Add option to run agent container as privileged (#1808)

* Add option to run agent container as privileged * fix test
metalbear-co · Aug 18, 2023 · e6d422e · e6d422e
1 parent a89700c
commit e6d422e
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 0 deletions.
diff --git a/changelog.d/1806.added.md b/changelog.d/1806.added.md
@@ -0,0 +1,2 @@
+Add option to run agent container as privileged - `"agent" : {"privileged": true}`
+Should help with Bottlerocket or other secured k8s environments.
diff --git a/mirrord-schema.json b/mirrord-schema.json
@@ -312,6 +312,14 @@
             "null"
           ]
         },
+        "privileged": {
+          "title": "agent.privileged {#agent-privileged}",
+          "description": "Run the mirror agent as privileged container. (Not applicable when using ephemeral) Defaults to `false`.\n\nMight be needed in strict environments such as Bottlerocket.",
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
         "startup_timeout": {
           "title": "agent.startup_timeout {#agent-startup_timeout}",
           "description": "Controls how long to wait for the agent to finish initialization.\n\nIf initialization takes longer than this value, mirrord exits.\n\nDefaults to `60`.",

diff --git a/mirrord/config/src/agent.rs b/mirrord/config/src/agent.rs
@@ -224,6 +224,15 @@ pub struct AgentConfig {
     #[config(default = true)]
     pub check_out_of_pods: bool,
 
+    /// ### agent.privileged {#agent-privileged}
+    ///
+    /// Run the mirror agent as privileged container. (Not applicable when using ephemeral)
+    /// Defaults to `false`.
+    ///
+    /// Might be needed in strict environments such as Bottlerocket.
+    #[config(default = false)]
+    pub privileged: bool,
+
     /// <!--${internal}-->
     /// Create an agent that returns an error after accepting the first client. For testing
     /// purposes. Only supported with job agents (not with ephemeral agents).

diff --git a/mirrord/config/src/lib.rs b/mirrord/config/src/lib.rs
@@ -626,6 +626,7 @@ mod tests {
             skip_processes: None,
             skip_build_tools: None,
             agent: Some(AgentFileConfig {
+                privileged: None,
                 log_level: Some("info".to_owned()),
                 namespace: Some("default".to_owned()),
                 image: Some("".to_owned()),

diff --git a/mirrord/kube/src/api/container.rs b/mirrord/kube/src/api/container.rs
@@ -278,6 +278,7 @@ impl ContainerApi for JobContainer {
                                 "securityContext": targeted.then(||
                                     json!({
                                         "runAsGroup": agent_gid,
+                                        "privileged": agent.privileged,
                                         "capabilities": {
                                             "add": get_capabilities(agent),
                                         }