Merge "Add support for privileged containers"

2023-01-31 00:09:06 +00:00 · 2023-01-31 00:09:06 +00:00 · f399292401
commit f399292401
parent f9c670f2db aa8580ce32
10 changed files with 43 additions and 1 deletions
--- a/doc/source/kubernetes.rst
+++ b/doc/source/kubernetes.rst
@ -262,3 +262,10 @@ Selecting the kubernetes driver adds the following options to the
            A map of key-value pairs to ensure the Kubernetes scheduler
            places the Pod on a node with specific node labels.

+         .. attr:: privileged
+            :type: bool
+
+            Only used by the
+            :value:`providers.[kubernetes].pools.labels.type.pod`
+            label type.  Sets the `securityContext.privileged` flag on
+            the container.  Normally left unset for the Kubernetes default.
--- a/doc/source/openshift-pods.rst
+++ b/doc/source/openshift-pods.rst
@ -181,3 +181,9 @@ Selecting the openshift pods driver adds the following options to the

            A map of key-value pairs to ensure the OpenShift scheduler
            places the Pod on a node with specific node labels.
+
+         .. attr:: privileged
+            :type: bool
+
+            Sets the `securityContext.privileged` flag on the
+            container.  Normally left unset for the OpenShift default.
--- a/doc/source/openshift.rst
+++ b/doc/source/openshift.rst
@ -225,3 +225,11 @@ Selecting the openshift driver adds the following options to the
            :value:`providers.[openshift].pools.labels.type.pod` label type;
            A map of key-value pairs to ensure the OpenShift scheduler
            places the Pod on a node with specific node labels.
+
+         .. attr:: privileged
+            :type: bool
+
+            Only used by the
+            :value:`providers.[openshift].pools.labels.type.pod`
+            label type.  Sets the `securityContext.privileged` flag on
+            the container.  Normally left unset for the OpenShift default.
--- a/nodepool/driver/kubernetes/config.py
+++ b/nodepool/driver/kubernetes/config.py
@ -56,6 +56,7 @@ class KubernetesPool(ConfigPool):
            pl.storage = label.get('storage', self.default_label_storage)
            pl.env = label.get('env', [])
            pl.node_selector = label.get('node-selector')
+            pl.privileged = label.get('privileged')
            pl.pool = self
            self.labels[pl.name] = pl
            full_config.labels[label['name']].pools.append(self)
@ -102,6 +103,7 @@ class KubernetesProviderConfig(ProviderConfig):
            'storage': int,
            'env': [env_var],
            'node-selector': dict,
+            'privileged': bool,
        }

        pool = ConfigPool.getCommonSchemaDict()
--- a/nodepool/driver/kubernetes/provider.py
+++ b/nodepool/driver/kubernetes/provider.py
@ -330,6 +330,11 @@ class KubernetesProvider(Provider, QuotaSupport):
        if label.node_selector:
            spec_body['nodeSelector'] = label.node_selector

+        if label.privileged is not None:
+            container_body['securityContext'] = {
+                'privileged': label.privileged,
+            }
+
        pod_body = {
            'apiVersion': 'v1',
            'kind': 'Pod',
--- a/nodepool/driver/openshift/config.py
+++ b/nodepool/driver/openshift/config.py
@ -52,6 +52,7 @@ class OpenshiftPool(ConfigPool):
            pl.shell_type = label.get('shell-type')
            pl.env = label.get('env', [])
            pl.node_selector = label.get('node-selector')
+            pl.privileged = label.get('privileged')
            pl.pool = self
            self.labels[pl.name] = pl
            full_config.labels[label['name']].pools.append(self)
@ -99,6 +100,7 @@ class OpenshiftProviderConfig(ProviderConfig):
            'shell-type': str,
            'env': [env_var],
            'node-selector': dict,
+            'privileged': bool,
        }

        pool = ConfigPool.getCommonSchemaDict()
--- a/nodepool/driver/openshift/provider.py
+++ b/nodepool/driver/openshift/provider.py
@ -239,6 +239,11 @@ class OpenshiftProvider(Provider, QuotaSupport):
        if label.node_selector:
            spec_body['nodeSelector'] = label.node_selector

+        if label.privileged is not None:
+            container_body['securityContext'] = {
+                'privileged': label.privileged,
+            }
+
        pod_body = {
            'apiVersion': 'v1',
            'kind': 'Pod',
--- a/nodepool/driver/openshiftpods/config.py
+++ b/nodepool/driver/openshiftpods/config.py
@ -59,7 +59,8 @@ class OpenshiftPodsProviderConfig(OpenshiftProviderConfig):
            'python-path': str,
            'shell-type': str,
            'env': [env_var],
-            'node-selector': dict
+            'node-selector': dict,
+            'privileged': bool,
        }

        pool = ConfigPool.getCommonSchemaDict()
--- a/nodepool/tests/fixtures/config_validate/good.yaml
+++ b/nodepool/tests/fixtures/config_validate/good.yaml
@ -157,6 +157,7 @@ providers:
                value: world
            node-selector:
              storageType: ssd
+            privileged: true

  - name: openshift
    driver: openshift
@ -179,6 +180,7 @@ providers:
                value: world
            node-selector:
              storageType: ssd
+            privileged: true

  - name: ec2-us-east-2
    driver: aws
--- a/releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml
+++ b/releasenotes/notes/privileged-pods-0796d27a24b1a549.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Added support for privileged pods in Kubernetes and OpenShift drivers via :attr:`providers.[kubernetes].pools.labels.privileged`, :attr:`providers.[openshift].pools.labels.privileged`, and :attr:`providers.[openshiftpods].pools.labels.privileged`.