Posted to commits@airflow.apache.org by po...@apache.org on 2022/09/09 01:16:39 UTC
[airflow] branch main updated: feat(KubernetesPodOperator): Add support of container_security_context (#25530)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 4b26c8c541 feat(KubernetesPodOperator): Add support of container_security_context (#25530)
4b26c8c541 is described below
commit 4b26c8c541a720044fa96475620fc70f3ac6ccab
Author: yyvess <yy...@gmail.com>
AuthorDate: Fri Sep 9 03:16:30 2022 +0200
feat(KubernetesPodOperator): Add support of container_security_context (#25530)
---
.../cncf/kubernetes/operators/kubernetes_pod.py | 4 +++
kubernetes_tests/test_kubernetes_pod_operator.py | 36 ++++++++++++++--------
.../kubernetes/operators/test_kubernetes_pod.py | 36 ++++++++++++++++++++++
3 files changed, 64 insertions(+), 12 deletions(-)
diff --git a/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py b/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py
index d474687113..7edb982fde 100644
--- a/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py
+++ b/airflow/providers/cncf/kubernetes/operators/kubernetes_pod.py
@@ -129,6 +129,7 @@ class KubernetesPodOperator(BaseOperator):
:param hostnetwork: If True enable host networking on the pod.
:param tolerations: A list of kubernetes tolerations.
:param security_context: security options the pod should run with (PodSecurityContext).
+ :param container_security_context: security options the container should run with.
:param dnspolicy: dnspolicy for the pod.
:param schedulername: Specify a schedulername for the pod
:param full_pod_spec: The complete podSpec
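Review bot: The added `:param container_security_context:` line does not say what shape the value takes, while the sibling `security_context` line at least names PodSecurityContext; because the value is handed to the container unchanged (the `security_context=self.container_security_context` hunk further down) and the new tests use Kubernetes field names such as `{'allowPrivilegeEscalation': False}`, callers need to know the dict uses the API's camelCase keys rather than python-client attribute names. Suggested wording: `:param container_security_context: security options the container should run with (SecurityContext), given as a dict with Kubernetes field names, e.g. ``{'allowPrivilegeEscalation': False}``; fields set here take precedence over the same fields in the pod-level ``security_context``.` The enclosing class docstring continues outside the hunk.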
@@ -199,6 +200,7 @@ class KubernetesPodOperator(BaseOperator):
hostnetwork: bool = False,
tolerations: Optional[List[k8s.V1Toleration]] = None,
security_context: Optional[Dict] = None,
+ container_security_context: Optional[Dict] = None,
dnspolicy: Optional[str] = None,
schedulername: Optional[str] = None,
full_pod_spec: Optional[k8s.V1Pod] = None,
@@ -270,6 +272,7 @@ class KubernetesPodOperator(BaseOperator):
[convert_toleration(toleration) for toleration in tolerations] if tolerations else []
)
self.security_context = security_context or {}
+ self.container_security_context = container_security_context
self.dnspolicy = dnspolicy
self.schedulername = schedulername
self.full_pod_spec = full_pod_spec
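Review bot: `self.container_security_context = container_security_context` stores the raw argument while the line just above normalizes `security_context` with `or {}`, so the two attributes have different unset values (None versus an empty dict). Keeping None looks deliberate — the system test only adds a `securityContext` key to the expected container when the option is given, which suggests a None attribute is dropped on serialization — but that is inferred from the tests rather than visible here, and the asymmetry deserves a comment such as `# left as None (not {}) so an unset value adds no securityContext to the container`. The surrounding `__init__` body starts and ends outside the hunk.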
@@ -557,6 +560,7 @@ class KubernetesPodOperator(BaseOperator):
args=self.arguments,
env=self.env_vars,
env_from=self.env_from,
+ security_context=self.container_security_context,
)
],
image_pull_secrets=self.image_pull_secrets,
diff --git a/kubernetes_tests/test_kubernetes_pod_operator.py b/kubernetes_tests/test_kubernetes_pod_operator.py
index 5b7ac664ae..97ca4a6d4b 100644
--- a/kubernetes_tests/test_kubernetes_pod_operator.py
+++ b/kubernetes_tests/test_kubernetes_pod_operator.py
@@ -482,11 +482,7 @@ class TestKubernetesPodOperatorSystem(unittest.TestCase):
assert self.expected_pod == actual_pod
def test_run_as_user_root(self):
- security_context = {
- 'securityContext': {
- 'runAsUser': 0,
- }
- }
+ security_context = {'runAsUser': 0}
k = KubernetesPodOperator(
namespace='default',
image="ubuntu:16.04",
@@ -507,11 +503,8 @@ class TestKubernetesPodOperatorSystem(unittest.TestCase):
def test_run_as_user_non_root(self):
security_context = {
- 'securityContext': {
- 'runAsUser': 1000,
- }
+ 'runAsUser': 1000,
}
-
k = KubernetesPodOperator(
namespace='default',
image="ubuntu:16.04",
@@ -530,11 +523,30 @@ class TestKubernetesPodOperatorSystem(unittest.TestCase):
self.expected_pod['spec']['securityContext'] = security_context
assert self.expected_pod == actual_pod
+ def test_disable_privilege_escalation(self):
+ container_security_context = {'allowPrivilegeEscalation': False}
+
+ k = KubernetesPodOperator(
+ namespace='default',
+ image="ubuntu:16.04",
+ cmds=["bash", "-cx"],
+ arguments=["echo 10"],
+ labels={"foo": "bar"},
+ name="test-" + str(random.randint(0, 1000000)),
+ task_id="task" + self.get_current_task_name(),
+ in_cluster=False,
+ do_xcom_push=False,
+ container_security_context=container_security_context,
+ )
+ context = create_context(k)
+ k.execute(context)
+ actual_pod = self.api_client.sanitize_for_serialization(k.pod)
+ self.expected_pod['spec']['containers'][0]['securityContext'] = container_security_context
+ assert self.expected_pod == actual_pod
+
def test_fs_group(self):
security_context = {
- 'securityContext': {
- 'fsGroup': 1000,
- }
+ 'fsGroup': 1000,
}
k = KubernetesPodOperator(
diff --git a/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py b/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py
index 2678065994..b547cc108b 100644
--- a/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py
+++ b/tests/providers/cncf/kubernetes/operators/test_kubernetes_pod.py
@@ -152,6 +152,42 @@ class TestKubernetesPodOperator:
assert k.env_vars[0].value == "footemplated"
assert k.env_vars[0].name == "bartemplated"
+ def test_security_context(self):
+ security_context = {
+ 'runAsUser': 1245,
+ }
+ k = KubernetesPodOperator(
+ namespace="default",
+ image="ubuntu:16.04",
+ cmds=["bash", "-cx"],
+ arguments=["echo 10"],
+ security_context=security_context,
+ labels={"foo": "bar"},
+ name="test",
+ task_id="task",
+ in_cluster=False,
+ do_xcom_push=False,
+ )
+ pod = self.run_pod(k)
+ assert pod.spec.security_context == security_context
+
+ def test_container_security_context(self):
+ container_security_context = {'allowPrivilegeEscalation': False}
+ k = KubernetesPodOperator(
+ namespace="default",
+ image="ubuntu:16.04",
+ cmds=["bash", "-cx"],
+ arguments=["echo 10"],
+ container_security_context=container_security_context,
+ labels={"foo": "bar"},
+ name="test",
+ task_id="task",
+ in_cluster=False,
+ do_xcom_push=False,
+ )
+ pod = self.run_pod(k)
+ assert pod.spec.containers[0].security_context == container_security_context
+
def test_envs_from_configmaps(
self,
):