From aa8580ce3274e3db4dbae666f55ced2a2d41ed14 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 25 Jan 2023 10:42:21 -0800
Subject: [PATCH] Add support for privileged containers
To allow users to run docker-in-docker style workloads on k8s and openshift clusters, add support for adding the privileged flag to containers created in k8s and openshift pods.
Change-Id: I349d61bf200d7fb6d1effe112f7505815b06e9a8
---
 doc/source/kubernetes.rst | 7 +++++++
 doc/source/openshift-pods.rst | 6 ++++++
 doc/source/openshift.rst | 8 ++++++++
 nodepool/driver/kubernetes/config.py | 2 ++
 nodepool/driver/kubernetes/provider.py | 5 +++++
 nodepool/driver/openshift/config.py | 2 ++
 nodepool/driver/openshift/provider.py | 5 +++++
 nodepool/driver/openshiftpods/config.py | 3 ++-
 nodepool/tests/fixtures/config_validate/good.yaml | 2 ++
 releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml | 4 ++++
 10 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml
diff --git a/doc/source/kubernetes.rst b/doc/source/kubernetes.rst
index 3f569841e..d70854bb5 100644
--- a/doc/source/kubernetes.rst
+++ b/doc/source/kubernetes.rst
@@ -262,3 +262,10 @@ Selecting the kubernetes driver adds the following options to the
 A map of key-value pairs to ensure the Kubernetes scheduler places the Pod on a node with specific node labels.
+ .. attr:: privileged
+ :type: bool
+
+ Only used by the
+ :value:`providers.[kubernetes].pools.labels.type.pod`
+ label type. Sets the `securityContext.privileged` flag on
+ the container. Normally left unset for the Kubernetes default.
diff --git a/doc/source/openshift-pods.rst b/doc/source/openshift-pods.rst
index 7168ee550..96ea78c5a 100644
--- a/doc/source/openshift-pods.rst
+++ b/doc/source/openshift-pods.rst
@@ -181,3 +181,9 @@ Selecting the openshift pods driver adds the following options to the
 A map of key-value pairs to ensure the OpenShift scheduler places the Pod on a node with specific node labels.
+
+ .. attr:: privileged
+ :type: bool
+
+ Sets the `securityContext.privileged` flag on the
+ container. Normally left unset for the OpenShift default.
diff --git a/doc/source/openshift.rst b/doc/source/openshift.rst
index 8494853c5..34ea028bf 100644
--- a/doc/source/openshift.rst
+++ b/doc/source/openshift.rst
@@ -225,3 +225,11 @@ Selecting the openshift driver adds the following options to the
 :value:`providers.[openshift].pools.labels.type.pod` label type; A map of key-value pairs to ensure the OpenShift scheduler places the Pod on a node with specific node labels.
+
+ .. attr:: privileged
+ :type: bool
+
+ Only used by the
+ :value:`providers.[openshift].pools.labels.type.pod`
+ label type. Sets the `securityContext.privileged` flag on
+ the container. Normally left unset for the OpenShift default.
diff --git a/nodepool/driver/kubernetes/config.py b/nodepool/driver/kubernetes/config.py
index d84160cb6..3cb71860c 100644
--- a/nodepool/driver/kubernetes/config.py
+++ b/nodepool/driver/kubernetes/config.py
@@ -56,6 +56,7 @@ class KubernetesPool(ConfigPool):
 pl.storage = label.get('storage', self.default_label_storage)
 pl.env = label.get('env', [])
 pl.node_selector = label.get('node-selector')
+ pl.privileged = label.get('privileged')
 pl.pool = self
 self.labels[pl.name] = pl
 full_config.labels[label['name']].pools.append(self)
@@ -102,6 +103,7 @@ class KubernetesProviderConfig(ProviderConfig):
 'storage': int,
 'env': [env_var],
 'node-selector': dict,
+ 'privileged': bool,
 }
 pool = ConfigPool.getCommonSchemaDict()
diff --git a/nodepool/driver/kubernetes/provider.py b/nodepool/driver/kubernetes/provider.py
index df5bdfc72..cd7ab348b 100644
--- a/nodepool/driver/kubernetes/provider.py
+++ b/nodepool/driver/kubernetes/provider.py
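Review bot: The new `'privileged': bool` entry in the KubernetesProviderConfig label schema accepts the key on every label, while the rst added in this commit says it is only honoured for the pod label type, so a `privileged: true` placed on a non-pod label is accepted by validation and then (as far as the hunks show) never read. Either reject it in the loader for labels that are not of type pod, or state the no-op explicitly in the docs. The same applies to the OpenshiftProviderConfig schema hunk in openshift/config.py. In the KubernetesPool loader hunk, `label.get('privileged')` leaves the attribute None when the key is absent, and the provider branches on `is not None`, so an explicit `privileged: false` is rendered into the pod spec rather than omitted; that tri-state is worth a comment at the assignment, e.g. `# None = unset; the provider only emits securityContext when a value was given`.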
@@ -330,6 +330,11 @@ class KubernetesProvider(Provider, QuotaSupport):
 if label.node_selector:
 spec_body['nodeSelector'] = label.node_selector
+ if label.privileged is not None:
+ container_body['securityContext'] = {
+ 'privileged': label.privileged,
+ }
+
 pod_body = {
 'apiVersion': 'v1',
 'kind': 'Pod',
diff --git a/nodepool/driver/openshift/config.py b/nodepool/driver/openshift/config.py
index 6d2584879..34b84c40e 100644
--- a/nodepool/driver/openshift/config.py
+++ b/nodepool/driver/openshift/config.py
@@ -52,6 +52,7 @@ class OpenshiftPool(ConfigPool):
 pl.shell_type = label.get('shell-type')
 pl.env = label.get('env', [])
 pl.node_selector = label.get('node-selector')
+ pl.privileged = label.get('privileged')
 pl.pool = self
 self.labels[pl.name] = pl
 full_config.labels[label['name']].pools.append(self)
@@ -99,6 +100,7 @@ class OpenshiftProviderConfig(ProviderConfig):
 'shell-type': str,
 'env': [env_var],
 'node-selector': dict,
+ 'privileged': bool,
 }
 pool = ConfigPool.getCommonSchemaDict()
diff --git a/nodepool/driver/openshift/provider.py b/nodepool/driver/openshift/provider.py
index 3894c5c81..3a894d882 100644
--- a/nodepool/driver/openshift/provider.py
+++ b/nodepool/driver/openshift/provider.py
@@ -239,6 +239,11 @@ class OpenshiftProvider(Provider, QuotaSupport):
 if label.node_selector:
 spec_body['nodeSelector'] = label.node_selector
+ if label.privileged is not None:
+ container_body['securityContext'] = {
+ 'privileged': label.privileged,
+ }
+
 pod_body = {
 'apiVersion': 'v1',
 'kind': 'Pod',
diff --git a/nodepool/driver/openshiftpods/config.py b/nodepool/driver/openshiftpods/config.py
index 2804abb33..2dfe4e59c 100644
--- a/nodepool/driver/openshiftpods/config.py
+++ b/nodepool/driver/openshiftpods/config.py
@@ -59,7 +59,8 @@ class OpenshiftPodsProviderConfig(OpenshiftProviderConfig):
 'python-path': str,
 'shell-type': str,
 'env': [env_var],
- 'node-selector': dict
+ 'node-selector': dict,
+ 'privileged': bool,
 }
 pool = ConfigPool.getCommonSchemaDict()
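Review bot: `container_body['securityContext'] = {...}` in the KubernetesProvider hunk assigns a fresh dict, so any securityContext fields that the enclosing function (which starts outside the hunk) may already have placed on `container_body` would be discarded; `container_body.setdefault('securityContext', {})['privileged'] = label.privileged` sets the flag without clobbering sibling keys. The identical lines are repeated in the OpenshiftProvider hunk in openshift/provider.py and should be changed the same way. Because a privileged container is effectively root on the node, an INFO-level log line at this point naming the pod and label (if the provider class has a logger, as the surrounding code likely does) would make such requests auditable, and a short comment here that the cluster's admission policy (Pod Security admission or OpenShift SCCs), not nodepool, is the enforcement point would help the next maintainer. The good.yaml fixture change only exercises schema validation; nothing in this commit asserts that the rendered pod spec actually carries `securityContext.privileged`, so a provider-level test is missing.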
diff --git a/nodepool/tests/fixtures/config_validate/good.yaml b/nodepool/tests/fixtures/config_validate/good.yaml
index 248a93ab0..daf7573ed 100644
--- a/nodepool/tests/fixtures/config_validate/good.yaml
+++ b/nodepool/tests/fixtures/config_validate/good.yaml
@@ -157,6 +157,7 @@ providers:
 value: world
 node-selector:
 storageType: ssd
+ privileged: true
 - name: openshift
 driver: openshift
@@ -179,6 +180,7 @@ providers:
 value: world
 node-selector:
 storageType: ssd
+ privileged: true
 - name: ec2-us-east-2
 driver: aws
diff --git a/releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml b/releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml
new file mode 100644
index 000000000..079747a0a
--- /dev/null
+++ b/releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Added support for privileged pods in Kubernetes and OpenShift drivers via :attr:`providers.[kubernetes].pools.labels.privileged`, :attr:`providers.[openshift].pools.labels.privileged`, and :attr:`providers.[openshiftpods].pools.labels.privileged`.