Add SecurityContext to Pipeline/TaskRunSpec

dicarlo2 · dicarlo2 · commit 99a02b863850 · 2019-05-22T07:45:36.000-07:00
diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -51,6 +51,9 @@ following fields:
   - [`affinity`] - The pod's scheduling constraints. More info:
 
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common
+    container settings. Defaults to empty. See type description for default
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
diff --git a/docs/taskruns.md b/docs/taskruns.md
@@ -60,6 +60,9 @@ following fields:
     <https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/>
   - [`affinity`] - the pod's scheduling constraints. More info:
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common 
+    container settings. Defaults to empty. See type description for default 
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
diff --git a/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go b/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go
@@ -68,6 +68,10 @@ type PipelineRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // PipelineRunSpecStatus defines the pipelinerun spec status the user can provide
diff --git a/pkg/apis/pipeline/v1alpha1/taskrun_types.go b/pkg/apis/pipeline/v1alpha1/taskrun_types.go
@@ -64,6 +64,10 @@ type TaskRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // TaskRunSpecStatus defines the taskrun spec status the user can provide
diff --git a/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go b/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go
@@ -481,11 +481,12 @@ func (c *Reconciler) createTaskRun(logger *zap.SugaredLogger, rprt *resources.Re
 			Inputs: v1alpha1.TaskRunInputs{
 				Params: rprt.PipelineTask.Params,
 			},
-			ServiceAccount: pr.Spec.ServiceAccount,
-			Timeout:        taskRunTimeout,
-			NodeSelector:   pr.Spec.NodeSelector,
-			Tolerations:    pr.Spec.Tolerations,
-			Affinity:       pr.Spec.Affinity,
+			ServiceAccount:  pr.Spec.ServiceAccount,
+			Timeout:         taskRunTimeout,
+			NodeSelector:    pr.Spec.NodeSelector,
+			Tolerations:     pr.Spec.Tolerations,
+			Affinity:        pr.Spec.Affinity,
+			SecurityContext: pr.Spec.SecurityContext,
 		}}
 
 	resources.WrapSteps(&tr.Spec, rprt.PipelineTask, rprt.ResolvedTaskResources.Inputs, rprt.ResolvedTaskResources.Outputs, storageBasePath)
diff --git a/pkg/reconciler/v1alpha1/taskrun/resources/pod.go b/pkg/reconciler/v1alpha1/taskrun/resources/pod.go
@@ -341,6 +341,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k
 			NodeSelector:       taskRun.Spec.NodeSelector,
 			Tolerations:        taskRun.Spec.Tolerations,
 			Affinity:           taskRun.Spec.Affinity,
+			SecurityContext:    taskRun.Spec.SecurityContext,
 		},
 	}, nil
 }
diff --git a/test/builder/pipeline.go b/test/builder/pipeline.go
@@ -338,6 +338,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {
 	}
 }
 
+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.
+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {
+	return func(prs *v1alpha1.PipelineRunSpec) {
+		prs.SecurityContext = securityContext
+	}
+}
+
 // PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.
 // Any number of PipelineRunStatus modifier can be passed to transform it.
 func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {
diff --git a/test/builder/task.go b/test/builder/task.go
@@ -355,6 +355,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {
 	}
 }
 
+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.
+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {
+	return func(spec *v1alpha1.TaskRunSpec) {
+		spec.SecurityContext = securityContext
+	}
+}
+
 // StateTerminated set Terminated to the StepState.
 func StateTerminated(exitcode int) StepStateOp {
 	return func(s *v1alpha1.StepState) {

Original file line number	Diff line number	Diff line change
`@@ -341,6 +341,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k`
`341`	`341`	`NodeSelector: taskRun.Spec.NodeSelector,`
`342`	`342`	`Tolerations: taskRun.Spec.Tolerations,`
`343`	`343`	`Affinity: taskRun.Spec.Affinity,`
	`344`	`+ SecurityContext: taskRun.Spec.SecurityContext,`
`344`	`345`	`},`
`345`	`346`	`}, nil`
`346`	`347`	`}`
Original file line number	Diff line number	Diff line change
`@@ -338,6 +338,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {`
`338`	`338`	`}`
`339`	`339`	`}`
`340`	`340`
	`341`	`+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.`
	`342`	`+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {`
	`343`	`+ return func(prs *v1alpha1.PipelineRunSpec) {`
	`344`	`+ prs.SecurityContext = securityContext`
	`345`	`+ }`
	`346`	`+}`
	`347`	`+`
`341`	`348`	`// PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.`
`342`	`349`	`// Any number of PipelineRunStatus modifier can be passed to transform it.`
`343`	`350`	`func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {`
Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {`
`355`	`355`	`}`
`356`	`356`	`}`
`357`	`357`
	`358`	`+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.`
	`359`	`+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {`
	`360`	`+ return func(spec *v1alpha1.TaskRunSpec) {`
	`361`	`+ spec.SecurityContext = securityContext`
	`362`	`+ }`
	`363`	`+}`
	`364`	`+`
`358`	`365`	`// StateTerminated set Terminated to the StepState.`
`359`	`366`	`func StateTerminated(exitcode int) StepStateOp {`
`360`	`367`	`return func(s *v1alpha1.StepState) {`