From e44ed2c3b34e91430e0e3f96ea423faca4208592 Mon Sep 17 00:00:00 2001 From: Pasquale Congiusti Date: Mon, 6 May 2024 16:44:02 +0200 Subject: [PATCH] feat(trait): Pod security context Added a trait to set default Pod security context or let the user customize Closes #5287 --- docs/modules/ROOT/nav.adoc | 1 + .../ROOT/partials/apis/camel-k-crds.adoc | 68 ++++- docs/modules/traits/pages/container.adoc | 24 ++ .../traits/pages/security-context.adoc | 46 ++++ .../crds/crd-integration-platform.yaml | 96 ++++++- .../camel-k/crds/crd-integration-profile.yaml | 96 ++++++- helm/camel-k/crds/crd-integration.yaml | 48 +++- helm/camel-k/crds/crd-kamelet-binding.yaml | 47 +++- helm/camel-k/crds/crd-pipe.yaml | 47 +++- pkg/apis/camel/v1/common_types.go | 2 + pkg/apis/camel/v1/trait/container.go | 12 +- pkg/apis/camel/v1/trait/security_context.go | 34 +++ .../camel/v1/trait/zz_generated.deepcopy.go | 26 ++ pkg/apis/camel/v1/zz_generated.deepcopy.go | 5 + .../applyconfiguration/camel/v1/traits.go | 89 +++--- ...camel.apache.org_integrationplatforms.yaml | 96 ++++++- .../camel.apache.org_integrationprofiles.yaml | 96 ++++++- .../bases/camel.apache.org_integrations.yaml | 48 +++- .../camel.apache.org_kameletbindings.yaml | 47 +++- .../crd/bases/camel.apache.org_pipes.yaml | 47 +++- pkg/trait/container.go | 16 +- pkg/trait/container_test.go | 14 +- pkg/trait/security_context.go | 98 +++++++ pkg/trait/security_context_test.go | 254 ++++++++++++++++++ pkg/trait/trait_register.go | 1 + pkg/trait/trait_test.go | 4 +- 26 files changed, 1194 insertions(+), 168 deletions(-) create mode 100644 docs/modules/traits/pages/security-context.adoc create mode 100644 pkg/apis/camel/v1/trait/security_context.go create mode 100644 pkg/trait/security_context.go create mode 100644 pkg/trait/security_context_test.go diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc index b5d52e5bb5..b8441accbb 100644 --- a/docs/modules/ROOT/nav.adoc +++ b/docs/modules/ROOT/nav.adoc 
@@ -87,6 +87,7 @@ ** xref:traits:registry.adoc[Registry] ** xref:traits:resume.adoc[Resume] ** xref:traits:route.adoc[Route] +** xref:traits:security-context.adoc[Security Context] ** xref:traits:service-binding.adoc[Service Binding] ** xref:traits:service.adoc[Service] ** xref:traits:telemetry.adoc[Telemetry] diff --git a/docs/modules/ROOT/partials/apis/camel-k-crds.adoc b/docs/modules/ROOT/partials/apis/camel-k-crds.adoc index f3bc3405af..feae8d09d3 100644 --- a/docs/modules/ROOT/partials/apis/camel-k-crds.adoc +++ b/docs/modules/ROOT/partials/apis/camel-k-crds.adoc @@ -5948,6 +5948,13 @@ Deprecated: use jvm trait or read documentation. The configuration of Route trait +|`security-context` + +*xref:#_camel_apache_org_v1_trait_SecurityContextTrait[SecurityContextTrait]* +| + + +The configuration of Security Context trait + |`service` + *xref:#_camel_apache_org_v1_trait_ServiceTrait[ServiceTrait]* | 
@@ -6539,47 +6546,47 @@ Integration `.spec.integrationKit` parameter. If you're moving the Integration a The pull policy: Always{vbar}Never{vbar}IfNotPresent -|`uid` + +|`runAsUser` + int64 | -Security Context RunAsUser configuration: this value is automatically retrieved in Openshift clusters when not explicitly set. +Security Context RunAsUser configuration (default none): this value is automatically retrieved in Openshift clusters when not explicitly set. |`runAsNonRoot` + bool | -Security Context RunAsNonRoot configuration +Security Context RunAsNonRoot configuration (default false). |`seccompProfileType` + *https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#seccompprofiletype-v1-core[Kubernetes core/v1.SeccompProfileType]* | -Security Context SeccompProfileType configuration +Security Context SeccompProfileType configuration (default RuntimeDefault). |`allowPrivilegeEscalation` + bool | -Security Context AllowPrivilegeEscalation configuration +Security Context AllowPrivilegeEscalation configuration (default false). |`capabilitiesDrop` + *https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#capability-v1-core[[\]Kubernetes core/v1.Capability]* | -Security Context Capabilities Drop configuration +Security Context Capabilities Drop configuration (default ALL). |`capabilitiesAdd` + *https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#capability-v1-core[[\]Kubernetes core/v1.Capability]* | -Security Context Capabilities Add configuration +Security Context Capabilities Add configuration (default none). |=== 
@@ -7960,6 +7967,7 @@ Only one of `max-unavailable` and `min-available` can be specified. * <<#_camel_apache_org_v1_trait_OpenAPITrait, OpenAPITrait>> * <<#_camel_apache_org_v1_trait_PlatformTrait, PlatformTrait>> * <<#_camel_apache_org_v1_trait_QuarkusTrait, QuarkusTrait>> +* <<#_camel_apache_org_v1_trait_SecurityContextTrait, SecurityContextTrait>> PlatformBaseTrait is the base type for platform traits. It cannot be disabled by the user. @@ -8446,6 +8454,52 @@ To configure how to deal with insecure traffic, e.g. `Allow`, `Disable` or `Redi Refer to the OpenShift route documentation for additional information. +|=== + +[#_camel_apache_org_v1_trait_SecurityContextTrait] +=== SecurityContextTrait + +*Appears on:* + +* <<#_camel_apache_org_v1_Traits, Traits>> + +The Security Context trait can be used to configure the security setting of the Pod running the application. + + +[cols="2,2a",options="header"] +|=== +|Field +|Description + +|`PlatformBaseTrait` + +*xref:#_camel_apache_org_v1_trait_PlatformBaseTrait[PlatformBaseTrait]* +|(Members of `PlatformBaseTrait` are embedded into this type.) + + + + +|`runAsUser` + +int64 +| + + +Security Context RunAsUser configuration (default none): this value is automatically retrieved in Openshift clusters when not explicitly set. + +|`runAsNonRoot` + +bool +| + + +Security Context RunAsNonRoot configuration (default false). + +|`seccompProfileType` + +*https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#seccompprofiletype-v1-core[Kubernetes core/v1.SeccompProfileType]* +| + + +Security Context SeccompProfileType configuration (default RuntimeDefault). + + |=== [#_camel_apache_org_v1_trait_ServiceBindingTrait] diff --git a/docs/modules/traits/pages/container.adoc b/docs/modules/traits/pages/container.adoc index 3bf2f6c901..936a15665b 100755 --- a/docs/modules/traits/pages/container.adoc +++ b/docs/modules/traits/pages/container.adoc 
@@ -85,6 +85,30 @@ Integration `.spec.integrationKit` parameter. If you're moving the Integration a | PullPolicy | The pull policy: Always\|Never\|IfNotPresent +| container.run-as-user +| int64 +| Security Context RunAsUser configuration (default none): this value is automatically retrieved in Openshift clusters when not explicitly set. + +| container.run-as-non-root +| bool +| Security Context RunAsNonRoot configuration (default false). + +| container.seccomp-profile-type +| SeccompProfileType +| Security Context SeccompProfileType configuration (default RuntimeDefault). + +| container.allow-privilege-escalation +| bool +| Security Context AllowPrivilegeEscalation configuration (default false). + +| container.capabilities-drop +| []k8s.io/api/core/v1.Capability +| Security Context Capabilities Drop configuration (default ALL). + +| container.capabilities-add +| []k8s.io/api/core/v1.Capability +| Security Context Capabilities Add configuration (default none). + |=== // End of autogenerated code - DO NOT EDIT! (configuration) diff --git a/docs/modules/traits/pages/security-context.adoc b/docs/modules/traits/pages/security-context.adoc new file mode 100644 index 0000000000..516dda8047 --- /dev/null +++ b/docs/modules/traits/pages/security-context.adoc 
@@ -0,0 +1,46 @@ += Security Context Trait + +// Start of autogenerated code - DO NOT EDIT! (badges) +// End of autogenerated code - DO NOT EDIT! (badges) +// Start of autogenerated code - DO NOT EDIT! (description) +The Security Context trait can be used to configure the security setting of the Pod running the application. + + +This trait is available in the following profiles: **Kubernetes, Knative, OpenShift**. + +NOTE: The security-context trait is a *platform trait* and cannot be disabled by the user. + +// End of autogenerated code - DO NOT EDIT! (description) +// Start of autogenerated code - DO NOT EDIT! (configuration) +== Configuration + +Trait properties can be specified when running any integration with the CLI: +[source,console] +---- +$ kamel run --trait security-context.[key]=[value] --trait security-context.[key2]=[value2] integration.groovy +---- +The following configuration options are available: + +[cols="2m,1m,5a"] +|=== +|Property | Type | Description + +| security-context.enabled +| bool +| Deprecated: no longer in use. + +| security-context.run-as-user +| int64 +| Security Context RunAsUser configuration (default none): this value is automatically retrieved in Openshift clusters when not explicitly set. + +| security-context.run-as-non-root +| bool +| Security Context RunAsNonRoot configuration (default false). + +| security-context.seccomp-profile-type +| SeccompProfileType +| Security Context SeccompProfileType configuration (default RuntimeDefault). + +|=== + +// End of autogenerated code - DO NOT EDIT! (configuration) diff --git a/helm/camel-k/crds/crd-integration-platform.yaml b/helm/camel-k/crds/crd-integration-platform.yaml index 835e1b3c3e..048ad2baa2 100644 --- a/helm/camel-k/crds/crd-integration-platform.yaml +++ b/helm/camel-k/crds/crd-integration-platform.yaml 
@@ -684,18 +684,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string @@ -754,10 +757,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -770,12 +781,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -1889,6 +1894,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: @@ -2628,18 +2662,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string 
@@ -2698,10 +2735,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -2714,12 +2759,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -3833,6 +3872,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/helm/camel-k/crds/crd-integration-profile.yaml b/helm/camel-k/crds/crd-integration-profile.yaml index ee202c907c..f881107352 100644 --- a/helm/camel-k/crds/crd-integration-profile.yaml +++ b/helm/camel-k/crds/crd-integration-profile.yaml @@ -561,18 +561,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string 
@@ -631,10 +634,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -647,12 +658,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait @@ -1766,6 +1771,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: 
@@ -2388,18 +2422,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string @@ -2458,10 +2495,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -2474,12 +2519,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -3593,6 +3632,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/helm/camel-k/crds/crd-integration.yaml b/helm/camel-k/crds/crd-integration.yaml index 57aa5963a0..bb8917237d 100644 --- a/helm/camel-k/crds/crd-integration.yaml +++ b/helm/camel-k/crds/crd-integration.yaml @@ -6622,18 +6622,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string 
@@ -6692,10 +6695,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -6708,12 +6719,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -7827,6 +7832,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/helm/camel-k/crds/crd-kamelet-binding.yaml b/helm/camel-k/crds/crd-kamelet-binding.yaml index b0e54aaaf4..8bf051f3f1 100644 --- a/helm/camel-k/crds/crd-kamelet-binding.yaml +++ b/helm/camel-k/crds/crd-kamelet-binding.yaml @@ -6900,13 +6900,14 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation - configuration + configuration (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type @@ -6914,6 +6915,7 @@ spec: type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type 
@@ -6975,9 +6977,17 @@ spec: type: string runAsNonRoot: description: Security Context RunAsNonRoot configuration + (default false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -6990,12 +7000,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: - this value is automatically retrieved in Openshift clusters - when not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait @@ -8134,6 +8138,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration + (default false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: 
diff --git a/helm/camel-k/crds/crd-pipe.yaml b/helm/camel-k/crds/crd-pipe.yaml index 57dc1642ab..292e2ec94c 100644 --- a/helm/camel-k/crds/crd-pipe.yaml +++ b/helm/camel-k/crds/crd-pipe.yaml @@ -6898,13 +6898,14 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation - configuration + configuration (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type @@ -6912,6 +6913,7 @@ spec: type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type @@ -6973,9 +6975,17 @@ spec: type: string runAsNonRoot: description: Security Context RunAsNonRoot configuration + (default false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -6988,12 +6998,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: - this value is automatically retrieved in Openshift clusters - when not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -8132,6 +8136,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration + (default false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/pkg/apis/camel/v1/common_types.go b/pkg/apis/camel/v1/common_types.go index d5af69100f..2cab56288c 100644 --- a/pkg/apis/camel/v1/common_types.go +++ b/pkg/apis/camel/v1/common_types.go @@ -238,6 +238,8 @@ type Traits struct { Registry *trait.RegistryTrait `property:"registry" json:"registry,omitempty"` // The configuration of Route trait Route *trait.RouteTrait `property:"route" json:"route,omitempty"` + // The configuration of Security Context trait + SecurityContext *trait.SecurityContextTrait `property:"security-context" json:"security-context,omitempty"` // The configuration of Service trait Service *trait.ServiceTrait `property:"service" json:"service,omitempty"` // The configuration of Service Binding trait diff --git a/pkg/apis/camel/v1/trait/container.go b/pkg/apis/camel/v1/trait/container.go index a2b1b5f381..2abf02194e 100644 --- a/pkg/apis/camel/v1/trait/container.go +++ b/pkg/apis/camel/v1/trait/container.go 
@@ -56,17 +56,17 @@ type ContainerTrait struct {
 	// The pull policy: Always|Never|IfNotPresent
 	// +kubebuilder:validation:Enum=Always;Never;IfNotPresent
 	ImagePullPolicy corev1.PullPolicy `property:"image-pull-policy" json:"imagePullPolicy,omitempty"`
-	// Security Context RunAsUser configuration: this value is automatically retrieved in Openshift clusters when not explicitly set.
+	// Security Context RunAsUser configuration (default none): this value is automatically retrieved in Openshift clusters when not explicitly set.
 	RunAsUser *int64 `property:"run-as-user" json:"runAsUser,omitempty"`
-	// Security Context RunAsNonRoot configuration
+	// Security Context RunAsNonRoot configuration (default false).
 	RunAsNonRoot *bool `property:"run-as-non-root" json:"runAsNonRoot,omitempty"`
-	// Security Context SeccompProfileType configuration
+	// Security Context SeccompProfileType configuration (default RuntimeDefault).
 	// +kubebuilder:validation:Enum=Unconfined;RuntimeDefault
 	SeccompProfileType corev1.SeccompProfileType `property:"seccomp-profile-type" json:"seccompProfileType,omitempty"`
-	// Security Context AllowPrivilegeEscalation configuration
+	// Security Context AllowPrivilegeEscalation configuration (default false).
 	AllowPrivilegeEscalation *bool `property:"allow-privilege-escalation" json:"allowPrivilegeEscalation,omitempty"`
-	// Security Context Capabilities Drop configuration
+	// Security Context Capabilities Drop configuration (default ALL).
 	CapabilitiesDrop []corev1.Capability `property:"capabilities-drop" json:"capabilitiesDrop,omitempty"`
-	// Security Context Capabilities Add configuration
+	// Security Context Capabilities Add configuration (default none).
 	CapabilitiesAdd []corev1.Capability `property:"capabilities-add" json:"capabilitiesAdd,omitempty"`
 }
diff --git a/pkg/apis/camel/v1/trait/security_context.go b/pkg/apis/camel/v1/trait/security_context.go
new file mode 100644
index 0000000000..ce6cdc1a3d
--- /dev/null
+++ b/pkg/apis/camel/v1/trait/security_context.go
@@ -0,0 +1,34 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package trait
+
+import corev1 "k8s.io/api/core/v1"
+
+// The Security Context trait can be used to configure the security setting of the Pod running the application.
+//
+// +camel-k:trait=security-context
+type SecurityContextTrait struct {
+	PlatformBaseTrait `property:",squash" json:",inline"`
+	// Security Context RunAsUser configuration (default none): this value is automatically retrieved in Openshift clusters when not explicitly set.
+	RunAsUser *int64 `property:"run-as-user" json:"runAsUser,omitempty"`
+	// Security Context RunAsNonRoot configuration (default false).
+	RunAsNonRoot *bool `property:"run-as-non-root" json:"runAsNonRoot,omitempty"`
+	// Security Context SeccompProfileType configuration (default RuntimeDefault).
+	// +kubebuilder:validation:Enum=Unconfined;RuntimeDefault
+	SeccompProfileType corev1.SeccompProfileType `property:"seccomp-profile-type" json:"seccompProfileType,omitempty"`
+}
diff --git a/pkg/apis/camel/v1/trait/zz_generated.deepcopy.go b/pkg/apis/camel/v1/trait/zz_generated.deepcopy.go
index 23e5433a3c..c8c03773ea 100644
--- a/pkg/apis/camel/v1/trait/zz_generated.deepcopy.go
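Review bot: The struct comment on SecurityContextTrait does not say how these pod-level fields interact with the identically named and identically keyed RunAsUser, RunAsNonRoot and SeccompProfileType fields that the ContainerTrait hunk above keeps, and in Kubernetes a field set on a container's securityContext takes precedence over the same field on the pod securityContext. Suggested addition to the type comment: `// Values set here apply to the Pod security context; the same field set on the container trait takes precedence for that container.` The "(default …)" wording on the fields is not enforced by any `+kubebuilder:default` marker here, so it presumably describes what pkg/trait/security_context.go fills in (that file is not in this chunk); stating "applied by the trait when unset" would make that explicit to users reading the generated CRD descriptions.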
+++ b/pkg/apis/camel/v1/trait/zz_generated.deepcopy.go @@ -1061,6 +1061,32 @@ func (in *RouteTrait) DeepCopy() *RouteTrait { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecurityContextTrait) DeepCopyInto(out *SecurityContextTrait) { + *out = *in + in.PlatformBaseTrait.DeepCopyInto(&out.PlatformBaseTrait) + if in.RunAsUser != nil { + in, out := &in.RunAsUser, &out.RunAsUser + *out = new(int64) + **out = **in + } + if in.RunAsNonRoot != nil { + in, out := &in.RunAsNonRoot, &out.RunAsNonRoot + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextTrait. +func (in *SecurityContextTrait) DeepCopy() *SecurityContextTrait { + if in == nil { + return nil + } + out := new(SecurityContextTrait) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceBindingTrait) DeepCopyInto(out *ServiceBindingTrait) { *out = *in diff --git a/pkg/apis/camel/v1/zz_generated.deepcopy.go b/pkg/apis/camel/v1/zz_generated.deepcopy.go index 8d1e9dc134..67149a3562 100644 --- a/pkg/apis/camel/v1/zz_generated.deepcopy.go +++ b/pkg/apis/camel/v1/zz_generated.deepcopy.go @@ -3235,6 +3235,11 @@ func (in *Traits) DeepCopyInto(out *Traits) { *out = new(trait.RouteTrait) (*in).DeepCopyInto(*out) } + if in.SecurityContext != nil { + in, out := &in.SecurityContext, &out.SecurityContext + *out = new(trait.SecurityContextTrait) + (*in).DeepCopyInto(*out) + } if in.Service != nil { in, out := &in.Service, &out.Service *out = new(trait.ServiceTrait) diff --git a/pkg/client/camel/applyconfiguration/camel/v1/traits.go b/pkg/client/camel/applyconfiguration/camel/v1/traits.go index b373cf5421..4cb380e71c 100644 --- a/pkg/client/camel/applyconfiguration/camel/v1/traits.go 
+++ b/pkg/client/camel/applyconfiguration/camel/v1/traits.go 
@@ -26,46 +26,47 @@ import ( // TraitsApplyConfiguration represents an declarative configuration of the Traits type for use // with apply. type TraitsApplyConfiguration struct { - Affinity *trait.AffinityTrait `json:"affinity,omitempty"` - Builder *trait.BuilderTrait `json:"builder,omitempty"` - Camel *trait.CamelTrait `json:"camel,omitempty"` - Container *trait.ContainerTrait `json:"container,omitempty"` - Cron *trait.CronTrait `json:"cron,omitempty"` - Dependencies *trait.DependenciesTrait `json:"dependencies,omitempty"` - Deployer *trait.DeployerTrait `json:"deployer,omitempty"` - Deployment *trait.DeploymentTrait `json:"deployment,omitempty"` - Environment *trait.EnvironmentTrait `json:"environment,omitempty"` - ErrorHandler *trait.ErrorHandlerTrait `json:"error-handler,omitempty"` - GC *trait.GCTrait `json:"gc,omitempty"` - Health *trait.HealthTrait `json:"health,omitempty"` - Ingress *trait.IngressTrait `json:"ingress,omitempty"` - Istio *trait.IstioTrait `json:"istio,omitempty"` - Jolokia *trait.JolokiaTrait `json:"jolokia,omitempty"` - JVM *trait.JVMTrait `json:"jvm,omitempty"` - Kamelets *trait.KameletsTrait `json:"kamelets,omitempty"` - Knative *trait.KnativeTrait `json:"knative,omitempty"` - KnativeService *trait.KnativeServiceTrait `json:"knative-service,omitempty"` - Logging *trait.LoggingTrait `json:"logging,omitempty"` - Mount *trait.MountTrait `json:"mount,omitempty"` - OpenAPI *trait.OpenAPITrait `json:"openapi,omitempty"` - Owner *trait.OwnerTrait `json:"owner,omitempty"` - PDB *trait.PDBTrait `json:"pdb,omitempty"` - Platform *trait.PlatformTrait `json:"platform,omitempty"` - Pod *trait.PodTrait `json:"pod,omitempty"` - Prometheus *trait.PrometheusTrait `json:"prometheus,omitempty"` - PullSecret *trait.PullSecretTrait `json:"pull-secret,omitempty"` - Quarkus *trait.QuarkusTrait `json:"quarkus,omitempty"` - Registry *trait.RegistryTrait `json:"registry,omitempty"` - Route *trait.RouteTrait `json:"route,omitempty"` - Service *trait.ServiceTrait 
`json:"service,omitempty"` - ServiceBinding *trait.ServiceBindingTrait `json:"service-binding,omitempty"` - Toleration *trait.TolerationTrait `json:"toleration,omitempty"` - Addons map[string]AddonTraitApplyConfiguration `json:"addons,omitempty"` - Keda *TraitSpecApplyConfiguration `json:"keda,omitempty"` - Master *TraitSpecApplyConfiguration `json:"master,omitempty"` - Strimzi *TraitSpecApplyConfiguration `json:"strimzi,omitempty"` - ThreeScale *TraitSpecApplyConfiguration `json:"3scale,omitempty"` - Tracing *TraitSpecApplyConfiguration `json:"tracing,omitempty"` + Affinity *trait.AffinityTrait `json:"affinity,omitempty"` + Builder *trait.BuilderTrait `json:"builder,omitempty"` + Camel *trait.CamelTrait `json:"camel,omitempty"` + Container *trait.ContainerTrait `json:"container,omitempty"` + Cron *trait.CronTrait `json:"cron,omitempty"` + Dependencies *trait.DependenciesTrait `json:"dependencies,omitempty"` + Deployer *trait.DeployerTrait `json:"deployer,omitempty"` + Deployment *trait.DeploymentTrait `json:"deployment,omitempty"` + Environment *trait.EnvironmentTrait `json:"environment,omitempty"` + ErrorHandler *trait.ErrorHandlerTrait `json:"error-handler,omitempty"` + GC *trait.GCTrait `json:"gc,omitempty"` + Health *trait.HealthTrait `json:"health,omitempty"` + Ingress *trait.IngressTrait `json:"ingress,omitempty"` + Istio *trait.IstioTrait `json:"istio,omitempty"` + Jolokia *trait.JolokiaTrait `json:"jolokia,omitempty"` + JVM *trait.JVMTrait `json:"jvm,omitempty"` + Kamelets *trait.KameletsTrait `json:"kamelets,omitempty"` + Knative *trait.KnativeTrait `json:"knative,omitempty"` + KnativeService *trait.KnativeServiceTrait `json:"knative-service,omitempty"` + Logging *trait.LoggingTrait `json:"logging,omitempty"` + Mount *trait.MountTrait `json:"mount,omitempty"` + OpenAPI *trait.OpenAPITrait `json:"openapi,omitempty"` + Owner *trait.OwnerTrait `json:"owner,omitempty"` + PDB *trait.PDBTrait `json:"pdb,omitempty"` + Platform *trait.PlatformTrait 
`json:"platform,omitempty"` + Pod *trait.PodTrait `json:"pod,omitempty"` + Prometheus *trait.PrometheusTrait `json:"prometheus,omitempty"` + PullSecret *trait.PullSecretTrait `json:"pull-secret,omitempty"` + Quarkus *trait.QuarkusTrait `json:"quarkus,omitempty"` + Registry *trait.RegistryTrait `json:"registry,omitempty"` + Route *trait.RouteTrait `json:"route,omitempty"` + SecurityContext *trait.SecurityContextTrait `json:"security-context,omitempty"` + Service *trait.ServiceTrait `json:"service,omitempty"` + ServiceBinding *trait.ServiceBindingTrait `json:"service-binding,omitempty"` + Toleration *trait.TolerationTrait `json:"toleration,omitempty"` + Addons map[string]AddonTraitApplyConfiguration `json:"addons,omitempty"` + Keda *TraitSpecApplyConfiguration `json:"keda,omitempty"` + Master *TraitSpecApplyConfiguration `json:"master,omitempty"` + Strimzi *TraitSpecApplyConfiguration `json:"strimzi,omitempty"` + ThreeScale *TraitSpecApplyConfiguration `json:"3scale,omitempty"` + Tracing *TraitSpecApplyConfiguration `json:"tracing,omitempty"` } // TraitsApplyConfiguration constructs an declarative configuration of the Traits type for use with 
@@ -322,6 +323,14 @@ func (b *TraitsApplyConfiguration) WithRoute(value trait.RouteTrait) *TraitsAppl return b } +// WithSecurityContext sets the SecurityContext field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SecurityContext field is set to the value of the last call. +func (b *TraitsApplyConfiguration) WithSecurityContext(value trait.SecurityContextTrait) *TraitsApplyConfiguration { + b.SecurityContext = &value + return b +} + // WithService sets the Service field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Service field is set to the value of the last call. diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml b/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml index 835e1b3c3e..048ad2baa2 100644 --- a/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml +++ b/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml @@ -684,18 +684,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string 
@@ -754,10 +757,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -770,12 +781,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait @@ -1889,6 +1894,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: 
@@ -2628,18 +2662,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string @@ -2698,10 +2735,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -2714,12 +2759,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -3833,6 +3872,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml b/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml index ee202c907c..f881107352 100644 --- a/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml +++ b/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml @@ -561,18 +561,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string 
@@ -631,10 +634,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -647,12 +658,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait @@ -1766,6 +1771,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: 
@@ -2388,18 +2422,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string @@ -2458,10 +2495,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -2474,12 +2519,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -3593,6 +3632,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml b/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml index 57aa5963a0..bb8917237d 100644 --- a/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml +++ b/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml @@ -6622,18 +6622,21 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation configuration + (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type type: string type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type type: string 
@@ -6692,10 +6695,18 @@ spec: description: The minimum amount of memory required. type: string runAsNonRoot: - description: Security Context RunAsNonRoot configuration + description: Security Context RunAsNonRoot configuration (default + false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -6708,12 +6719,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: this - value is automatically retrieved in Openshift clusters when - not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -7827,6 +7832,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration (default + false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration (default + none): this value is automatically retrieved in Openshift + clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/pkg/resources/config/crd/bases/camel.apache.org_kameletbindings.yaml b/pkg/resources/config/crd/bases/camel.apache.org_kameletbindings.yaml index b0e54aaaf4..8bf051f3f1 100644 --- a/pkg/resources/config/crd/bases/camel.apache.org_kameletbindings.yaml +++ b/pkg/resources/config/crd/bases/camel.apache.org_kameletbindings.yaml @@ -6900,13 +6900,14 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation - configuration + configuration (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type @@ -6914,6 +6915,7 @@ spec: type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type 
@@ -6975,9 +6977,17 @@ spec: type: string runAsNonRoot: description: Security Context RunAsNonRoot configuration + (default false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -6990,12 +7000,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: - this value is automatically retrieved in Openshift clusters - when not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait @@ -8134,6 +8138,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration + (default false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: 
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml b/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml index 57dc1642ab..292e2ec94c 100644 --- a/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml +++ b/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml @@ -6898,13 +6898,14 @@ spec: properties: allowPrivilegeEscalation: description: Security Context AllowPrivilegeEscalation - configuration + configuration (default false). type: boolean auto: description: To automatically enable the trait type: boolean capabilitiesAdd: description: Security Context Capabilities Add configuration + (default none). items: description: Capability represent POSIX capabilities type @@ -6912,6 +6913,7 @@ spec: type: array capabilitiesDrop: description: Security Context Capabilities Drop configuration + (default ALL). items: description: Capability represent POSIX capabilities type @@ -6973,9 +6975,17 @@ spec: type: string runAsNonRoot: description: Security Context RunAsNonRoot configuration + (default false). type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer seccompProfileType: description: Security Context SeccompProfileType configuration + (default RuntimeDefault). enum: - Unconfined - RuntimeDefault @@ -6988,12 +6998,6 @@ spec: description: To configure under which service port name the container port is to be exposed (default `http`). type: string - uid: - description: 'Security Context RunAsUser configuration: - this value is automatically retrieved in Openshift clusters - when not explicitly set.' - format: int64 - type: integer type: object cron: description: The configuration of Cron trait 
@@ -8132,6 +8136,35 @@ spec: - passthrough type: string type: object + security-context: + description: The configuration of Security Context trait + properties: + configuration: + description: 'Legacy trait configuration parameters. Deprecated: + for backward compatibility.' + type: object + x-kubernetes-preserve-unknown-fields: true + enabled: + description: 'Deprecated: no longer in use.' + type: boolean + runAsNonRoot: + description: Security Context RunAsNonRoot configuration + (default false). + type: boolean + runAsUser: + description: 'Security Context RunAsUser configuration + (default none): this value is automatically retrieved + in Openshift clusters when not explicitly set.' + format: int64 + type: integer + seccompProfileType: + description: Security Context SeccompProfileType configuration + (default RuntimeDefault). + enum: + - Unconfined + - RuntimeDefault + type: string + type: object service: description: The configuration of Service trait properties: diff --git a/pkg/trait/container.go b/pkg/trait/container.go index 3b1daaf9c8..9a8f2bf81c 100644 --- a/pkg/trait/container.go +++ b/pkg/trait/container.go @@ -48,10 +48,10 @@ const ( defaultContainerPort = 8080 defaultServicePort = 80 // default security context configuration - defaultRunAsNonRoot = true - defaultSeccompProfileType = corev1.SeccompProfileTypeRuntimeDefault - defaultAllowPrivilegeEscalation = false - defaultCapabilitiesDrop = "ALL" + defaultContainerRunAsNonRoot = false + defaultContainerSeccompProfileType = corev1.SeccompProfileTypeRuntimeDefault + defaultContainerAllowPrivilegeEscalation = false + defaultContainerCapabilitiesDrop = "ALL" ) type containerTrait struct { 
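Review bot: `defaultContainerRunAsNonRoot = false` flips the container-level RunAsNonRoot default from true to false, and the newContainerTrait hunk that follows still writes it explicitly with `pointer.Bool(defaultContainerRunAsNonRoot)`. Because a container securityContext field takes precedence over the same field in the pod securityContext, an explicit `false` on every container would override a pod-level `runAsNonRoot: true` that the new security-context trait may set (pkg/trait/security_context.go is not in this chunk, so I cannot confirm what it applies). If the intent is to move the non-root default to the pod level, the container trait should leave the field nil by default so the pod setting is inherited, e.g. drop `RunAsNonRoot: pointer.Bool(defaultContainerRunAsNonRoot),` from the literal and only set it when the user configures it; otherwise keep the container default at `true` so the hardening is not silently lost. The const block and the containerTrait struct continue outside this hunk.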
@@ -67,10 +67,10 @@ func newContainerTrait() Trait { ServicePort: defaultServicePort, ServicePortName: defaultContainerPortName, Name: defaultContainerName, - RunAsNonRoot: pointer.Bool(defaultRunAsNonRoot), - SeccompProfileType: defaultSeccompProfileType, - AllowPrivilegeEscalation: pointer.Bool(defaultAllowPrivilegeEscalation), - CapabilitiesDrop: []corev1.Capability{defaultCapabilitiesDrop}, + RunAsNonRoot: pointer.Bool(defaultContainerRunAsNonRoot), + SeccompProfileType: defaultContainerSeccompProfileType, + AllowPrivilegeEscalation: pointer.Bool(defaultContainerAllowPrivilegeEscalation), + CapabilitiesDrop: []corev1.Capability{defaultContainerCapabilitiesDrop}, }, } } diff --git a/pkg/trait/container_test.go b/pkg/trait/container_test.go index 687911db10..0f4414dc76 100644 --- a/pkg/trait/container_test.go +++ b/pkg/trait/container_test.go @@ -181,7 +181,7 @@ func TestContainerWithOpenshift(t *testing.T) { assert.NotNil(t, d) assert.Len(t, d.Spec.Template.Spec.Containers, 1) assert.Equal(t, defaultContainerName, d.Spec.Template.Spec.Containers[0].Name) - assert.Equal(t, pointer.Bool(true), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) + assert.Equal(t, pointer.Bool(defaultContainerRunAsNonRoot), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) assert.Equal(t, pointer.Int64(1000860000), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser) } 
@@ -672,11 +672,11 @@ func TestDefaultKubernetesSecurityContext(t *testing.T) { assert.NotNil(t, d) assert.Len(t, d.Spec.Template.Spec.Containers, 1) assert.Equal(t, defaultContainerName, d.Spec.Template.Spec.Containers[0].Name) - assert.Equal(t, pointer.Bool(true), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) + assert.Equal(t, pointer.Bool(defaultContainerRunAsNonRoot), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) assert.Nil(t, d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser) assert.Equal(t, corev1.SeccompProfileTypeRuntimeDefault, d.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile.Type) - assert.Equal(t, pointer.Bool(false), d.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation) - assert.Equal(t, []corev1.Capability{defaultCapabilitiesDrop}, d.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Drop) + assert.Equal(t, pointer.Bool(defaultContainerAllowPrivilegeEscalation), d.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation) + assert.Equal(t, []corev1.Capability{defaultContainerCapabilitiesDrop}, d.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Drop) assert.Nil(t, d.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Add) } 
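Review bot: Asserting `pointer.Bool(defaultContainerRunAsNonRoot)` in TestDefaultKubernetesSecurityContext makes the check tautological with respect to the hardening policy: flipping the constant, as this commit does from true to false, changes the shipped default without any test failing. A security-relevant default should be pinned to a literal, `assert.Equal(t, pointer.Bool(false), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot)` if false is really intended, with a short comment saying why, so that a later change has to be a deliberate test edit. The same constant-against-constant pattern is introduced for AllowPrivilegeEscalation and CapabilitiesDrop in this hunk.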
@@ -700,11 +700,11 @@ func TestDefaultKnativeSecurityContext(t *testing.T) { assert.NotNil(t, s) assert.Len(t, s.Spec.Template.Spec.Containers, 1) assert.Equal(t, defaultContainerName, s.Spec.Template.Spec.Containers[0].Name) - assert.Equal(t, pointer.Bool(true), s.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) + assert.Equal(t, pointer.Bool(defaultContainerRunAsNonRoot), s.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) assert.Nil(t, s.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser) assert.Equal(t, corev1.SeccompProfileTypeRuntimeDefault, s.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile.Type) - assert.Equal(t, pointer.Bool(false), s.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation) - assert.Equal(t, []corev1.Capability{defaultCapabilitiesDrop}, s.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Drop) + assert.Equal(t, pointer.Bool(defaultContainerAllowPrivilegeEscalation), s.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation) + assert.Equal(t, []corev1.Capability{defaultContainerCapabilitiesDrop}, s.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Drop) assert.Nil(t, s.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Add) } diff --git a/pkg/trait/security_context.go b/pkg/trait/security_context.go new file mode 100644 index 0000000000..c7fd50d421 --- /dev/null +++ b/pkg/trait/security_context.go 
@@ -0,0 +1,98 @@ +/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package trait + +import ( + "fmt" + + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/pointer" + + traitv1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1/trait" + "github.com/apache/camel-k/v2/pkg/util/openshift" +) + +const ( + securityContextTraitID = "security-context" + + defaultPodRunAsNonRoot = false + defaultPodSeccompProfileType = corev1.SeccompProfileTypeRuntimeDefault +) + +type securityContextTrait struct { + BasePlatformTrait + traitv1.SecurityContextTrait `property:",squash"` +} + +func newSecurityContextTrait() Trait { + return &securityContextTrait{ + BasePlatformTrait: NewBasePlatformTrait(securityContextTraitID, 1600), + SecurityContextTrait: traitv1.SecurityContextTrait{ + RunAsNonRoot: pointer.Bool(defaultPodRunAsNonRoot), + SeccompProfileType: defaultPodSeccompProfileType, + }, + } +} + +func (t *securityContextTrait) Configure(e *Environment) (bool, *TraitCondition, error) { + if e.Integration == nil { + return false, nil, nil + } + if !e.IntegrationInRunningPhases() { + return false, nil, nil + } + + return true, nil, nil +} + +func (t *securityContextTrait) Apply(e *Environment) error { + podSpec := e.GetIntegrationPodSpec() + if podSpec == nil { + return 
fmt.Errorf("could not find any integration deployment for %v", e.Integration.Name) + } + return t.setSecurityContext(e, podSpec) +} + +func (t *securityContextTrait) setSecurityContext(e *Environment, podSpec *corev1.PodSpec) error { + sc := corev1.PodSecurityContext{ + RunAsNonRoot: t.RunAsNonRoot, + SeccompProfile: &corev1.SeccompProfile{ + Type: t.SeccompProfileType, + }, + } + if t.RunAsUser == nil { + // get security context UID from Openshift when non configured by the user + isOpenShift, err := openshift.IsOpenShift(e.Client) + if err != nil { + return err + } + if isOpenShift { + securityContextUid, err := openshift.GetOpenshiftUser(e.Ctx, e.Client, e.Integration.Namespace) + if err != nil { + return err + } + if securityContextUid != nil { + t.RunAsUser = securityContextUid + } + } + } + sc.RunAsUser = t.RunAsUser + podSpec.SecurityContext = &sc + + return nil +} diff --git a/pkg/trait/security_context_test.go b/pkg/trait/security_context_test.go new file mode 100644 index 0000000000..0f78dd68f2 --- /dev/null +++ b/pkg/trait/security_context_test.go 
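Review bot: The default pod security context built in setSecurityContext is an explicit `runAsNonRoot: false` (`defaultPodRunAsNonRoot = false` wrapped in `pointer.Bool`), not an absent field, so every Integration pod now carries a manifest-level statement that root is acceptable; if I recall the Pod Security Standards `restricted` check correctly, an explicit pod-level false is rejected regardless of the container values, and with the container default also lowered to false in this patch no level asserts non-root at all. I would set `defaultPodRunAsNonRoot = true`, or leave the pointer nil when the user has not configured it, and document the choice on the constant. Two smaller points in the same function: `podSpec.SecurityContext = &sc` replaces any PodSecurityContext already present (FSGroup, SupplementalGroups, SELinuxOptions set by another trait or a pod template) instead of merging into it, and writing the OpenShift-discovered UID back into `t.RunAsUser` mutates trait state when a local `runAsUser := t.RunAsUser` would do.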
@@ -0,0 +1,254 @@ +/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package trait + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + serving "knative.dev/serving/pkg/apis/serving/v1" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/pointer" + + v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1" + traitv1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1/trait" + "github.com/apache/camel-k/v2/pkg/util/camel" + "github.com/apache/camel-k/v2/pkg/util/kubernetes" + "github.com/apache/camel-k/v2/pkg/util/test" +) + +func TestDefaultPodKubernetesSecurityContextInitializationPhase(t *testing.T) { + environment := createPodSettingContextEnvironment(t, v1.TraitProfileKubernetes) + environment.Integration.Status.Phase = v1.IntegrationPhaseInitialization + traitCatalog := NewCatalog(nil) + + conditions, err := traitCatalog.apply(environment) + + require.NoError(t, err) + assert.NotEmpty(t, conditions) + assert.NotEmpty(t, environment.ExecutedTraits) + assert.Nil(t, environment.GetTrait("security-context")) +} + +func TestDefaultPodKubernetesSecurityContext(t *testing.T) { + environment := createPodSettingContextEnvironment(t, v1.TraitProfileKubernetes) + 
traitCatalog := NewCatalog(nil) + + conditions, err := traitCatalog.apply(environment) + + require.NoError(t, err) + assert.NotEmpty(t, conditions) + assert.NotEmpty(t, environment.ExecutedTraits) + assert.NotNil(t, environment.GetTrait("deployment")) + assert.NotNil(t, environment.GetTrait("security-context")) + + d := environment.Resources.GetDeploymentForIntegration(environment.Integration) + + assert.NotNil(t, d) + assert.Equal(t, pointer.Bool(defaultPodRunAsNonRoot), d.Spec.Template.Spec.SecurityContext.RunAsNonRoot) + assert.Nil(t, d.Spec.Template.Spec.SecurityContext.RunAsUser) + assert.Equal(t, corev1.SeccompProfileTypeRuntimeDefault, d.Spec.Template.Spec.SecurityContext.SeccompProfile.Type) +} + +func TestDefaultPodOpenshiftSecurityContext(t *testing.T) { + environment := createOpenshiftPodSettingContextEnvironment(t, v1.TraitProfileOpenShift) + traitCatalog := NewCatalog(nil) + + conditions, err := traitCatalog.apply(environment) + + require.NoError(t, err) + assert.NotEmpty(t, conditions) + assert.NotEmpty(t, environment.ExecutedTraits) + assert.NotNil(t, environment.GetTrait("deployment")) + assert.NotNil(t, environment.GetTrait("security-context")) + + d := environment.Resources.GetDeploymentForIntegration(environment.Integration) + + assert.NotNil(t, d) + assert.Equal(t, pointer.Bool(defaultPodRunAsNonRoot), d.Spec.Template.Spec.SecurityContext.RunAsNonRoot) + assert.NotNil(t, d.Spec.Template.Spec.SecurityContext.RunAsUser) + assert.Equal(t, corev1.SeccompProfileTypeRuntimeDefault, d.Spec.Template.Spec.SecurityContext.SeccompProfile.Type) +} + +func TestDefaultPodKnativeSecurityContext(t *testing.T) { + environment := createPodSettingContextEnvironment(t, v1.TraitProfileKnative) + traitCatalog := NewCatalog(nil) + + conditions, err := traitCatalog.apply(environment) + + require.NoError(t, err) + assert.NotEmpty(t, conditions) + assert.NotEmpty(t, environment.ExecutedTraits) + assert.Nil(t, environment.GetTrait("deployment")) + assert.NotNil(t, 
environment.GetTrait("knative-service")) + assert.NotNil(t, environment.GetTrait("security-context")) + + s := environment.Resources.GetKnativeService(func(service *serving.Service) bool { + return service.Name == ServiceTestName + }) + + assert.NotNil(t, s) + assert.Equal(t, pointer.Bool(defaultPodRunAsNonRoot), s.Spec.Template.Spec.SecurityContext.RunAsNonRoot) + assert.Nil(t, s.Spec.Template.Spec.SecurityContext.RunAsUser) + assert.Equal(t, corev1.SeccompProfileTypeRuntimeDefault, s.Spec.Template.Spec.SecurityContext.SeccompProfile.Type) +} + +func TestUserPodSecurityContext(t *testing.T) { + environment := createPodSettingContextEnvironment(t, v1.TraitProfileKubernetes) + environment.Integration.Spec.Traits = v1.Traits{ + SecurityContext: &traitv1.SecurityContextTrait{ + RunAsNonRoot: pointer.Bool(false), + RunAsUser: pointer.Int64(1000), + SeccompProfileType: "Unconfined", + }, + } + traitCatalog := NewCatalog(nil) + + conditions, err := traitCatalog.apply(environment) + + require.NoError(t, err) + assert.NotEmpty(t, conditions) + assert.NotEmpty(t, environment.ExecutedTraits) + assert.NotNil(t, environment.GetTrait("deployment")) + assert.NotNil(t, environment.GetTrait("security-context")) + + d := environment.Resources.GetDeploymentForIntegration(environment.Integration) + + assert.NotNil(t, d) + assert.Equal(t, pointer.Bool(false), d.Spec.Template.Spec.SecurityContext.RunAsNonRoot) + assert.Equal(t, pointer.Int64(1000), d.Spec.Template.Spec.SecurityContext.RunAsUser) + assert.Equal(t, corev1.SeccompProfileTypeUnconfined, d.Spec.Template.Spec.SecurityContext.SeccompProfile.Type) +} + +func createPodSettingContextEnvironment(t *testing.T, profile v1.TraitProfile) *Environment { + catalog, err := camel.DefaultCatalog() + require.NoError(t, err) + client, _ := test.NewFakeClient() + traitCatalog := NewCatalog(nil) + environment := Environment{ + CamelCatalog: catalog, + Catalog: traitCatalog, + Client: client, + Integration: &v1.Integration{ + ObjectMeta: 
metav1.ObjectMeta{ + Name: ServiceTestName, + Namespace: "myuser", + }, + Status: v1.IntegrationStatus{ + Phase: v1.IntegrationPhaseDeploying, + }, + Spec: v1.IntegrationSpec{ + Profile: profile, + }, + }, + IntegrationKit: &v1.IntegrationKit{ + Status: v1.IntegrationKitStatus{ + Phase: v1.IntegrationKitPhaseReady, + }, + }, + Platform: &v1.IntegrationPlatform{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + }, + Spec: v1.IntegrationPlatformSpec{ + Build: v1.IntegrationPlatformBuildSpec{ + Registry: v1.RegistrySpec{Address: "registry"}, + RuntimeVersion: catalog.Runtime.Version, + }, + }, + Status: v1.IntegrationPlatformStatus{ + Phase: v1.IntegrationPlatformPhaseReady, + }, + }, + EnvVars: make([]corev1.EnvVar, 0), + ExecutedTraits: make([]Trait, 0), + Resources: kubernetes.NewCollection(), + } + environment.Platform.ResyncStatusFullConfig() + + return &environment +} + +func createOpenshiftPodSettingContextEnvironment(t *testing.T, profile v1.TraitProfile) *Environment { + // Integration is in another constrained namespace + constrainedIntNamespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "myuser", + Annotations: map[string]string{ + "openshift.io/sa.scc.mcs": "s0:c26,c5", + "openshift.io/sa.scc.supplemental-groups": "1000860000/10000", + "openshift.io/sa.scc.uid-range": "1000860000/10000", + }, + }, + } + + client, _ := test.NewFakeClient(constrainedIntNamespace) + traitCatalog := NewCatalog(nil) + + // enable openshift + fakeClient := client.(*test.FakeClient) //nolint + fakeClient.EnableOpenshiftDiscovery() + catalog, err := camel.DefaultCatalog() + require.NoError(t, err) + + environment := Environment{ + CamelCatalog: catalog, + Catalog: traitCatalog, + Client: client, + Integration: &v1.Integration{ + ObjectMeta: metav1.ObjectMeta{ + Name: ServiceTestName, + Namespace: "myuser", + }, + Status: v1.IntegrationStatus{ + Phase: v1.IntegrationPhaseDeploying, + }, + Spec: v1.IntegrationSpec{ + Profile: profile, + }, + }, + 
IntegrationKit: &v1.IntegrationKit{ + Status: v1.IntegrationKitStatus{ + Phase: v1.IntegrationKitPhaseReady, + }, + }, + Platform: &v1.IntegrationPlatform{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + }, + Spec: v1.IntegrationPlatformSpec{ + Build: v1.IntegrationPlatformBuildSpec{ + Registry: v1.RegistrySpec{Address: "registry"}, + RuntimeVersion: catalog.Runtime.Version, + }, + }, + Status: v1.IntegrationPlatformStatus{ + Phase: v1.IntegrationPlatformPhaseReady, + }, + }, + EnvVars: make([]corev1.EnvVar, 0), + ExecutedTraits: make([]Trait, 0), + Resources: kubernetes.NewCollection(), + } + environment.Platform.ResyncStatusFullConfig() + + return &environment +} diff --git a/pkg/trait/trait_register.go b/pkg/trait/trait_register.go index ff4c0da15b..0174bdc3f7 100644 --- a/pkg/trait/trait_register.go +++ b/pkg/trait/trait_register.go @@ -52,6 +52,7 @@ func init() { AddToTraits(newQuarkusTrait) AddToTraits(newRegistryTrait) AddToTraits(newRouteTrait) + AddToTraits(newSecurityContextTrait) AddToTraits(newServiceTrait) AddToTraits(newServiceBindingTrait) AddToTraits(newTolerationTrait) diff --git a/pkg/trait/trait_test.go b/pkg/trait/trait_test.go index f7fc02e12a..a32fade6f0 100644 --- a/pkg/trait/trait_test.go +++ b/pkg/trait/trait_test.go @@ -434,7 +434,7 @@ func TestOnlySomeTraitsInfluenceBuild(t *testing.T) { func TestOnlySomeTraitsArePlatform(t *testing.T) { c := NewTraitTestCatalog() platformTraits := []string{ - "builder", "camel", "jvm", "runtime", "container", "mount", "dependencies", "deployer", + "builder", "camel", "jvm", "runtime", "container", "security-context", "mount", "dependencies", "deployer", "deployment", "environment", "error-handler", "kamelets", "openapi", "owner", "platform", "quarkus", } 
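Review bot: TestDefaultPodOpenshiftSecurityContext only checks `assert.NotNil(t, d.Spec.Template.Spec.SecurityContext.RunAsUser)` although the fixture namespace carries `openshift.io/sa.scc.uid-range: 1000860000/10000`, so the test still passes if the wrong UID is picked up; pin it as the container test does, `assert.Equal(t, pointer.Int64(1000860000), d.Spec.Template.Spec.SecurityContext.RunAsUser)`. TestUserPodSecurityContext sets `RunAsNonRoot: pointer.Bool(false)`, which equals the trait default, so it does not demonstrate that a user value overrides the default; `pointer.Bool(true)` would. There is also no test that a user-supplied RunAsUser on OpenShift is left untouched rather than replaced by the discovered UID. Style-wise, createPodSettingContextEnvironment and createOpenshiftPodSettingContextEnvironment differ only in the fake-client setup and could share one builder.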
@@ -561,7 +561,7 @@ func TestExecutedTraitsCondition(t *testing.T) { v1.IntegrationConditionTraitInfo, corev1.ConditionTrue, "TraitConfiguration", - "Applied traits: camel,environment,logging,deployer,deployment,gc,container,mount,health,quarkus,jvm,owner", + "Applied traits: camel,environment,logging,deployer,deployment,gc,container,security-context,mount,health,quarkus,jvm,owner", ) assert.Contains(t, conditions, expectedCondition) }