kernel parameter to
+                                    be set
+                                  properties:
+                                    name:
+                                      description: Name of a property to set
+                                      type: string
+                                    value:
+                                      description: Value of a property to set
+                                      type: string
+                                  required:
+                                  - name
+                                  - value
+                                  type: object
+                                type: array
+                              windowsOptions:
+                                description: The Windows specific settings applied
+                                  to all containers. If unspecified, the options within
+                                  a container's SecurityContext will be used. If set
+                                  in both SecurityContext and PodSecurityContext,
+                                  the value specified in SecurityContext takes precedence.
+                                properties:
+                                  gmsaCredentialSpec:
+                                    description: GMSACredentialSpec is where the GMSA
+                                      admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
+                                      inlines the contents of the GMSA credential
+                                      spec named by the GMSACredentialSpecName field.
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    description: GMSACredentialSpecName is the name
+                                      of the GMSA credential spec to use.
+                                    type: string
+                                  hostProcess:
+                                    description: HostProcess determines if a container
+                                      should be run as a 'Host Process' container.
+                                      This field is alpha-level and will only be honored
+                                      by components that enable the WindowsHostProcessContainers
+                                      feature flag. Setting this field without the
+                                      feature flag will result in errors when validating
+                                      the Pod. All of a Pod's containers must have
+                                      the same effective HostProcess value (it is
+                                      not allowed to have a mix of HostProcess containers
+                                      and non-HostProcess containers).  In addition,
+                                      if HostProcess is true then HostNetwork must
+                                      also be set to true.
+                                    type: boolean
+                                  runAsUserName:
+                                    description: The UserName in Windows to run the
+                                      entrypoint of the container process. Defaults
+                                      to the user specified in image metadata if unspecified.
+                                      May also be set in PodSecurityContext. If set
+                                      in both SecurityContext and PodSecurityContext,
+                                      the value specified in SecurityContext takes
+                                      precedence.
+                                    type: string
+                                type: object
+                            type: object
                           terminationGracePeriodSeconds:
                             description: TerminationGracePeriodSeconds
                             format: int64
diff --git a/pkg/apis/camel/v1/integration_types.go b/pkg/apis/camel/v1/integration_types.go
index 210ada47b..9cafb294f 100644
--- a/pkg/apis/camel/v1/integration_types.go
+++ b/pkg/apis/camel/v1/integration_types.go
@@ -297,4 +297,6 @@ type PodSpec struct {
 	NodeSelector map[string]string `json:"nodeSelector,omitempty" protobuf:"bytes,7,rep,name=nodeSelector"`
 	// TopologySpreadConstraints
 	TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty" patchStrategy:"merge" patchMergeKey:"topologyKey" protobuf:"bytes,33,opt,name=topologySpreadConstraints"`
+	// PodSecurityContext
+	SecurityContext corev1.PodSecurityContext `json:"securityContext,omitempty" protobuf:"bytes,34,opt,name=securityContext"`
 }
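Review bot: `SecurityContext` is declared as a struct value (`corev1.PodSecurityContext`) with `omitempty`, but encoding/json never omits a struct value, so every serialized PodSpec will carry `securityContext: {}` even when the pod template did not set one; upstream `corev1.PodSpec` declares this field as `*corev1.PodSecurityContext` for that reason. Changing the type to `*corev1.PodSecurityContext` (keeping the existing json and protobuf tags) makes omission meaningful and lets the code that merges the template into the pod (not in this chunk) distinguish "not set" from "set to an empty context"; the generated `in.SecurityContext.DeepCopyInto(&out.SecurityContext)` in pkg/apis/camel/v1/zz_generated.deepcopy.go would then need the nil guard used for the other pointer fields. The field comment `// PodSecurityContext` only repeats the type name; a sentence such as `// SecurityContext holds the pod-level security settings (runAsUser, fsGroup, seccomp profile, ...) applied to the integration pod.` would document what it controls.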
diff --git a/pkg/apis/camel/v1/zz_generated.deepcopy.go b/pkg/apis/camel/v1/zz_generated.deepcopy.go
index e787e152d..f01175b95 100644
--- a/pkg/apis/camel/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/camel/v1/zz_generated.deepcopy.go
@@ -1381,6 +1381,7 @@ func (in *PodSpec) DeepCopyInto(out *PodSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	in.SecurityContext.DeepCopyInto(&out.SecurityContext)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSpec.
diff --git a/pkg/cmd/run_test.go b/pkg/cmd/run_test.go
index be71a8425..5e386c62e 100644
--- a/pkg/cmd/run_test.go
+++ b/pkg/cmd/run_test.go
@@ -677,3 +677,36 @@ func TestMissingTrait(t *testing.T) {
 	assert.Equal(t, "Error: bogus.fail=i-must-fail is not a valid trait property\n", output)
 	assert.NotNil(t, err)
 }
+
+func TestResolveYamlPodTemplateWithSupplementalGroups(t *testing.T) {
+	_, rootCmd, _ := initializeRunCmdOptions(t)
+	templateText := `
+securityContext:
+  supplementalGroups:
+    - 666
+`
+	integrationSpec := v1.IntegrationSpec{}
+	err := resolvePodTemplate(context.TODO(), rootCmd, templateText, &integrationSpec)
+	assert.Nil(t, err)
+	assert.NotNil(t, integrationSpec.PodTemplate)
+	assert.NotNil(t, integrationSpec.PodTemplate.Spec)
+	assert.NotNil(t, integrationSpec.PodTemplate.Spec.SecurityContext)
+	assert.NotNil(t, integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups)
+	assert.Equal(t, 1, len(integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups))
+	assert.Contains(t, integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups, int64(666))
+}
+
+func TestResolveJsonPodTemplateWithSupplementalGroups(t *testing.T) {
+	_, rootCmd, _ := initializeRunCmdOptions(t)
+	minifiedYamlTemplate := `{"securityContext":{"supplementalGroups":[666]}}`
+
+	integrationSpec := v1.IntegrationSpec{}
+	err := resolvePodTemplate(context.TODO(), rootCmd, minifiedYamlTemplate, &integrationSpec)
+	assert.Nil(t, err)
+	assert.NotNil(t, integrationSpec.PodTemplate)
+	assert.NotNil(t, integrationSpec.PodTemplate.Spec)
+	assert.NotNil(t, integrationSpec.PodTemplate.Spec.SecurityContext)
+	assert.NotNil(t, integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups)
+	assert.Equal(t, 1, len(integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups))
+	assert.Contains(t, integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups, int64(666))
+}
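Review bot: The `assert.NotNil(t, integrationSpec.PodTemplate.Spec.SecurityContext)` checks in both new tests are vacuous if `SecurityContext` is a value-typed struct, which is how the `integration_types.go` hunk in this commit declares it, and the following `NotNil` / `Equal(t, 1, len(...))` / `Contains` trio spends three lines on one fact; `assert.Equal(t, []int64{666}, integrationSpec.PodTemplate.Spec.SecurityContext.SupplementalGroups)` pins the exact parsed value in a single assertion that fails on nil, on extra entries and on a wrong GID. The two tests differ only in the template text, so a table-driven test over `{"yaml", templateText}` and `{"json", minifiedYamlTemplate}` with one shared body would remove the duplication. The `assert.NotNil(t, integrationSpec.PodTemplate.Spec)` line is similarly vacuous if `PodTemplate.Spec` is a struct value — worth confirming against the type, which is outside this hunk.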
diff --git a/pkg/controller/integration/integration_controller.go b/pkg/controller/integration/integration_controller.go
index a4d2b7392..572d2ef9a 100644
--- a/pkg/controller/integration/integration_controller.go
+++ b/pkg/controller/integration/integration_controller.go
@@ -253,7 +253,7 @@ type reconcileIntegration struct {
 	recorder record.EventRecorder
 }
 
-// Reconcile reads that state of the cluster for a Integration object and makes changes based on the state read
+// Reconcile reads that state of the cluster for an Integration object and makes changes based on the state read
 // and what is in the Integration.Spec
 // Note:
 // The Controller will requeue the Request to be processed again if the returned error is non-nil or
diff --git a/pkg/resources/resources.go b/pkg/resources/resources.go
index 0a59b9df2..0edb90bff 100644
--- a/pkg/resources/resources.go
+++ b/pkg/resources/resources.go
@@ -114,12 +114,16 @@ var assets = func() http.FileSystem {
 			name:    "bases",
 			modTime: time.Time{},
 		},
+		"/crd/bases/cache": &vfsgen۰DirInfo{
+			name:    "cache",
+			modTime: time.Time{},
+		},
 		"/crd/bases/camel.apache.org_builds.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_builds.yaml",
 			modTime:          time.Time{},
-			uncompressedSize: 40381,
+			uncompressedSize: 40596,
 
-			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x3d\x6b\x73\x1b\x39\x72\xdf\xf5\x2b\xba\x56\x1f\x2c\x57\x89\xe4\xee\xde\x23\x1b\xa5\x52\x29\x9e\xbc\xbe\x53\xfc\x90\x62\x6a\x7d\x77\xdf\x04\xce\x34\x49\x1c\x67\x80\x09\x80\x11\xcd\x4b\xe5\xbf\xa7\xd0\x00\x86\x43\x72\x1e\x18\x3d\xec\xcb\xad\xf0\xc5\xd6\x10\x68\x34\x1a\x8d\x7e\xa1\x01\x9c\xc2\xe8\xe9\xca\xc9\x29\xbc\xe7\x09\x0a\x8d\x29\x18\x09\x66\x85\x30\x2d\x58\xb2\x42\x98\xc9\x85\xd9\x30\x85\xf0\x56\x96\x22\x65\x [...]
+			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x3d\x6b\x73\xe3\x38\x72\xdf\xfd\x2b\xba\xd6\x1f\xc6\x53\x65\x49\xbb\x7b\x8f\x6c\x9c\x4a\xa5\x74\x9e\x9d\x3d\x67\x1e\x76\x46\xde\xb9\xbb\x6f\x86\xc8\x96\x84\x13\x09\x30\x00\x68\x8d\x2e\x95\xff\x9e\x42\x03\xa0\x28\x89\x0f\xd0\x8f\x99\xcb\x9d\xf1\x65\xc6\x14\xd8\xe8\x6e\x34\xfa\x85\x06\x78\x0a\xa3\xa7\x6b\x27\xa7\xf0\x9e\x27\x28\x34\xa6\x60\x24\x98\x15\xc2\xb4\x60\xc9\x0a\x61\x26\x17\x66\xc3\x14\xc2\x5b\x59\x8a\x94\x [...]
 		},
 		"/crd/bases/camel.apache.org_camelcatalogs.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_camelcatalogs.yaml",
@@ -131,37 +135,37 @@ var assets = func() http.FileSystem {
 		"/crd/bases/camel.apache.org_integrationkits.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_integrationkits.yaml",
 			modTime:          time.Time{},
-			uncompressedSize: 10779,
+			uncompressedSize: 11003,
 
-			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xc4\x5a\xdf\x8f\xda\x48\xf2\x7f\xe7\xaf\x28\x65\x1e\x76\x22\x81\x67\xf3\xfd\x4a\xa7\x13\xf7\xc4\x4d\x92\x5b\x94\x64\x66\x14\xc8\xae\x56\xca\xc3\x14\x76\x61\x3a\xd8\xdd\xbe\xee\x36\x0c\x77\xba\xff\xfd\x54\xd5\x36\x18\xb0\x81\x63\x13\xad\x9f\x06\x77\x77\xd5\xa7\x7e\x57\x97\xe7\x06\x06\xdf\xef\xe9\xdd\xc0\x47\x15\x93\x76\x94\x80\x37\xe0\x17\x04\xa3\x02\xe3\x05\xc1\xc4\xcc\xfd\x1a\x2d\xc1\x7b\x53\xea\x04\xbd\x32\x1a\x6e\x [...]
+			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xc4\x5a\x5f\x8f\xda\x48\x12\x7f\xe7\x53\x94\xc2\xc3\x4e\x24\xf0\x6c\xee\x4e\xab\x13\xf7\xc4\x4d\x92\x5d\x34\xc9\xcc\x28\x90\x5d\xad\x94\x87\x29\xec\xc2\x74\xb0\xbb\x7d\xdd\x6d\x18\xee\x74\xdf\xfd\x54\xdd\x6e\x30\x60\x83\x8f\x4d\xb4\x7e\x1a\xdc\xdd\x55\xbf\xfa\x5f\x5d\x9e\x3e\x0c\xbf\xdd\xd3\xeb\xc3\x07\x11\x93\x34\x94\x80\x55\x60\x97\x04\xe3\x02\xe3\x25\xc1\x54\x2d\xec\x06\x35\xc1\x7b\x55\xca\x04\xad\x50\x12\x6e\xc6\x [...]
 		},
 		"/crd/bases/camel.apache.org_integrationplatforms.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_integrationplatforms.yaml",
 			modTime:          time.Time{},
-			uncompressedSize: 33300,
+			uncompressedSize: 33529,
 
-			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x5d\x5f\x73\xe3\x38\x72\x7f\xd7\xa7\xe8\x5a\x3f\xcc\x6c\x95\x44\xed\xe6\x72\xc9\x45\xa9\x54\x4a\xa7\xf1\xec\x39\x9e\xb1\x1d\x4b\x33\x9b\x7b\x5a\x43\x64\x8b\xc4\x19\x04\x18\x00\x94\x46\x97\xca\x77\x4f\xe1\x0f\x29\x4a\xe2\x3f\x79\x3c\x9b\xad\x2d\xf2\x61\xd7\x23\x02\x8d\x46\x77\xe3\xd7\xdd\x00\xba\x78\x05\x93\xd7\x7b\x46\x57\xf0\x81\x86\xc8\x15\x46\xa0\x05\xe8\x04\x61\x9e\x91\x30\x41\x58\x8a\x8d\xde\x11\x89\xf0\x5e\x [...]
+			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x5d\xdd\x73\xe3\x38\x72\x7f\xd7\x5f\xd1\xb5\x7e\x98\xd9\x2a\x89\xda\xcd\x7d\xe4\xa2\x54\x2a\xa5\xd3\x78\xf6\x1c\xcf\xd8\x8e\xa5\x99\xcd\x3d\xad\x21\xb2\x45\xe2\x0c\x02\x0c\x00\x4a\xa3\x4b\xe5\x7f\x4f\xe1\x83\x14\x25\xf1\x4b\x1e\xcf\x65\x6b\x8b\x7c\xd8\xf5\x88\x40\xa3\xd1\xdd\xe8\xfe\x35\x80\x2e\x5e\xc1\xe4\xf5\x9e\xd1\x15\x7c\xa0\x21\x72\x85\x11\x68\x01\x3a\x41\x98\x67\x24\x4c\x10\x96\x62\xa3\x77\x44\x22\xbc\x17\x [...]
 		},
 		"/crd/bases/camel.apache.org_integrations.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_integrations.yaml",
 			modTime:          time.Time{},
-			uncompressedSize: 391718,
+			uncompressedSize: 402860,
 
-			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\xbd\x7b\x73\x1b\x37\xf6\x28\xf8\xbf\x3f\x05\x4a\x49\x5d\x49\x13\x91\xb2\x33\x73\x53\xbf\xf1\x4e\xdd\x94\x46\x92\x13\x6d\x6c\x99\x65\x29\xc9\x4d\x39\x9e\x04\xec\x06\x49\x5c\x35\x81\x1e\x00\x4d\x89\xbf\xf5\x7e\xf7\x2d\x1c\x00\xfd\xe0\xab\x0f\x5a\xa2\xe3\xcc\x36\xa6\x6a\x62\x52\xec\xd3\x78\x1c\x9c\xf7\xe3\x0b\x32\x78\xba\xf1\xec\x0b\xf2\x9a\x27\x4c\x68\x96\x12\x23\x89\x99\x31\x72\x96\xd3\x64\xc6\xc8\x8d\x9c\x98\x7b\x [...]
+			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\xbd\x7b\x73\x1b\x37\xf6\x28\xf8\xbf\x3f\x05\x4a\x49\x5d\x49\x13\x91\xb2\x33\x73\x53\xbf\xf1\x4e\xdd\x94\x46\x92\x13\x6d\x6c\x99\x65\x29\xc9\x4d\x39\x9e\x04\xec\x06\x49\x5c\x35\x81\x1e\x00\x4d\x89\xbf\xf5\x7e\xf7\x2d\x1c\x00\xfd\xe0\xab\x0f\x5a\xa2\xe3\xcc\x36\xa6\x6a\x62\x52\xec\xd3\x78\x1c\x9c\xf7\xe3\x0b\x32\x78\xba\xf1\xec\x0b\xf2\x9a\x27\x4c\x68\x96\x12\x23\x89\x99\x31\x72\x96\xd3\x64\xc6\xc8\x8d\x9c\x98\x7b\x [...]
 		},
 		"/crd/bases/camel.apache.org_kameletbindings.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_kameletbindings.yaml",
 			modTime:          time.Time{},
-			uncompressedSize: 458195,
+			uncompressedSize: 470156,
 
-			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\xfd\xfd\x73\x1b\x37\xb2\x2f\x8c\xff\xee\xbf\x02\x25\xa7\xae\xa4\x13\x92\xb2\xb3\xbb\xa9\xb3\xfe\x6e\xdd\x94\x56\x96\x13\x7d\x63\xcb\x2c\x4b\x71\x6e\xca\xc9\x49\xc0\x19\x90\xc4\xd5\x10\x98\x05\x30\x94\xb8\x8f\x9f\xff\xfd\x29\x34\x80\x79\xe1\x9b\xd0\x43\x51\x51\x36\x83\x53\x75\x36\x92\x35\x3d\x18\x00\xdd\xe8\xee\x4f\xbf\x3c\x27\xfd\x87\x1b\xcf\x9e\x93\xb7\x3c\x61\x42\xb3\x94\x18\x49\xcc\x94\x91\xd3\x9c\x26\x53\x46\x [...]
+			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\xfd\xfd\x73\x1b\x37\xb2\x2f\x8c\xff\xee\xbf\x02\x25\xa7\xae\xa4\x13\x92\xb2\xb3\xbb\xa9\xb3\xfe\x6e\xdd\x94\x56\x96\x13\x7d\x63\xcb\x2c\x4b\x71\x6e\xca\xc9\x49\xc0\x19\x90\xc4\xd5\x10\x98\x05\x30\x94\xb8\x8f\x9f\xff\xfd\x29\x34\x80\x79\xe1\x9b\xd0\x43\x51\x51\x36\x83\x53\x75\x36\x92\x35\x3d\x18\x00\xdd\xe8\xee\x4f\xbf\x3c\x27\xfd\x87\x1b\xcf\x9e\x93\xb7\x3c\x61\x42\xb3\x94\x18\x49\xcc\x94\x91\xd3\x9c\x26\x53\x46\x [...]
 		},
 		"/crd/bases/camel.apache.org_kamelets.yaml": &vfsgen۰CompressedFileInfo{
 			name:             "camel.apache.org_kamelets.yaml",
 			modTime:          time.Time{},
-			uncompressedSize: 25705,
+			uncompressedSize: 25922,
 
-			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x5c\xff\x4f\xe3\x3a\xb6\xff\xbd\x7f\xc5\x11\x5c\x69\x18\x89\x94\x96\x02\x77\xa6\xef\x87\x11\x17\x66\x76\xfb\x2e\x17\x10\x85\xdd\x77\x1f\xcc\x4a\x6e\x72\xda\xfa\x92\xd8\x59\xdb\xa1\x74\x2f\xfc\xef\x4f\xb6\x93\x34\xa5\x4d\xe2\x96\xc2\x8e\x9e\xd6\xd2\x68\x48\x63\x1f\x9f\x6f\x3e\x3e\xb6\x3f\xce\x36\x78\x9b\x2b\x8d\x6d\x38\xa3\x3e\x32\x89\x01\x28\x0e\x6a\x8c\x70\x1c\x13\x7f\x8c\xd0\xe7\x43\x35\x21\x02\xe1\x1b\x4f\x58\x [...]
+			compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x7c\x6f\x53\xe3\x38\xb6\xf7\xfb\x7c\x8a\x53\x30\x55\x4d\x57\xe1\x90\x10\x60\xba\xf3\xbc\xe8\x62\xa0\x7b\x36\xcf\x30\x40\x11\xd8\xbd\x73\xa1\xb7\x4a\xb1\x4f\x12\x0d\xb6\xe4\x95\x64\x42\x76\xe0\xbb\xdf\x92\x64\x3b\x0e\x89\x6d\x25\x04\xb6\xeb\xd6\x55\x55\x57\xe3\x58\x3a\x3a\xff\x74\x74\x24\xfd\xe4\x6d\xf0\x36\x57\x1a\xdb\x70\x46\x7d\x64\x12\x03\x50\x1c\xd4\x18\xe1\x38\x26\xfe\x18\xa1\xcf\x87\x6a\x42\x04\xc2\x37\x9e\x [...]
 		},
 		"/manager": &vfsgen۰DirInfo{
 			name:    "manager",
@@ -627,6 +631,7 @@ var assets = func() http.FileSystem {
 		fs["/crd/bases"].(os.FileInfo),
 	}
 	fs["/crd/bases"].(*vfsgen۰DirInfo).entries = []os.FileInfo{
+		fs["/crd/bases/cache"].(os.FileInfo),
 		fs["/crd/bases/camel.apache.org_builds.yaml"].(os.FileInfo),
 		fs["/crd/bases/camel.apache.org_camelcatalogs.yaml"].(os.FileInfo),
 		fs["/crd/bases/camel.apache.org_integrationkits.yaml"].(os.FileInfo),
diff --git a/pkg/trait/pod_test.go b/pkg/trait/pod_test.go
index 3df6ae2b0..871840d69 100755
--- a/pkg/trait/pod_test.go
+++ b/pkg/trait/pod_test.go
@@ -87,6 +87,18 @@ func TestChangeEnvVariables(t *testing.T) {
 	assert.Equal(t, containsEnvVariables(templateSpec, "integration", "CAMEL_K_DIGEST"), "new_value")
 }
 
+func TestSupplementalGroup(t *testing.T) {
+	templateString := "{containers: [], securityContext: {supplementalGroups: [666]}}}"
+
+	templateSpec := testPodTemplateSpec(t, templateString)
+
+	// Check if securityContext was added
+	assert.NotNil(t, templateSpec.Spec)
+	assert.NotNil(t, templateSpec.Spec.SecurityContext)
+	assert.NotNil(t, templateSpec.Spec.SecurityContext.SupplementalGroups)
+	assert.Contains(t, templateSpec.Spec.SecurityContext.SupplementalGroups, int64(666))
+}
+
 // nolint: unparam
 func createPodTest(podSpecTemplate string) (*podTrait, *Environment, *appsv1.Deployment) {
 	trait, _ := newPodTrait().(*podTrait)
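Review bot: The template literal in `TestSupplementalGroup` has unbalanced braces — two `{` but three `}` — so it is not well-formed YAML/JSON flow syntax; if `testPodTemplateSpec` surfaces parse errors the test fails, and if it swallows them the assertions pass against whatever was parsed before the stray brace, which makes the test's value hard to judge. Replace it with `templateString := "{containers: [], securityContext: {supplementalGroups: [666]}}"`. `assert.NotNil(t, templateSpec.Spec)` is vacuous if `Spec` is a struct value (as it is on `corev1.PodTemplateSpec`), whereas the `SecurityContext` and `SupplementalGroups` checks do carry weight because those are nil-able. `testPodTemplateSpec` is defined outside the hunk, so how it handles parse errors cannot be confirmed here.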
@@ -138,6 +150,9 @@ func createPodTest(podSpecTemplate string) (*podTrait, *Environment, *appsv1.Dep
 							},
 						},
 					},
+					SecurityContext: &corev1.PodSecurityContext{
+						SupplementalGroups: []int64{666},
+					},
 				},
 			},
 		},