Merge pull request #218 from microsoft/saulparedes/support_cron_job

genpolicy: add support for cron jobs

src/tools/genpolicy/policy_samples.json

@@ -3,6 +3,7 @@
                 "configmap/pod-cm1.yaml",
                 "configmap/pod-cm2.yaml",
                 "configmap/pod-cm3.yaml",
+                "cron-job/test-cron-job.yaml",
                 "deployment/deployment-azure-vote-back.yaml",
                 "deployment/deployment-azure-vote-front.yaml",
                 "deployment/deployment-busybox.yaml",
@@ -79,4 +80,4 @@
                 "mcr.microsoft.com/azurelinux/base/nginx:1.25",
                 "mcr.microsoft.com/mirror/docker/library/ubuntu:noble"
         ]
-}
+}

src/tools/genpolicy/src/cronjob.rs

@@ -0,0 +1,155 @@
+// Copyright (c) 2024 Microsoft Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+// Allow K8s YAML field names.
+#![allow(non_snake_case)]
+
+use crate::agent;
+use crate::job;
+use crate::obj_meta;
+use crate::pod;
+use crate::policy;
+use crate::pvc;
+use crate::settings;
+use crate::utils::Config;
+use crate::yaml;
+
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use std::collections::BTreeMap;
+
+/// See Reference / Kubernetes API / Workload Resources / CronJob.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct CronJob {
+    apiVersion: String,
+    kind: String,
+    metadata: obj_meta::ObjectMeta,
+    spec: CronJobSpec,
+    #[serde(skip)]
+    doc_mapping: serde_yaml::Value,
+}
+
+/// See Reference / Kubernetes API / Workload Resources / CronJob.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct CronJobSpec {
+    jobTemplate: JobTemplateSpec,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    concurrencyPolicy: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    failedJobsHistoryLimit: Option<i32>,
+
+    schedule: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    startingDeadlineSeconds: Option<i32>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    successfulJobsHistoryLimit: Option<i32>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    suspend: Option<bool>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    timeZone: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    backoffLimit: Option<i32>,
+    // TODO: additional fields.
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct JobTemplateSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    metadata: Option<obj_meta::ObjectMeta>,
+    spec: job::JobSpec,
+}
+
+#[async_trait]
+impl yaml::K8sResource for CronJob {
+    async fn init(
+        &mut self,
+        config: &Config,
+        doc_mapping: &serde_yaml::Value,
+        _silent_unsupported_fields: bool,
+    ) {
+        yaml::k8s_resource_init(&mut self.spec.jobTemplate.spec.template.spec, config).await;
+        self.doc_mapping = doc_mapping.clone();
+    }
+
+    fn get_sandbox_name(&self) -> Option<String> {
+        None
+    }
+
+    fn get_namespace(&self) -> Option<String> {
+        self.metadata.get_namespace()
+    }
+
+    fn get_container_mounts_and_storages(
+        &self,
+        policy_mounts: &mut Vec<policy::KataMount>,
+        storages: &mut Vec<agent::Storage>,
+        persistent_volume_claims: &[pvc::PersistentVolumeClaim],
+        container: &pod::Container,
+        settings: &settings::Settings,
+    ) {
+        if let Some(volumes) = &self.spec.jobTemplate.spec.template.spec.volumes {
+            yaml::get_container_mounts_and_storages(
+                policy_mounts,
+                storages,
+                persistent_volume_claims,
+                container,
+                settings,
+                volumes,
+            );
+        }
+    }
+
+    fn generate_policy(&self, agent_policy: &policy::AgentPolicy) -> String {
+        agent_policy.generate_policy(self)
+    }
+
+    fn serialize(&mut self, policy: &str) -> String {
+        yaml::add_policy_annotation(
+            &mut self.doc_mapping,
+            "spec.jobTemplate.spec.template",
+            policy,
+        );
+        serde_yaml::to_string(&self.doc_mapping).unwrap()
+    }
+
+    fn get_containers(&self) -> &Vec<pod::Container> {
+        &self.spec.jobTemplate.spec.template.spec.containers
+    }
+
+    fn get_annotations(&self) -> &Option<BTreeMap<String, String>> {
+        if let Some(metadata) = &self.spec.jobTemplate.spec.template.metadata {
+            return &metadata.annotations;
+        }
+        &None
+    }
+
+    fn use_host_network(&self) -> bool {
+        if let Some(host_network) = self.spec.jobTemplate.spec.template.spec.hostNetwork {
+            return host_network;
+        }
+        false
+    }
+
+    fn use_sandbox_pidns(&self) -> bool {
+        if let Some(shared) = self
+            .spec
+            .jobTemplate
+            .spec
+            .template
+            .spec
+            .shareProcessNamespace
+        {
+            return shared;
+        }
+        false
+    }
+}

src/tools/genpolicy/src/job.rs

@@ -35,7 +35,7 @@ pub struct Job {
 /// See Reference / Kubernetes API / Workload Resources / Job.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct JobSpec {
-    template: pod_template::PodTemplateSpec,
+    pub template: pod_template::PodTemplateSpec,
 
     #[serde(skip_serializing_if = "Option::is_none")]
     backoffLimit: Option<i32>,

src/tools/genpolicy/src/main.rs

@@ -8,6 +8,7 @@ use log::{debug, info};
 mod agent;
 mod config_map;
 mod containerd;
+mod cronjob;
 mod daemon_set;
 mod deployment;
 mod job;

src/tools/genpolicy/src/yaml.rs

@@ -8,6 +8,7 @@
 
 use crate::agent;
 use crate::config_map;
+use crate::cronjob;
 use crate::daemon_set;
 use crate::deployment;
 use crate::job;
@@ -139,6 +140,14 @@ pub fn new_k8s_resource(
             debug!("{:#?}", &job);
             Ok((boxed::Box::new(job), header.kind))
         }
+        "CronJob" => {
+            let cronJob: cronjob::CronJob = serde_ignored::deserialize(d, |path| {
+                handle_unused_field(&path.to_string(), silent_unsupported_fields);
+            })
+            .unwrap();
+            debug!("{:#?}", &cronJob);
+            Ok((boxed::Box::new(cronJob), header.kind))
+        }
         "List" => {
             let list: list::List = serde_ignored::deserialize(d, |path| {
                 handle_unused_field(&path.to_string(), silent_unsupported_fields);