From 70765fa24d569f5bd65f31b171cf899842adfc5e Mon Sep 17 00:00:00 2001
From: Lee Verberne
Date: Fri, 12 Feb 2021 10:44:54 +0100
Subject: [PATCH] Allow securityContext in EphemeralContainers

---
 pkg/api/pod/util_test.go | 4 ++--
 pkg/apis/core/types.go | 3 ++-
 pkg/apis/core/validation/validation.go | 1 +
 pkg/apis/core/validation/validation_test.go | 23 +++++++++++++--------
 staging/src/k8s.io/api/core/v1/types.go | 3 ++-
 5 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/pkg/api/pod/util_test.go b/pkg/api/pod/util_test.go
index a11439a5256..3124c8d6368 100644
--- a/pkg/api/pod/util_test.go
+++ b/pkg/api/pod/util_test.go
@@ -1359,12 +1359,12 @@ func TestDropEphemeralContainers(t *testing.T) {
 pod func() *api.Pod
 }{
 {
- description: "has subpaths",
+ description: "has ephemeral containers",
 hasEphemeralContainers: true,
 pod: podWithEphemeralContainers,
 },
 {
- description: "does not have subpaths",
+ description: "does not have ephemeral containers",
 hasEphemeralContainers: false,
 pod: podWithoutEphemeralContainers,
 },
diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
index 3fdc87977a6..bf74884bd4c 100644
--- a/pkg/apis/core/types.go
+++ b/pkg/apis/core/types.go
@@ -3140,7 +3140,8 @@ type EphemeralContainerCommon struct {
 TerminationMessagePolicy TerminationMessagePolicy
 // Required: Policy for pulling images for this container
 ImagePullPolicy PullPolicy
- // SecurityContext is not allowed for ephemeral containers.
+ // Optional: SecurityContext defines the security options the ephemeral container should be run with.
+ // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 // +optional
 SecurityContext *SecurityContext
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index c2e05ed61f0..8ca1fc97a27 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -85,6 +85,7 @@ var allowedEphemeralContainerFields = map[string]bool{
 "TerminationMessagePath": true,
 "TerminationMessagePolicy": true,
 "ImagePullPolicy": true,
+ "SecurityContext": true,
 "Stdin": true,
 "StdinOnce": true,
 "TTY": true,
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index d444b68b564..a440b38c0a4 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -5822,7 +5822,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 TargetContainerName: "ctr",
 },
 },
- "All Whitelisted Fields": {
+ "All allowed Fields": {
 {
 EphemeralContainerCommon: core.EphemeralContainerCommon{
@@ -5848,9 +5848,14 @@ func TestValidateEphemeralContainers(t *testing.T) {
 TerminationMessagePath: "/dev/termination-log",
 TerminationMessagePolicy: "File",
 ImagePullPolicy: "IfNotPresent",
- Stdin: true,
- StdinOnce: true,
- TTY: true,
+ SecurityContext: &core.SecurityContext{
+ Capabilities: &core.Capabilities{
+ Add: []core.Capability{"SYS_ADMIN"},
+ },
+ },
+ Stdin: true,
+ StdinOnce: true,
+ TTY: true,
 },
 },
 },
@@ -5923,7 +5928,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 field.Error{Type: field.ErrorTypeNotFound, Field: "ephemeralContainers[0].targetContainerName"},
 },
 {
- "Container uses non-whitelisted field: Lifecycle",
+ "Container uses disallowed field: Lifecycle",
 []core.EphemeralContainer{
 {
 EphemeralContainerCommon: core.EphemeralContainerCommon{
@@ -5942,7 +5947,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].lifecycle"},
 },
 {
- "Container uses non-whitelisted field: LivenessProbe",
+ "Container uses disallowed field: LivenessProbe",
 []core.EphemeralContainer{
 {
 EphemeralContainerCommon: core.EphemeralContainerCommon{
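Review bot: Adding `"SecurityContext"` to allowedEphemeralContainerFields only removes the forbidden-field error; nothing in this hunk shows that the contents of the security context (privileged, added capabilities, the privileged/allowPrivilegeEscalation consistency rule) are then validated for ephemeral containers the way they are for regular containers. If the ephemeral-container validator already passes the converted containers through the common container validation that calls ValidateSecurityContext, a short comment on the entry would make that dependency explicit and keep a later refactor from silently dropping it, e.g. `"SecurityContext": true, // contents are still checked by the common container/security-context validation`. If it does not, that check needs to be wired in before this entry lands. The map declaration starts and ends outside the hunk.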
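Review bot: The SecurityContext added to the "All allowed Fields" case only proves the field is no longer rejected; there is no companion negative case showing that an invalid security context on an ephemeral container is still caught, so a regression that skipped security-context validation for ephemeral containers would pass this table unchanged. Add an error case next to the "Container uses disallowed field" entries whose `SecurityContext` sets `Privileged` to true and `AllowPrivilegeEscalation` to false, expecting `field.Error{Type: field.ErrorTypeInvalid, Field: "ephemeralContainers[0].securityContext.allowPrivilegeEscalation"}` (confirm the exact type and path against what the security-context validator emits for that combination). As a matter of fixture choice, the "all allowed fields" case does not need `SYS_ADMIN` to exercise the capabilities path; any capability would do and avoids presenting the most powerful one as the expected value for a debug container. The test table starts and ends outside the hunk.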
@@ -5962,7 +5967,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].livenessProbe"},
 },
 {
- "Container uses non-whitelisted field: Ports",
+ "Container uses disallowed field: Ports",
 []core.EphemeralContainer{
 {
 EphemeralContainerCommon: core.EphemeralContainerCommon{
@@ -5979,7 +5984,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].ports"},
 },
 {
- "Container uses non-whitelisted field: ReadinessProbe",
+ "Container uses disallowed field: ReadinessProbe",
 []core.EphemeralContainer{
 {
 EphemeralContainerCommon: core.EphemeralContainerCommon{
@@ -5998,7 +6003,7 @@ func TestValidateEphemeralContainers(t *testing.T) {
 field.Error{Type: field.ErrorTypeForbidden, Field: "ephemeralContainers[0].readinessProbe"},
 },
 {
- "Container uses non-whitelisted field: Resources",
+ "Container uses disallowed field: Resources",
 []core.EphemeralContainer{
 {
 EphemeralContainerCommon: core.EphemeralContainerCommon{
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index ef4e433ac46..dd662fcf61f 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@@ -3525,7 +3525,8 @@ type EphemeralContainerCommon struct {
 // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
 // +optional
 ImagePullPolicy PullPolicy `json:"imagePullPolicy,omitempty" protobuf:"bytes,14,opt,name=imagePullPolicy,casttype=PullPolicy"`
- // SecurityContext is not allowed for ephemeral containers.
+ // Optional: SecurityContext defines the security options the ephemeral container should be run with.
+ // If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 // +optional
 SecurityContext *SecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"`
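Review bot: This comment becomes the published API description of the field, and it reads as if the field had always been accepted; servers that predate this change reject an ephemeral container with securityContext set as a forbidden field, so clients cannot rely on it across versions. The comment should state when it became accepted, e.g. add `// This field is accepted by the API server starting with <RELEASE-PLACEHOLDER>; older servers reject it.`. It would also help readers to say that the securityContext of an ephemeral container is presumably subject to the same validation and policy as a regular container's, since an ephemeral container is added to an already-running pod and this field can raise that pod's effective privilege level — confirm that statement before documenting it, and mirror whatever wording is chosen in the internal pkg/apis/core/types.go comment changed by this commit. The struct declaration starts and ends outside the hunk.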