From 90d3bf9188ecf46bd3b021061583f42f94784c39 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Fri, 6 Dec 2024 07:26:10 +1100
Subject: [PATCH] chore: backport fsGroupChangePolicy
---
 .../templating/backups/template_podconfig.go | 10 ++++++
 .../backups/template_podconfig_test.go | 32 ++++++++++++++++++-
 .../test-k8up-v1-rootless-onrootmismatch.yaml | 29 +++++++++++++++++
 ...onfig1.yaml => test-k8up-v1-rootless.yaml} | 0
 4 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 internal/templating/backups/test-resources/test-k8up-v1-rootless-onrootmismatch.yaml
 rename internal/templating/backups/test-resources/{result-podconfig1.yaml => test-k8up-v1-rootless.yaml} (100%)
diff --git a/internal/templating/backups/template_podconfig.go b/internal/templating/backups/template_podconfig.go
index 9edd95f8..9af78954 100644
--- a/internal/templating/backups/template_podconfig.go
+++ b/internal/templating/backups/template_podconfig.go
@@ -48,6 +48,16 @@ func GenerateBackupPodConfig(
 },
 },
 }
+ if lValues.PodSecurityContext.OnRootMismatch {
+ fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
+ if podConfig.Spec.Template.Spec.SecurityContext != nil {
+ podConfig.Spec.Template.Spec.SecurityContext.FSGroupChangePolicy = &fsGroupChangePolicy
+ } else {
+ podConfig.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+ FSGroupChangePolicy: &fsGroupChangePolicy,
+ }
+ }
+ }
 // add the default labels
 podConfig.ObjectMeta.Labels = map[string]string{
 "app.kubernetes.io/name": "k8up-podconfig",
diff --git a/internal/templating/backups/template_podconfig_test.go b/internal/templating/backups/template_podconfig_test.go
index c0009071..688d1240 100644
--- a/internal/templating/backups/template_podconfig_test.go
+++ b/internal/templating/backups/template_podconfig_test.go
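Review bot: In GenerateBackupPodConfig (template_podconfig.go), the `else` branch builds a pod security context that holds only `FSGroupChangePolicy`, with no `FSGroup`, `RunAsUser` or `RunAsGroup`. Kubernetes consults the change policy only when an fsGroup is set, so that PodConfig would carry a security setting that changes nothing and may read as if the backup pod were configured for rootless operation. If the policy is only meaningful alongside the rootless values, gate it on the existing context, `if lValues.PodSecurityContext.OnRootMismatch && podConfig.Spec.Template.Spec.SecurityContext != nil {`, and drop the `else`. A comment above the block should also say that OnRootMismatch checks only the volume's root directory, so files deeper in the volume whose ownership has drifted are not corrected and may be unreadable to the non-root backup user. The function starts and ends outside this hunk, so where the security context is first populated is not visible here.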
@@ -50,7 +50,37 @@ func TestGenerateBackupPodConfig(t *testing.T) {
 },
 },
 },
- want: "test-resources/result-podconfig1.yaml",
+ want: "test-resources/test-k8up-v1-rootless.yaml",
+ },
+ {
+ name: "test-k8up-v1-rootless-onrootmismatch",
+ description: "this will generate a podconfig if the environment is configured for rootless workloads",
+ args: args{
+ lValues: generator.BuildValues{
+ Project: "example-project",
+ Environment: "environment",
+ EnvironmentType: "production",
+ Namespace: "myexample-project-environment",
+ BuildType: "branch",
+ LagoonVersion: "v2.x.x",
+ Kubernetes: "generator.local",
+ Branch: "environment",
+ BackupsEnabled: true,
+ Backup: generator.BackupConfiguration{
+ K8upVersion: "v2",
+ },
+ FeatureFlags: map[string]bool{
+ "rootlessworkloads": true,
+ },
+ PodSecurityContext: generator.PodSecurityContext{
+ RunAsGroup: 0,
+ RunAsUser: 10000,
+ FsGroup: 10001,
+ OnRootMismatch: true,
+ },
+ },
+ },
+ want: "test-resources/test-k8up-v1-rootless-onrootmismatch.yaml",
 },
 {
 name: "test-k8up-v1-root",
diff --git a/internal/templating/backups/test-resources/test-k8up-v1-rootless-onrootmismatch.yaml b/internal/templating/backups/test-resources/test-k8up-v1-rootless-onrootmismatch.yaml
new file mode 100644
index 00000000..03dded7e
--- /dev/null
+++ b/internal/templating/backups/test-resources/test-k8up-v1-rootless-onrootmismatch.yaml
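Review bot: The new `test-k8up-v1-rootless-onrootmismatch` case in TestGenerateBackupPodConfig only exercises the path where the pod security context already exists, and its `description` does not mention the change policy it is there to cover. I would reword it to `description: "this will generate a podconfig with fsGroupChangePolicy OnRootMismatch if the environment is configured for rootless workloads",` and add a second case that sets `OnRootMismatch: true` without the `rootlessworkloads` feature flag, so the output for that combination is pinned by a fixture. Whether that combination reaches the generator's `else` branch depends on code outside this hunk, and the test table itself starts and ends outside it.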
@@ -0,0 +1,29 @@
+---
+apiVersion: k8up.io/v1
+kind: PodConfig
+metadata:
+ annotations:
+ lagoon.sh/branch: environment
+ lagoon.sh/version: v2.x.x
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/instance: k8up-rootless-workload-podconfig
+ app.kubernetes.io/managed-by: build-deploy-tool
+ app.kubernetes.io/name: k8up-podconfig
+ lagoon.sh/buildType: branch
+ lagoon.sh/environment: environment
+ lagoon.sh/environmentType: production
+ lagoon.sh/project: example-project
+ lagoon.sh/service: k8up-rootless-workload-podconfig
+ lagoon.sh/service-type: k8up-podconfig
+ lagoon.sh/template: k8up-podconfig-0.1.0
+ name: k8up-rootless-workload-podconfig
+spec:
+ template:
+ spec:
+ securityContext:
+ fsGroup: 10001
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 0
+ runAsUser: 10000
+status: {}
diff --git a/internal/templating/backups/test-resources/result-podconfig1.yaml b/internal/templating/backups/test-resources/test-k8up-v1-rootless.yaml
similarity index 100%
rename from internal/templating/backups/test-resources/result-podconfig1.yaml
rename to internal/templating/backups/test-resources/test-k8up-v1-rootless.yaml