add serviceAccount and runAsUser to kaniko build (resolves #3267)

GoogleContainerTools · Apr 16, 2020 · 43a5fad · 43a5fad
1 parent 3546d95
commit 43a5fad
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/pkg/skaffold/build/cluster/pod.go b/pkg/skaffold/build/cluster/pod.go
@@ -92,6 +92,19 @@ func (b *Builder) kanikoPodSpec(artifact *latest.KanikoArtifact, tag string) (*v
 		addSecretVolume(pod, constants.DefaultKanikoDockerConfigSecretName, constants.DefaultKanikoDockerConfigPath, b.ClusterDetails.DockerConfig.SecretName)
 	}
 
+	// Add Service Account
+	if b.ClusterDetails.ServiceAccountName != "" {
+		pod.Spec.ServiceAccountName = b.ClusterDetails.ServiceAccountName
+	}
+
+	// Add SecurityContext for runAsUser
+	if b.ClusterDetails.RunAsUser != nil {
+		if pod.Spec.SecurityContext == nil {
+			pod.Spec.SecurityContext = &v1.PodSecurityContext{}
+		}
+		pod.Spec.SecurityContext.RunAsUser = b.ClusterDetails.RunAsUser
+	}
+
 	// Add used-defines Volumes
 	pod.Spec.Volumes = append(pod.Spec.Volumes, b.Volumes...)
 

diff --git a/pkg/skaffold/build/cluster/pod_test.go b/pkg/skaffold/build/cluster/pod_test.go
@@ -180,13 +180,16 @@ func TestKanikoPodSpec(t *testing.T) {
 		},
 	}
 
+	var runAsUser int64 = 0
 	builder := &Builder{
 		ClusterDetails: &latest.ClusterDetails{
 			Namespace:           "ns",
 			PullSecretName:      "secret",
 			PullSecretMountPath: "/secret",
 			HTTPProxy:           "http://proxy",
 			HTTPSProxy:          "https://proxy",
+			ServiceAccountName:  "aVerySpecialSA",
+			RunAsUser:           &runAsUser,
 			Resources: &latest.ResourceRequirements{
 				Requests: &latest.ResourceRequirement{
 					CPU: "0.1",
@@ -305,6 +308,10 @@ func TestKanikoPodSpec(t *testing.T) {
 					},
 				},
 			}},
+			ServiceAccountName: "aVerySpecialSA",
+			SecurityContext: &v1.PodSecurityContext{
+				RunAsUser: &runAsUser,
+			},
 			RestartPolicy: v1.RestartPolicyNever,
 			Volumes: []v1.Volume{
 				{

diff --git a/pkg/skaffold/schema/latest/config.go b/pkg/skaffold/schema/latest/config.go
@@ -298,6 +298,15 @@ type ClusterDetails struct {
 	// DockerConfig describes how to mount the local Docker configuration into a pod.
 	DockerConfig *DockerConfig `yaml:"dockerConfig,omitempty"`
 
+	// ServiceAccountName describes the Kubernetes service account to use for the pod.
+	// Defaults to 'default'
+	ServiceAccountName string `yaml:"serviceAccount,omitempty"`
+
+	// RunAsUser defines the UID to request for running the container.
+	// If ommitted, no SeurityContext will be specified for the pod and will therefore be inherited
+	// from the service account
+	RunAsUser *int64 `yaml:"runAsUser,omitempty"`
+
 	// Resources define the resource requirements for the kaniko pod.
 	Resources *ResourceRequirements `yaml:"resources,omitempty"`