Add SecurityContext to Pipeline/TaskRunSpec

dicarlo2 · dicarlo2 · commit 0c55290532c8 · 2019-04-03T18:43:48.000-07:00
diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -49,6 +49,9 @@ following fields:
   - [`affinity`] - The pod's scheduling constraints. More info:
 
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common
+    container settings. Defaults to empty. See type description for default
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
diff --git a/docs/taskruns.md b/docs/taskruns.md
@@ -56,6 +56,9 @@ following fields:
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/>
   - [`affinity`] - the pod's scheduling constraints. More info:
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common 
+    container settings. Defaults to empty. See type description for default 
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
diff --git a/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go b/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go
@@ -65,6 +65,10 @@ type PipelineRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // PipelineRunSpecStatus defines the pipelinerun spec status the user can provide
diff --git a/pkg/apis/pipeline/v1alpha1/taskrun_types.go b/pkg/apis/pipeline/v1alpha1/taskrun_types.go
@@ -62,6 +62,10 @@ type TaskRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // TaskRunSpecStatus defines the taskrun spec status the user can provide
diff --git a/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go b/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go
@@ -435,10 +435,11 @@ func (c *Reconciler) createTaskRun(logger *zap.SugaredLogger, rprt *resources.Re
 			Inputs: v1alpha1.TaskRunInputs{
 				Params: rprt.PipelineTask.Params,
 			},
-			ServiceAccount: pr.Spec.ServiceAccount,
-			Timeout:        taskRunTimeout,
-			NodeSelector:   pr.Spec.NodeSelector,
-			Affinity:       pr.Spec.Affinity,
+			ServiceAccount:  pr.Spec.ServiceAccount,
+			Timeout:         taskRunTimeout,
+			NodeSelector:    pr.Spec.NodeSelector,
+			Affinity:        pr.Spec.Affinity,
+			SecurityContext: pr.Spec.SecurityContext,
 		}}
 
 	resources.WrapSteps(&tr.Spec, rprt.PipelineTask, rprt.ResolvedTaskResources.Inputs, rprt.ResolvedTaskResources.Outputs, storageBasePath)
diff --git a/pkg/reconciler/v1alpha1/taskrun/resources/pod.go b/pkg/reconciler/v1alpha1/taskrun/resources/pod.go
@@ -248,6 +248,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k
 			Volumes:            volumes,
 			NodeSelector:       taskRun.Spec.NodeSelector,
 			Affinity:           taskRun.Spec.Affinity,
+			SecurityContext:    taskRun.Spec.SecurityContext,
 		},
 	}, nil
 }
diff --git a/test/builder/pipeline.go b/test/builder/pipeline.go
@@ -322,6 +322,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {
 	}
 }
 
+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.
+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {
+	return func(prs *v1alpha1.PipelineRunSpec) {
+		prs.SecurityContext = securityContext
+	}
+}
+
 // PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.
 // Any number of PipelineRunStatus modifier can be passed to transform it.
 func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {
diff --git a/test/builder/task.go b/test/builder/task.go
@@ -330,6 +330,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {
 	}
 }
 
+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.
+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {
+	return func(spec *v1alpha1.TaskRunSpec) {
+		spec.SecurityContext = securityContext
+	}
+}
+
 // StateTerminated set Terminated to the StepState.
 func StateTerminated(exitcode int) StepStateOp {
 	return func(s *v1alpha1.StepState) {

Original file line number	Diff line number	Diff line change
`@@ -248,6 +248,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k`
`248`	`248`	`Volumes: volumes,`
`249`	`249`	`NodeSelector: taskRun.Spec.NodeSelector,`
`250`	`250`	`Affinity: taskRun.Spec.Affinity,`
	`251`	`+ SecurityContext: taskRun.Spec.SecurityContext,`
`251`	`252`	`},`
`252`	`253`	`}, nil`
`253`	`254`	`}`
Original file line number	Diff line number	Diff line change
`@@ -322,6 +322,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {`
`322`	`322`	`}`
`323`	`323`	`}`
`324`	`324`
	`325`	`+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.`
	`326`	`+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {`
	`327`	`+ return func(prs *v1alpha1.PipelineRunSpec) {`
	`328`	`+ prs.SecurityContext = securityContext`
	`329`	`+ }`
	`330`	`+}`
	`331`	`+`
`325`	`332`	`// PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.`
`326`	`333`	`// Any number of PipelineRunStatus modifier can be passed to transform it.`
`327`	`334`	`func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {`
Original file line number	Diff line number	Diff line change
`@@ -330,6 +330,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {`
`330`	`330`	`}`
`331`	`331`	`}`
`332`	`332`
	`333`	`+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.`
	`334`	`+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {`
	`335`	`+ return func(spec *v1alpha1.TaskRunSpec) {`
	`336`	`+ spec.SecurityContext = securityContext`
	`337`	`+ }`
	`338`	`+}`
	`339`	`+`
`333`	`340`	`// StateTerminated set Terminated to the StepState.`
`334`	`341`	`func StateTerminated(exitcode int) StepStateOp {`
`335`	`342`	`return func(s *v1alpha1.StepState) {`