Posted to commits@airflow.apache.org by po...@apache.org on 2022/09/09 01:16:39 UTC

[airflow] branch main updated: feat(KubernetesPodOperator): Add support of container_security_context (#25530)

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 4b26c8c541 feat(KubernetesPodOperator): Add support of container_security_context (#25530)
4b26c8c541 is described below

commit 4b26c8c541a720044fa96475620fc70f3ac6ccab
Author: yyvess <yy...@gmail.com>
AuthorDate: Fri Sep 9 03:16:30 2022 +0200

    feat(KubernetesPodOperator): Add support of container_security_context (#25530)
---
 .../cncf/kubernetes/operators/kubernetes_pod.py    |  4 +++
 kubernetes_tests/test_kubernetes_pod_operator.py   | 36 ++++++++++++++--------
 .../kubernetes/operators/test_kubernetes_pod.py    | 36 ++++++++++++++++++++++
 3 files changed, 64 insertions(+), 12 deletions(-)

diff --git a/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py b/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py
index d474687113..7edb982fde 100644
--- a/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py
+++ b/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py
@@ -129,6 +129,7 @@ class KubernetesPodOperator(BaseOperator):
     :param hostnetwork: If True enable host networking on the pod.
     :param tolerations: A list of kubernetes tolerations.
     :param security_context: security options the pod should run with (PodSecurityContext).
+    :param container_security_context: security options the container should run with.
     :param dnspolicy: dnspolicy for the pod.
     :param schedulername: Specify a schedulername for the pod
     :param full_pod_spec: The complete podSpec
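Review bot: The new `:param container_security_context:` entry does not name the underlying type the way the line above does for the pod-level field (`(PodSecurityContext)`), and it does not say what happens when the argument is omitted. I would write it as `:param container_security_context: security options the container should run with (SecurityContext); left unset when None.` so a reader knows it maps to the container's `securityContext` and that no hardening is applied by default. The enclosing class docstring starts outside the hunk.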
@@ -199,6 +200,7 @@ class KubernetesPodOperator(BaseOperator):
         hostnetwork: bool = False,
         tolerations: Optional[List[k8s.V1Toleration]] = None,
         security_context: Optional[Dict] = None,
+        container_security_context: Optional[Dict] = None,
         dnspolicy: Optional[str] = None,
         schedulername: Optional[str] = None,
         full_pod_spec: Optional[k8s.V1Pod] = None,
@@ -270,6 +272,7 @@ class KubernetesPodOperator(BaseOperator):
             [convert_toleration(toleration) for toleration in tolerations] if tolerations else []
         )
         self.security_context = security_context or {}
+        self.container_security_context = container_security_context
         self.dnspolicy = dnspolicy
         self.schedulername = schedulername
         self.full_pod_spec = full_pod_spec
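Review bot: `self.container_security_context = container_security_context` stores None as-is while the line directly above normalizes the pod-level value with `or {}`, so the two sibling fields follow different conventions with nothing saying why. Keeping None looks intentional, since it presumably lets the serialized container omit `securityContext` entirely rather than emitting an empty mapping, but that reasoning should be recorded next to the assignment: `# kept as None (not {}) so the container spec omits securityContext when none is given`. If the asymmetry is not intentional, the two lines should use the same normalization. The `__init__` body continues outside the hunk.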
@@ -557,6 +560,7 @@ class KubernetesPodOperator(BaseOperator):
                         args=self.arguments,
                         env=self.env_vars,
                         env_from=self.env_from,
+                        security_context=self.container_security_context,
                     )
                 ],
                 image_pull_secrets=self.image_pull_secrets,
diff --git a/kubernetes_tests/test_kubernetes_pod_operator.py b/kubernetes_tests/test_kubernetes_pod_operator.py
index 5b7ac664ae..97ca4a6d4b 100644
--- a/kubernetes_tests/test_kubernetes_pod_operator.py
+++ b/kubernetes_tests/test_kubernetes_pod_operator.py
@@ -482,11 +482,7 @@ class TestKubernetesPodOperatorSystem(unittest.TestCase):
             assert self.expected_pod == actual_pod
 
     def test_run_as_user_root(self):
-        security_context = {
-            'securityContext': {
-                'runAsUser': 0,
-            }
-        }
+        security_context = {'runAsUser': 0}
         k = KubernetesPodOperator(
             namespace='default',
             image="ubuntu:16.04",
@@ -507,11 +503,8 @@ class TestKubernetesPodOperatorSystem(unittest.TestCase):
 
     def test_run_as_user_non_root(self):
         security_context = {
-            'securityContext': {
-                'runAsUser': 1000,
-            }
+            'runAsUser': 1000,
         }
-
         k = KubernetesPodOperator(
             namespace='default',
             image="ubuntu:16.04",
@@ -530,11 +523,30 @@ class TestKubernetesPodOperatorSystem(unittest.TestCase):
         self.expected_pod['spec']['securityContext'] = security_context
         assert self.expected_pod == actual_pod
 
+    def test_disable_privilege_escalation(self):
+        container_security_context = {'allowPrivilegeEscalation': False}
+
+        k = KubernetesPodOperator(
+            namespace='default',
+            image="ubuntu:16.04",
+            cmds=["bash", "-cx"],
+            arguments=["echo 10"],
+            labels={"foo": "bar"},
+            name="test-" + str(random.randint(0, 1000000)),
+            task_id="task" + self.get_current_task_name(),
+            in_cluster=False,
+            do_xcom_push=False,
+            container_security_context=container_security_context,
+        )
+        context = create_context(k)
+        k.execute(context)
+        actual_pod = self.api_client.sanitize_for_serialization(k.pod)
+        self.expected_pod['spec']['containers'][0]['securityContext'] = container_security_context
+        assert self.expected_pod == actual_pod
+
     def test_fs_group(self):
         security_context = {
-            'securityContext': {
-                'fsGroup': 1000,
-            }
+            'fsGroup': 1000,
         }
 
         k = KubernetesPodOperator(
diff --git a/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py b/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py
index 2678065994..b547cc108b 100644
--- a/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py
+++ b/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py
@@ -152,6 +152,42 @@ class TestKubernetesPodOperator:
         assert k.env_vars[0].value == "footemplated"
         assert k.env_vars[0].name == "bartemplated"
 
+    def test_security_context(self):
+        security_context = {
+            'runAsUser': 1245,
+        }
+        k = KubernetesPodOperator(
+            namespace="default",
+            image="ubuntu:16.04",
+            cmds=["bash", "-cx"],
+            arguments=["echo 10"],
+            security_context=security_context,
+            labels={"foo": "bar"},
+            name="test",
+            task_id="task",
+            in_cluster=False,
+            do_xcom_push=False,
+        )
+        pod = self.run_pod(k)
+        assert pod.spec.security_context == security_context
+
+    def test_container_security_context(self):
+        container_security_context = {'allowPrivilegeEscalation': False}
+        k = KubernetesPodOperator(
+            namespace="default",
+            image="ubuntu:16.04",
+            cmds=["bash", "-cx"],
+            arguments=["echo 10"],
+            container_security_context=container_security_context,
+            labels={"foo": "bar"},
+            name="test",
+            task_id="task",
+            in_cluster=False,
+            do_xcom_push=False,
+        )
+        pod = self.run_pod(k)
+        assert pod.spec.containers[0].security_context == container_security_context
+
     def test_envs_from_configmaps(
         self,
     ):
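Review bot: `test_container_security_context` only checks that the dict supplied on the `container_security_context=` line is passed through unchanged to `pod.spec.containers[0].security_context`; nothing covers the default case, so a later change that starts emitting an empty or default context would not be caught. A one-line assertion in an existing test that does not pass the parameter, `assert pod.spec.containers[0].security_context is None`, would pin the current behavior of leaving the container securityContext unset when none is configured. The `TestKubernetesPodOperator` class and its `run_pod` helper continue outside the hunk.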