Add SecurityContext to Pipeline/TaskRunSpec

dicarlo2 · dicarlo2 · commit b691739d9878 · 2019-05-03T16:16:27.000-07:00
diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -52,6 +52,9 @@ following fields:
   - [`affinity`] - The pod's scheduling constraints. More info:
 
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common
+    container settings. Defaults to empty. See type description for default
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
diff --git a/docs/taskruns.md b/docs/taskruns.md
@@ -59,6 +59,9 @@ following fields:
     <https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/>
   - [`affinity`] - the pod's scheduling constraints. More info:
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common 
+    container settings. Defaults to empty. See type description for default 
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
diff --git a/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go b/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go
@@ -69,6 +69,10 @@ type PipelineRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // PipelineRunSpecStatus defines the pipelinerun spec status the user can provide
diff --git a/pkg/apis/pipeline/v1alpha1/taskrun_types.go b/pkg/apis/pipeline/v1alpha1/taskrun_types.go
@@ -65,6 +65,10 @@ type TaskRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // TaskRunSpecStatus defines the taskrun spec status the user can provide
diff --git a/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go b/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go
@@ -452,11 +452,12 @@ func (c *Reconciler) createTaskRun(logger *zap.SugaredLogger, rprt *resources.Re
 			Inputs: v1alpha1.TaskRunInputs{
 				Params: rprt.PipelineTask.Params,
 			},
-			ServiceAccount: pr.Spec.ServiceAccount,
-			Timeout:        taskRunTimeout,
-			NodeSelector:   pr.Spec.NodeSelector,
-			Tolerations:    pr.Spec.Tolerations,
-			Affinity:       pr.Spec.Affinity,
+			ServiceAccount:  pr.Spec.ServiceAccount,
+			Timeout:         taskRunTimeout,
+			NodeSelector:    pr.Spec.NodeSelector,
+			Tolerations:     pr.Spec.Tolerations,
+			Affinity:        pr.Spec.Affinity,
+			SecurityContext: pr.Spec.SecurityContext,
 		}}
 
 	resources.WrapSteps(&tr.Spec, rprt.PipelineTask, rprt.ResolvedTaskResources.Inputs, rprt.ResolvedTaskResources.Outputs, storageBasePath)
diff --git a/pkg/reconciler/v1alpha1/taskrun/resources/pod.go b/pkg/reconciler/v1alpha1/taskrun/resources/pod.go
@@ -286,6 +286,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k
 			NodeSelector:       taskRun.Spec.NodeSelector,
 			Tolerations:        taskRun.Spec.Tolerations,
 			Affinity:           taskRun.Spec.Affinity,
+			SecurityContext:    taskRun.Spec.SecurityContext,
 		},
 	}, nil
 }
diff --git a/test/builder/pipeline.go b/test/builder/pipeline.go
@@ -329,6 +329,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {
 	}
 }
 
+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.
+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {
+	return func(prs *v1alpha1.PipelineRunSpec) {
+		prs.SecurityContext = securityContext
+	}
+}
+
 // PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.
 // Any number of PipelineRunStatus modifier can be passed to transform it.
 func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {
diff --git a/test/builder/task.go b/test/builder/task.go
@@ -349,6 +349,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {
 	}
 }
 
+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.
+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {
+	return func(spec *v1alpha1.TaskRunSpec) {
+		spec.SecurityContext = securityContext
+	}
+}
+
 // StateTerminated set Terminated to the StepState.
 func StateTerminated(exitcode int) StepStateOp {
 	return func(s *v1alpha1.StepState) {

Original file line number	Diff line number	Diff line change
`@@ -286,6 +286,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k`
`286`	`286`	`NodeSelector: taskRun.Spec.NodeSelector,`
`287`	`287`	`Tolerations: taskRun.Spec.Tolerations,`
`288`	`288`	`Affinity: taskRun.Spec.Affinity,`
	`289`	`+ SecurityContext: taskRun.Spec.SecurityContext,`
`289`	`290`	`},`
`290`	`291`	`}, nil`
`291`	`292`	`}`
Original file line number	Diff line number	Diff line change
`@@ -329,6 +329,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {`
`329`	`329`	`}`
`330`	`330`	`}`
`331`	`331`
	`332`	`+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.`
	`333`	`+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {`
	`334`	`+ return func(prs *v1alpha1.PipelineRunSpec) {`
	`335`	`+ prs.SecurityContext = securityContext`
	`336`	`+ }`
	`337`	`+}`
	`338`	`+`
`332`	`339`	`// PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.`
`333`	`340`	`// Any number of PipelineRunStatus modifier can be passed to transform it.`
`334`	`341`	`func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {`
Original file line number	Diff line number	Diff line change
`@@ -349,6 +349,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {`
`349`	`349`	`}`
`350`	`350`	`}`
`351`	`351`
	`352`	`+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.`
	`353`	`+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {`
	`354`	`+ return func(spec *v1alpha1.TaskRunSpec) {`
	`355`	`+ spec.SecurityContext = securityContext`
	`356`	`+ }`
	`357`	`+}`
	`358`	`+`
`352`	`359`	`// StateTerminated set Terminated to the StepState.`
`353`	`360`	`func StateTerminated(exitcode int) StepStateOp {`
`354`	`361`	`return func(s *v1alpha1.StepState) {`