Improve K8s securityContext support [ci fast]

This commit adds the support for custom devices and adding/removing capabilities to K8s secutiry context Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
nextflow-io · Feb 5, 2023 · 3f76240 · 3f76240
1 parent bb76dae
commit 3f76240
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 1 deletion.
diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSpecBuilder.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/model/PodSpecBuilder.groovy
@@ -113,6 +113,10 @@ class PodSpecBuilder {
 
     int activeDeadlineSeconds
 
+    Map<String,List<String>> capabilities
+
+    List<String> devices
+
     /**
      * @return A sequential volume unique identifier
      */
@@ -295,6 +299,19 @@ class PodSpecBuilder {
         return this
     }
 
+    PodSpecBuilder withCapabilities(Map<String,List<String>> cap) {
+        this.capabilities = cap
+        for( String it : cap.keySet() ) {
+            if( it !in ['add','drop']) throw new IllegalArgumentException("K8s capability action can be either 'add' or 'drop' - offending value '$it'")
+        }
+        return this
+    }
+
+    PodSpecBuilder withDevices(List<String> dev) {
+        this.devices = dev
+        return this
+    }
+
     PodSpecBuilder withActiveDeadline(int seconds) {
         this.activeDeadlineSeconds = seconds
         return this
@@ -394,10 +411,20 @@ class PodSpecBuilder {
         if( imagePullPolicy )
             container.imagePullPolicy = imagePullPolicy
 
+        if( devices )
+            container.devices = devices
+
+        final secContext = new LinkedHashMap(10)
         if( privileged ) {
             // note: privileged flag needs to be defined in the *container* securityContext
             // not the 'spec' securityContext (see below)
-            container.securityContext = [ privileged: true ]
+            secContext.privileged =true
+        }
+        if( capabilities ) {
+            secContext.capabilities = capabilities
+        }
+        if( secContext ) {
+            container.securityContext = secContext
         }
 
         final spec = [

diff --git a/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodSpecBuilderTest.groovy b/modules/nextflow/src/test/groovy/nextflow/k8s/model/PodSpecBuilderTest.groovy
@@ -143,6 +143,36 @@ class PodSpecBuilderTest extends Specification {
 
     }
 
+    def 'should create pod spec with device and capabilities' () {
+
+        when:
+        def spec = new PodSpecBuilder()
+                .withPodName('foo')
+                .withImageName('busybox')
+                .withCommand('echo foo')
+                .withDevices(['/dev/fuse'])
+                .withCapabilities(add:['SYS_ADMIN'])
+                .build()
+
+        then:
+        spec ==  [ apiVersion: 'v1',
+                   kind: 'Pod',
+                   metadata: [name:'foo', namespace:'default'],
+                   spec: [
+                           restartPolicy:'Never',
+                           containers:[
+                                   [name:'foo',
+                                    image:'busybox',
+                                    command:['/bin/bash', '-c', 'echo foo'],
+                                    devices: ['/dev/fuse'],
+                                    securityContext: [capabilities: [add:['SYS_ADMIN']]]
+                                   ]
+                           ]
+                   ]
+        ]
+
+    }
+
     def 'should set namespace, labels and annotations' () {
 
         when: