krb5: set security context on pod level
alintulu committed Jul 1, 2020
1 parent 18852b4 commit 04042bf
Showing 1 changed file with 6 additions and 7 deletions.
13 changes: 6 additions & 7 deletions reana_job_controller/kubernetes_job_manager.py
Expand Up @@ -151,10 +151,6 @@ def execute(self):
secrets_volume_mount = secrets_store.get_secrets_volume_mount_as_k8s_spec()
job_spec["containers"][0]["volumeMounts"].append(secrets_volume_mount)

job_spec["containers"][0]["securityContext"] = client.V1PodSecurityContext(
run_as_group=WORKFLOW_RUNTIME_USER_GID, run_as_user=self.kubernetes_uid
)

if self.env_vars:
for var, value in self.env_vars.items():
job_spec["containers"][0]["env"].append({"name": var, "value": value})
Expand Down Expand Up @@ -184,6 +180,12 @@ def execute(self):
)
job_spec["volumes"].append(volume)

self.job["spec"]["template"]["spec"][
"securityContext"
] = client.V1PodSecurityContext(
run_as_group=WORKFLOW_RUNTIME_USER_GID, run_as_user=self.kubernetes_uid
)

if self.kerberos:
self._add_krb5_init_container(secrets_volume_mount)

Expand Down Expand Up @@ -311,9 +313,6 @@ def _add_krb5_init_container(self, secrets_volume_mount):
"name": current_app.config["KRB5_CONTAINER_NAME"],
"imagePullPolicy": "IfNotPresent",
"volumeMounts": [secrets_volume_mount] + volume_mounts,
"security_context": client.V1PodSecurityContext(
run_as_group=WORKFLOW_RUNTIME_USER_GID, run_as_user=self.kubernetes_uid
),
}

self.job["spec"]["template"]["spec"]["volumes"].extend(
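Review bot: The new pod-level `client.V1PodSecurityContext(...)` in `execute` pins only `run_as_user` and `run_as_group`, so nothing prevents the job container and the krb5 init container from starting as root if `self.kubernetes_uid` is unset or 0; where that value comes from and how it is validated is not visible in these hunks. Passing `run_as_non_root=True` alongside the two existing arguments would make the kubelet refuse to start a container as UID 0 instead of silently falling back to the image's default user. Container-only settings cannot be expressed in the pod-level object, so if `allow_privilege_escalation=False` is wanted on the containers that mount the secrets volume, it belongs in a `client.V1SecurityContext` on each container. Both `execute` and `_add_krb5_init_container` continue outside the hunks shown.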
