From 3fe1135403069063f861ea9747f898a64a3610b1 Mon Sep 17 00:00:00 2001 From: awstools Date: Wed, 27 Mar 2024 18:31:43 +0000 Subject: [PATCH] feat(client-batch): This feature allows AWS Batch to support configuration of imagePullSecrets and allowPrivilegeEscalation for jobs running on EKS --- .../commands/DescribeJobDefinitionsCommand.ts | 7 ++++ .../src/commands/DescribeJobsCommand.ts | 7 ++++ .../commands/RegisterJobDefinitionCommand.ts | 7 ++++ clients/client-batch/src/models/models_0.ts | 32 +++++++++++++++ .../src/protocols/Aws_restJson1.ts | 9 +++++ codegen/sdk-codegen/aws-models/batch.json | 40 +++++++++++++++++++ 6 files changed, 102 insertions(+) diff --git a/clients/client-batch/src/commands/DescribeJobDefinitionsCommand.ts b/clients/client-batch/src/commands/DescribeJobDefinitionsCommand.ts index c8396089f5ed..49e4186ca7c4 100644 --- a/clients/client-batch/src/commands/DescribeJobDefinitionsCommand.ts +++ b/clients/client-batch/src/commands/DescribeJobDefinitionsCommand.ts @@ -394,6 +394,11 @@ export interface DescribeJobDefinitionsCommandOutput extends DescribeJobDefiniti * // serviceAccountName: "STRING_VALUE", * // hostNetwork: true || false, * // dnsPolicy: "STRING_VALUE", + * // imagePullSecrets: [ // ImagePullSecrets + * // { // ImagePullSecret + * // name: "STRING_VALUE", // required + * // }, + * // ], * // containers: [ // EksContainers * // { // EksContainer * // name: "STRING_VALUE", @@ -426,6 +431,7 @@ export interface DescribeJobDefinitionsCommandOutput extends DescribeJobDefiniti * // runAsUser: Number("long"), * // runAsGroup: Number("long"), * // privileged: true || false, + * // allowPrivilegeEscalation: true || false, * // readOnlyRootFilesystem: true || false, * // runAsNonRoot: true || false, * // }, @@ -463,6 +469,7 @@ export interface DescribeJobDefinitionsCommandOutput extends DescribeJobDefiniti * // runAsUser: Number("long"), * // runAsGroup: Number("long"), * // privileged: true || false, + * // allowPrivilegeEscalation: true || false, * // readOnlyRootFilesystem: true || false, * // runAsNonRoot: true || false, * // }, diff --git a/clients/client-batch/src/commands/DescribeJobsCommand.ts b/clients/client-batch/src/commands/DescribeJobsCommand.ts index 766376d29288..8b8a36233190 100644 --- a/clients/client-batch/src/commands/DescribeJobsCommand.ts +++ b/clients/client-batch/src/commands/DescribeJobsCommand.ts @@ -405,6 +405,11 @@ export interface DescribeJobsCommandOutput extends DescribeJobsResponse, __Metad * // serviceAccountName: "STRING_VALUE", * // hostNetwork: true || false, * // dnsPolicy: "STRING_VALUE", + * // imagePullSecrets: [ // ImagePullSecrets + * // { // ImagePullSecret + * // name: "STRING_VALUE", // required + * // }, + * // ], * // containers: [ // EksContainerDetails * // { // EksContainerDetail * // name: "STRING_VALUE", @@ -439,6 +444,7 @@ export interface DescribeJobsCommandOutput extends DescribeJobsResponse, __Metad * // runAsUser: Number("long"), * // runAsGroup: Number("long"), * // privileged: true || false, + * // allowPrivilegeEscalation: true || false, * // readOnlyRootFilesystem: true || false, * // runAsNonRoot: true || false, * // }, @@ -478,6 +484,7 @@ export interface DescribeJobsCommandOutput extends DescribeJobsResponse, __Metad * // runAsUser: Number("long"), * // runAsGroup: Number("long"), * // privileged: true || false, + * // allowPrivilegeEscalation: true || false, * // readOnlyRootFilesystem: true || false, * // runAsNonRoot: true || false, * // }, diff --git a/clients/client-batch/src/commands/RegisterJobDefinitionCommand.ts b/clients/client-batch/src/commands/RegisterJobDefinitionCommand.ts index 32c12afcf2fc..c3764820e232 100644 --- a/clients/client-batch/src/commands/RegisterJobDefinitionCommand.ts +++ b/clients/client-batch/src/commands/RegisterJobDefinitionCommand.ts @@ -337,6 +337,11 @@ export interface RegisterJobDefinitionCommandOutput extends RegisterJobDefinitio * serviceAccountName: "STRING_VALUE", * hostNetwork: true || false, * dnsPolicy: "STRING_VALUE", + * imagePullSecrets: [ // ImagePullSecrets + * { // ImagePullSecret + * name: "STRING_VALUE", // required + * }, + * ], * containers: [ // EksContainers * { // EksContainer * name: "STRING_VALUE", @@ -369,6 +374,7 @@ export interface RegisterJobDefinitionCommandOutput extends RegisterJobDefinitio * runAsUser: Number("long"), * runAsGroup: Number("long"), * privileged: true || false, + * allowPrivilegeEscalation: true || false, * readOnlyRootFilesystem: true || false, * runAsNonRoot: true || false, * }, @@ -406,6 +412,7 @@ export interface RegisterJobDefinitionCommandOutput extends RegisterJobDefinitio * runAsUser: Number("long"), * runAsGroup: Number("long"), * privileged: true || false, + * allowPrivilegeEscalation: true || false, * readOnlyRootFilesystem: true || false, * runAsNonRoot: true || false, * }, diff --git a/clients/client-batch/src/models/models_0.ts b/clients/client-batch/src/models/models_0.ts index 144fc76de2a7..3c9c65891897 100644 --- a/clients/client-batch/src/models/models_0.ts +++ b/clients/client-batch/src/models/models_0.ts @@ -3353,6 +3353,12 @@ export interface EksContainerSecurityContext { */ privileged?: boolean; + /** + *

Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process. The default value is false.

+ * @public + */ + allowPrivilegeEscalation?: boolean; + /** *

When this parameter is true, the container is given read-only access to its * root file system. The default value is false. This parameter maps to @@ -3497,6 +3503,18 @@ export interface EksContainer { securityContext?: EksContainerSecurityContext; } +/** + *

References a Kubernetes configuration resource that holds a list of secrets. These secrets help to gain access to pull an image from a private registry.

+ * @public + */ +export interface ImagePullSecret { + /** + *

Provides a unique identifier for the ImagePullSecret. This object is required when EksPodProperties$imagePullSecrets is used.

+ * @public + */ + name: string | undefined; +} + /** *

Describes and uniquely identifies Kubernetes resources. For example, the compute environment that * a pod runs in or the jobID for a job running in the pod. For more information, see @@ -3664,6 +3682,14 @@ export interface EksPodProperties { */ dnsPolicy?: string; + /** + *

References a Kubernetes secret resource. This object must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.

+ *

+ * ImagePullSecret$name is required when this object is used.

+ * @public + */ + imagePullSecrets?: ImagePullSecret[]; + /** *

The properties of the container that's used on the Amazon EKS pod.

* @public @@ -5103,6 +5129,12 @@ export interface EksPodPropertiesDetail { */ dnsPolicy?: string; + /** + *

Displays the reference pointer to the Kubernetes secret resource.

+ * @public + */ + imagePullSecrets?: ImagePullSecret[]; + /** *

The properties of the container that's used on the Amazon EKS pod.

* @public diff --git a/clients/client-batch/src/protocols/Aws_restJson1.ts b/clients/client-batch/src/protocols/Aws_restJson1.ts index d2ee36c96074..13d360dc8e0a 100644 --- a/clients/client-batch/src/protocols/Aws_restJson1.ts +++ b/clients/client-batch/src/protocols/Aws_restJson1.ts @@ -127,6 +127,7 @@ import { FairsharePolicy, FargatePlatformConfiguration, Host, + ImagePullSecret, JobDefinition, JobDependency, JobDetail, @@ -1403,6 +1404,10 @@ const se_FairsharePolicy = (input: FairsharePolicy, context: __SerdeContext): an // se_Host omitted. +// se_ImagePullSecret omitted. + +// se_ImagePullSecrets omitted. + // se_JobDependency omitted. // se_JobDependencyList omitted. @@ -1669,6 +1674,10 @@ const de_FairsharePolicy = (output: any, context: __SerdeContext): FairsharePoli // de_Host omitted. +// de_ImagePullSecret omitted. + +// de_ImagePullSecrets omitted. + /** * deserializeAws_restJson1JobDefinition */ diff --git a/codegen/sdk-codegen/aws-models/batch.json b/codegen/sdk-codegen/aws-models/batch.json index 8808ff5582be..54e06b0c1ef4 100644 --- a/codegen/sdk-codegen/aws-models/batch.json +++ b/codegen/sdk-codegen/aws-models/batch.json @@ -4220,6 +4220,12 @@ "smithy.api#documentation": "

When this parameter is true, the container is given elevated permissions on the\n host container instance. The level of permissions are similar to the root user\n permissions. The default value is false. This parameter maps to\n privileged policy in the Privileged\n pod security policies in the Kubernetes documentation.

" } }, + "allowPrivilegeEscalation": { + "target": "com.amazonaws.batch#Boolean", + "traits": { + "smithy.api#documentation": "

Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process. The default value is false.

" + } + }, "readOnlyRootFilesystem": { "target": "com.amazonaws.batch#Boolean", "traits": { @@ -4362,6 +4368,12 @@ "smithy.api#documentation": "

The DNS policy for the pod. The default value is ClusterFirst. If the\n hostNetwork parameter is not specified, the default is\n ClusterFirstWithHostNet. ClusterFirst indicates that any DNS query\n that does not match the configured cluster domain suffix is forwarded to the upstream nameserver\n inherited from the node. For more information, see Pod's DNS policy in the Kubernetes documentation.

\n

Valid values: Default | ClusterFirst |\n ClusterFirstWithHostNet\n

" } }, + "imagePullSecrets": { + "target": "com.amazonaws.batch#ImagePullSecrets", + "traits": { + "smithy.api#documentation": "

References a Kubernetes secret resource. This object must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.

\n

\n ImagePullSecret$name is required when this object is used.

" + } + }, "containers": { "target": "com.amazonaws.batch#EksContainers", "traits": { @@ -4418,6 +4430,12 @@ "smithy.api#documentation": "

The DNS policy for the pod. The default value is ClusterFirst. If the\n hostNetwork parameter is not specified, the default is\n ClusterFirstWithHostNet. ClusterFirst indicates that any DNS query\n that does not match the configured cluster domain suffix is forwarded to the upstream nameserver\n inherited from the node. If no value was specified for dnsPolicy in the RegisterJobDefinition API operation, then no value will be returned for\n dnsPolicy by either of DescribeJobDefinitions\n or DescribeJobs API operations. The pod spec setting will contain either\n ClusterFirst or ClusterFirstWithHostNet, depending on the value of the\n hostNetwork parameter. For more information, see Pod's DNS policy in the Kubernetes documentation.

\n

Valid values: Default | ClusterFirst |\n ClusterFirstWithHostNet\n

" } }, + "imagePullSecrets": { + "target": "com.amazonaws.batch#ImagePullSecrets", + "traits": { + "smithy.api#documentation": "

Displays the reference pointer to the Kubernetes secret resource.

" + } + }, "containers": { "target": "com.amazonaws.batch#EksContainerDetails", "traits": { @@ -4732,6 +4750,28 @@ } } }, + "com.amazonaws.batch#ImagePullSecret": { + "type": "structure", + "members": { + "name": { + "target": "com.amazonaws.batch#String", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#documentation": "

Provides a unique identifier for the ImagePullSecret. This object is required when EksPodProperties$imagePullSecrets is used.

", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

References a Kubernetes configuration resource that holds a list of secrets. These secrets help to gain access to pull an image from a private registry.

" + } + }, + "com.amazonaws.batch#ImagePullSecrets": { + "type": "list", + "member": { + "target": "com.amazonaws.batch#ImagePullSecret" + } + }, "com.amazonaws.batch#ImageType": { "type": "string", "traits": {