Fix RunAsGroup.

2025-07-23 19:56:01 +00:00 · 2018-07-06 15:42:26 -07:00 · 2018-07-06 15:42:26 -07:00 · 3193a4a469
commit 3193a4a469
parent 5114d4e0b0
3 changed files with 16 additions and 2 deletions
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
@ -64,6 +64,8 @@ func TestGenerateContainerConfig(t *testing.T) {
 	_, imageService, m, err := createTestRuntimeManager()
 	assert.NoError(t, err)

+	runAsUser := int64(1000)
+	runAsGroup := int64(2000)
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			UID:       "12345678",
@ -78,6 +80,10 @@ func TestGenerateContainerConfig(t *testing.T) {
 					ImagePullPolicy: v1.PullIfNotPresent,
 					Command:         []string{"testCommand"},
 					WorkingDir:      "testWorkingDir",
+					SecurityContext: &v1.SecurityContext{
+						RunAsUser:  &runAsUser,
+						RunAsGroup: &runAsGroup,
+					},
 				},
 			},
 		},
@ -87,8 +93,10 @@ func TestGenerateContainerConfig(t *testing.T) {
 	containerConfig, _, err := m.generateContainerConfig(&pod.Spec.Containers[0], pod, 0, "", pod.Spec.Containers[0].Image, kubecontainer.ContainerTypeRegular)
 	assert.NoError(t, err)
 	assert.Equal(t, expectedConfig, containerConfig, "generate container config for kubelet runtime v1.")
+	assert.Equal(t, runAsUser, containerConfig.GetLinux().GetSecurityContext().GetRunAsUser().GetValue(), "RunAsUser should be set")
+	assert.Equal(t, runAsGroup, containerConfig.GetLinux().GetSecurityContext().GetRunAsGroup().GetValue(), "RunAsGroup should be set")

-	runAsUser := int64(0)
+	runAsRoot := int64(0)
 	runAsNonRootTrue := true
 	podWithContainerSecurityContext := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@ -106,7 +114,7 @@ func TestGenerateContainerConfig(t *testing.T) {
 					WorkingDir:      "testWorkingDir",
 					SecurityContext: &v1.SecurityContext{
 						RunAsNonRoot: &runAsNonRootTrue,
-						RunAsUser:    &runAsUser,
+						RunAsUser:    &runAsRoot,
 					},
 				},
 			},
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@ -152,6 +152,9 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 		if sc.RunAsUser != nil {
 			lc.SecurityContext.RunAsUser = &runtimeapi.Int64Value{Value: int64(*sc.RunAsUser)}
 		}
+		if sc.RunAsGroup != nil {
+			lc.SecurityContext.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*sc.RunAsGroup)}
+		}
 		lc.SecurityContext.NamespaceOptions = namespacesForPod(pod)

 		if sc.FSGroup != nil {
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@ -108,6 +108,9 @@ func convertToRuntimeSecurityContext(securityContext *v1.SecurityContext) *runti
 	if securityContext.RunAsUser != nil {
 		sc.RunAsUser = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsUser)}
 	}
+	if securityContext.RunAsGroup != nil {
+		sc.RunAsGroup = &runtimeapi.Int64Value{Value: int64(*securityContext.RunAsGroup)}
+	}
 	if securityContext.Privileged != nil {
 		sc.Privileged = *securityContext.Privileged
 	}