This is an automated email from the ASF dual-hosted git repository.
duhengforever pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/rocketmq-operator.git
The following commit(s) were added to refs/heads/master by this push:
new e76c9fd security contexts add for container + pod
new 940e764 Merge pull request #67 from AdheipSingh/master
e76c9fd is described below
commit e76c9fdc25548aec33774621f332c35fb13820b3
Author: AdheipSingh <[email protected]>
AuthorDate: Sun Nov 15 16:17:10 2020 +0530
security contexts add for container + pod
---
pkg/apis/rocketmq/v1alpha1/broker_types.go | 4 ++++
pkg/apis/rocketmq/v1alpha1/nameservice_types.go | 4 ++++
pkg/controller/broker/broker_controller.go | 28 ++++++++++++++++++----
.../nameservice/nameservice_controller.go | 24 ++++++++++++++++---
4 files changed, 52 insertions(+), 8 deletions(-)
diff --git a/pkg/apis/rocketmq/v1alpha1/broker_types.go
b/pkg/apis/rocketmq/v1alpha1/broker_types.go
index 1e694ee..54636ae 100644
--- a/pkg/apis/rocketmq/v1alpha1/broker_types.go
+++ b/pkg/apis/rocketmq/v1alpha1/broker_types.go
@@ -56,6 +56,10 @@ type BrokerSpec struct {
VolumeClaimTemplates []corev1.PersistentVolumeClaim
`json:"volumeClaimTemplates"`
// The name of pod where the metadata from
ScalePodName string `json:"scalePodName"`
+ // Pod Security Context
+ PodSecurityContext *corev1.PodSecurityContext
`json:"securityContext,omitempty"`
+ // Container Security Context
+ ContainerSecurityContext *corev1.SecurityContext
`json:"containerSecurityContext,omitempty"`
}
// BrokerStatus defines the observed state of Broker
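Review bot: The comments on the two new fields do not say that the fields are optional or what the operator does when they are omitted, and the JSON key `securityContext` differs from the Go name `PodSecurityContext`, which a reader of the CRD schema has to map by hand. Suggest `// PodSecurityContext is the optional pod-level securityContext applied to the broker StatefulSet pods; when omitted no pod-level settings (runAsUser, fsGroup, ...) are applied.` and `// ContainerSecurityContext is the optional container-level securityContext for the broker container; per the Kubernetes API it takes precedence over the pod-level context for fields present in both.` The same applies to the matching hunk in nameservice_types.go. If the project uses kubebuilder markers on its spec fields (none are visible in this hunk), `// +optional` belongs on both fields as well.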
diff --git a/pkg/apis/rocketmq/v1alpha1/nameservice_types.go
b/pkg/apis/rocketmq/v1alpha1/nameservice_types.go
index b8900e9..82e71bc 100644
--- a/pkg/apis/rocketmq/v1alpha1/nameservice_types.go
+++ b/pkg/apis/rocketmq/v1alpha1/nameservice_types.go
@@ -49,6 +49,10 @@ type NameServiceSpec struct {
HostPath string `json:"hostPath"`
// VolumeClaimTemplates defines the StorageClass
VolumeClaimTemplates []corev1.PersistentVolumeClaim
`json:"volumeClaimTemplates"`
+ // Pod Security Context
+ PodSecurityContext *corev1.PodSecurityContext
`json:"securityContext,omitempty"`
+ // Container Security Context
+ ContainerSecurityContext *corev1.SecurityContext
`json:"containerSecurityContext,omitempty"`
}
// NameServiceStatus defines the observed state of NameService
diff --git a/pkg/controller/broker/broker_controller.go
b/pkg/controller/broker/broker_controller.go
index 5b2de77..9acf477 100644
--- a/pkg/controller/broker/broker_controller.go
+++ b/pkg/controller/broker/broker_controller.go
@@ -405,8 +405,8 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker
*rocketmqv1alpha1.Broker,
Spec: corev1.PodSpec{
Containers: []corev1.Container{{
Resources:
broker.Spec.Resources,
- Image: broker.Spec.BrokerImage,
- Name: cons.BrokerContainerName,
+ Image:
broker.Spec.BrokerImage,
+ Name:
cons.BrokerContainerName,
Lifecycle: &corev1.Lifecycle{
PostStart:
&corev1.Handler{
Exec:
&corev1.ExecAction{
@@ -414,8 +414,9 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker
*rocketmqv1alpha1.Broker,
},
},
},
+ SecurityContext:
getContainerSecurityContext(broker),
ImagePullPolicy:
broker.Spec.ImagePullPolicy,
- Env: getENV(broker,
replicaIndex, brokerGroupIndex),
+ Env: getENV(broker,
replicaIndex, brokerGroupIndex),
Ports: []corev1.ContainerPort{{
ContainerPort:
cons.BrokerVipContainerPort,
Name:
cons.BrokerVipContainerPortName,
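Review bot: The container `SecurityContext:` is inserted here between `Lifecycle` and `ImagePullPolicy`, while the nameservice_controller.go hunk appends it after `VolumeMounts`; placing the field at the same position in both container literals keeps the two controllers easy to diff against each other. This is a style point only; the behaviour is the same either way. getBrokerStatefulSet starts and ends outside the hunk.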
@@ -440,7 +441,8 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker
*rocketmqv1alpha1.Broker,
SubPath:
cons.BrokerConfigName,
}},
}},
- Volumes: getVolumes(broker),
+ Volumes: getVolumes(broker),
+ SecurityContext:
getPodSecurityContext(broker),
},
},
VolumeClaimTemplates: getVolumeClaimTemplates(broker),
@@ -453,7 +455,7 @@ func (r *ReconcileBroker) getBrokerStatefulSet(broker
*rocketmqv1alpha1.Broker,
}
-func getENV(broker *rocketmqv1alpha1.Broker, replicaIndex int,
brokerGroupIndex int) []corev1.EnvVar {
+func getENV(broker *rocketmqv1alpha1.Broker, replicaIndex int,
brokerGroupIndex int) []corev1.EnvVar {
envs := []corev1.EnvVar{{
Name: cons.EnvNameServiceAddress,
Value: share.NameServersStr,
@@ -482,6 +484,22 @@ func getVolumeClaimTemplates(broker
*rocketmqv1alpha1.Broker) []corev1.Persisten
}
}
+func getPodSecurityContext(broker *rocketmqv1alpha1.Broker)
*corev1.PodSecurityContext {
+ var securityContext = corev1.PodSecurityContext{}
+ if broker.Spec.PodSecurityContext != nil {
+ securityContext = *broker.Spec.PodSecurityContext
+ }
+ return &securityContext
+}
+
+func getContainerSecurityContext(broker *rocketmqv1alpha1.Broker)
*corev1.SecurityContext {
+ var securityContext = corev1.SecurityContext{}
+ if broker.Spec.ContainerSecurityContext != nil {
+ securityContext = *broker.Spec.ContainerSecurityContext
+ }
+ return &securityContext
+}
+
func getVolumes(broker *rocketmqv1alpha1.Broker) []corev1.Volume {
switch broker.Spec.StorageMode {
case cons.StorageModeStorageClass:
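Review bot: getPodSecurityContext and getContainerSecurityContext never return nil: when the CR sets no context they return a pointer to an empty struct, so the generated StatefulSet always carries a non-nil `securityContext` even though the user set none, and when the CR does set one the `securityContext = *broker.Spec.PodSecurityContext` copy is shallow, so pointer fields such as RunAsUser still alias the CR object. Returning `broker.Spec.PodSecurityContext.DeepCopy()` and `broker.Spec.ContainerSecurityContext.DeepCopy()` (the generated DeepCopy methods return nil for a nil receiver) preserves the "unset" state, isolates the StatefulSet from the CR, and, if the controller compares the desired StatefulSet against the live one elsewhere (not visible here), avoids a spurious empty-versus-nil difference. The two helpers added in the nameservice_controller.go hunk have the same shape and would take the same change; since the four functions differ only in the spec type they read, one pair of helpers taking the `*corev1.PodSecurityContext` / `*corev1.SecurityContext` pointer directly could serve both controllers. Each helper should also get a doc comment, e.g. `// getPodSecurityContext returns the pod-level security context from the CR, or nil when none is set, in which case no pod-level hardening is applied.`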
diff --git a/pkg/controller/nameservice/nameservice_controller.go
b/pkg/controller/nameservice/nameservice_controller.go
index 410515f..1346920 100644
--- a/pkg/controller/nameservice/nameservice_controller.go
+++ b/pkg/controller/nameservice/nameservice_controller.go
@@ -297,6 +297,22 @@ func getRunningNameServersNum(pods []corev1.Pod) int32 {
return num
}
+func getPodSecurityContext(nameService *rocketmqv1alpha1.NameService)
*corev1.PodSecurityContext {
+ var securityContext = corev1.PodSecurityContext{}
+ if nameService.Spec.PodSecurityContext != nil {
+ securityContext = *nameService.Spec.PodSecurityContext
+ }
+ return &securityContext
+}
+
+func getContainerSecurityContext(nameService *rocketmqv1alpha1.NameService)
*corev1.SecurityContext {
+ var securityContext = corev1.SecurityContext{}
+ if nameService.Spec.ContainerSecurityContext != nil {
+ securityContext = *nameService.Spec.ContainerSecurityContext
+ }
+ return &securityContext
+}
+
func labelsForNameService(name string) map[string]string {
return map[string]string{"app": "name_service", "name_service_cr": name}
}
@@ -319,10 +335,10 @@ func (r *ReconcileNameService)
statefulSetForNameService(nameService *rocketmqv1
},
Spec: corev1.PodSpec{
HostNetwork:
nameService.Spec.HostNetwork,
- DNSPolicy: nameService.Spec.DNSPolicy,
+ DNSPolicy: nameService.Spec.DNSPolicy,
Containers: []corev1.Container{{
Resources:
nameService.Spec.Resources,
- Image:
nameService.Spec.NameServiceImage,
+ Image:
nameService.Spec.NameServiceImage,
// Name must be lower case !
Name: "name-service",
ImagePullPolicy:
nameService.Spec.ImagePullPolicy,
@@ -335,8 +351,10 @@ func (r *ReconcileNameService)
statefulSetForNameService(nameService *rocketmqv1
Name:
nameService.Spec.VolumeClaimTemplates[0].Name,
SubPath:
cons.LogSubPathName,
}},
+ SecurityContext:
getContainerSecurityContext(nameService),
}},
- Volumes: getVolumes(nameService),
+ Volumes:
getVolumes(nameService),
+ SecurityContext:
getPodSecurityContext(nameService),
},
},
VolumeClaimTemplates:
getVolumeClaimTemplates(nameService),