feat(plugins/k8s): add security_context option for on-demand runners pt2

.changelog/4346.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+plugins/k8s: Add `security_context` to the TaskLauncherConfig (on-demand runner configuration)
+```

builtin/k8s/platform.go

@@ -1529,6 +1529,7 @@ type Container struct {
 // PodSecurityContext describes the security config for the Pod
 type PodSecurityContext struct {
 	RunAsUser    *int64 `hcl:"run_as_user"`
+	RunAsGroup   *int64 `hcl:"run_as_group"`
 	RunAsNonRoot *bool  `hcl:"run_as_non_root"`
 	FsGroup      *int64 `hcl:"fs_group"`
 }

builtin/k8s/task.go

@@ -88,6 +88,9 @@ type TaskLauncherConfig struct {
 	// wordy because it's only for the WatchTask timing out waiting for the pod
 	// its watching to start up before it attempts to stream its logs.
 	WatchTaskStartupTimeoutSeconds int `hcl:"watchtask_startup_timeout_seconds,optional"`
+
+	// The PodSecurityContext to apply to the pod
+	SecurityContext *PodSecurityContext `hcl:"security_context,block"`
 }
 
 func (p *TaskLauncher) Documentation() (*docs.Documentation, error) {
@@ -379,6 +382,17 @@ func (p *TaskLauncher) StartTask(
 		}
 	}
 
+	var securityContext *corev1.PodSecurityContext = nil
+	podSc := p.config.SecurityContext
+	if podSc != nil {
+		securityContext = &corev1.PodSecurityContext{
+			RunAsUser:    podSc.RunAsUser,
+			RunAsGroup:   podSc.RunAsGroup,
+			RunAsNonRoot: podSc.RunAsNonRoot,
+			FSGroup:      podSc.FsGroup,
+		}
+	}
+
 	resourceRequirements := corev1.ResourceRequirements{
 		Limits:   resourceLimits,
 		Requests: resourceRequests,
@@ -428,6 +442,7 @@ func (p *TaskLauncher) StartTask(
 					Containers:         []corev1.Container{container},
 					ImagePullSecrets:   pullSecrets,
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
+					SecurityContext:    securityContext,
 				},
 			},
 		},

embedJson/gen/platform-kubernetes.json

@@ -632,6 +632,17 @@
                      "Category": false,
                      "SubFields": null
                   },
+                  {
+                     "Field": "run_as_group",
+                     "Type": "int64",
+                     "Synopsis": "",
+                     "Summary": "",
+                     "Optional": false,
+                     "Default": "",
+                     "EnvVar": "",
+                     "Category": false,
+                     "SubFields": null
+                  },
                   {
                      "Field": "run_as_non_root",
                      "Type": "bool",

embedJson/gen/task-kubernetes.json

@@ -129,6 +129,17 @@
          "EnvVar": "",
          "Category": false,
          "SubFields": null
+      },
+      {
+         "Field": "security_context",
+         "Type": "k8s.PodSecurityContext",
+         "Synopsis": "",
+         "Summary": "",
+         "Optional": false,
+         "Default": "",
+         "EnvVar": "",
+         "Category": false,
+         "SubFields": null
       }
    ],
    "type": "task",

website/content/partials/components/platform-kubernetes.mdx

@@ -204,6 +204,10 @@ A special supplemental group that applies to all containers in a pod.
 
 - Type: **int64**
 
+###### pod.security_context.run_as_group
+
+- Type: **int64**
+
 ###### pod.security_context.run_as_non_root
 
 Indicates that the container must run as a non-root user.

website/content/partials/components/task-kubernetes.mdx

@@ -40,6 +40,10 @@ Memory resource request to be added to the task container.
 
 - Type: **k8s.ResourceConfig**
 
+#### security_context
+
+- Type: **k8s.PodSecurityContext**
+
 ### Optional Parameters
 
 These parameters are used in the [`use` stanza](/waypoint/docs/waypoint-hcl/use) for this plugin.