author | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> | 2018-05-05 19:06:06 +0100 |
---|---|---|
committer | Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com> | 2018-06-14 07:15:29 +0000 |
commit | 3b43905b749b65bd229db8f3f1ce10c29f9b9e37 (patch) | |
tree | 652d7fb7a64faebbe3ce51d0a4496ce3ebdc99a5 /yardstick/orchestrator | |
parent | 34292694f596561de9c78f0feb663ffa5de0dc2d (diff) |
Add "securityContext" parameter in Kubernetes context
This new parameter, "securityContext", will allow the user to define the
privilege and access control settings for a pod or a container [1].
Example of "securityContext" definition in the pod (if only one container
is defined):
context:
type: Kubernetes
servers:
host:
image: ...
securityContext:
runAsUser: 1000
fsGroup: 2000
Example of "securityContext" definition in the pod and the container (if
several containers are defined):
context:
type: Kubernetes
servers:
host:
securityContext:
runAsUser: 1000
fsGroup: 2000
containers:
- image: ...
securityContext:
allowPrivilegeEscalation: false
- image: ...
[1] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
JIRA: YARDSTICK-1156
Change-Id: I597a300c68cd834522a284b1cca0faa918493342
Signed-off-by: Rodolfo Alonso Hernandez <rodolfo.alonso.hernandez@intel.com>
Diffstat (limited to 'yardstick/orchestrator')
-rw-r--r-- | yardstick/orchestrator/kubernetes.py | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/yardstick/orchestrator/kubernetes.py b/yardstick/orchestrator/kubernetes.py
index 8ccb98853..25adff7d4 100644
--- a/yardstick/orchestrator/kubernetes.py
+++ b/yardstick/orchestrator/kubernetes.py
@@ -27,6 +27,7 @@ class ContainerObject(object):
 self._command = [kwargs.get('command', self.COMMAND_DEFAULT)]
 self._args = kwargs.get('args', [])
 self._volume_mounts = kwargs.get('volumeMounts', [])
+ self._security_context = kwargs.get('securityContext')
 def _create_volume_mounts(self):
 """Return all "volumeMounts" items per container"""
@@ -47,11 +48,14 @@ class ContainerObject(object):
 def get_container_item(self):
 """Create a "container" item"""
 container_name = '{}-container'.format(self._name)
- return {'args': self._args,
- 'command': self._command,
- 'image': self._image,
- 'name': container_name,
- 'volumeMounts': self._create_volume_mounts()}
+ container = {'args': self._args,
+ 'command': self._command,
+ 'image': self._image,
+ 'name': container_name,
+ 'volumeMounts': self._create_volume_mounts()}
+ if self._security_context:
+ container['securityContext'] = self._security_context
+ return container
 class KubernetesObject(object):
@@ -65,6 +69,7 @@ class KubernetesObject(object):
 self.node_selector = parameters.pop('nodeSelector', {})
 self.ssh_key = parameters.pop('ssh_key', self.SSHKEY_DEFAULT)
 self._volumes = parameters.pop('volumes', [])
+ self._security_context = parameters.pop('securityContext', None)
 containers = parameters.pop('containers', None)
 if containers:
@@ -102,6 +107,7 @@ class KubernetesObject(object):
 self._add_containers()
 self._add_node_selector()
 self._add_volumes()
+ self._add_security_context()
 def get_template(self):
 return self.template
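Review bot: `get_container_item` copies `securityContext` into the container item exactly as it was read from the context definition, and the `if self._security_context:` test only filters out empty values, so a string or a list is written into the manifest and the mistake presumably surfaces only when the API server rejects it. A type check where the value is stored would fail earlier, for example `if self._security_context is not None and not isinstance(self._security_context, dict):` followed by raising the project's context-definition error. No field is filtered either, so settings such as `privileged` go through unchanged; the docstring should say that the dictionary is handed to Kubernetes verbatim. The same applies to `_add_security_context` in the last hunk, and `__init__` continues outside the first hunk.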
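Review bot: In `KubernetesObject.__init__`, `securityContext` is popped from `parameters` before the containers are built, so in the single-container form the value appears to reach only the pod spec; the code that builds the container from `parameters` is outside this hunk, so this is inferred. Pod-level and container-level security contexts accept different fields in Kubernetes (`fsGroup` is pod-only, `allowPrivilegeEscalation` is container-only), so a user of the short form cannot set container-only hardening fields there. A comment on the new line would make this explicit: `# Pod-level only; container-level fields must be set per item in "containers"`.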
@@ -153,6 +159,12 @@ class KubernetesObject(object): return {'name': name, type_name: type_data} + def _add_security_context(self): + if self._security_context: + utils.set_dict_value(self.template, + 'spec.template.spec.securityContext', + self._security_context) + class ServiceObject(object): |
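Review bot: `_add_security_context` has no docstring, unlike the neighbouring helpers visible in this diff (`_create_volume_mounts`, `get_container_item`). Suggested: `"""Set the pod-level "securityContext" in the template, if defined"""`. The docstring should also mention that an empty dictionary is treated as not defined, since the `if self._security_context:` guard skips it.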