deep-stack/kompose
7
0
Fork 0
forked from LaconicNetwork/kompose
Code Pull Requests Activity

Merge pull request #1670 from AhmedGrati/feat-add-read-only-support

Browse Source 
Feat: add read only containers support
This commit is contained in:
Kubernetes Prow Robot 2023-07-16 10:51:05 -07:00 committed by GitHub
commit 071451dfdf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 194 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kobject/kobject.go
View File

@ -110,6 +110,7 @@ type ServiceConfig struct {
WorkingDir string `compose:""` WorkingDir string `compose:""`
DomainName string `compose:"domainname"` DomainName string `compose:"domainname"`
HostName string `compose:"hostname"` HostName string `compose:"hostname"`
ReadOnly bool `compose:"read_only"`
Args []string `compose:"args"` Args []string `compose:"args"`
VolList []string `compose:"volumes"` VolList []string `compose:"volumes"`
Network []string `compose:"network"` Network []string `compose:"network"`

1
pkg/loader/compose/compose.go
View File

@ -462,6 +462,7 @@ func dockerComposeToKomposeMapping(composeObject *types.Project) (kobject.Kompos
serviceConfig.Expose = composeServiceConfig.Expose serviceConfig.Expose = composeServiceConfig.Expose
serviceConfig.Privileged = composeServiceConfig.Privileged serviceConfig.Privileged = composeServiceConfig.Privileged
serviceConfig.User = composeServiceConfig.User serviceConfig.User = composeServiceConfig.User
serviceConfig.ReadOnly = composeServiceConfig.ReadOnly
serviceConfig.Stdin = composeServiceConfig.StdinOpen serviceConfig.Stdin = composeServiceConfig.StdinOpen
serviceConfig.Tty = composeServiceConfig.Tty serviceConfig.Tty = composeServiceConfig.Tty
serviceConfig.TmpFs = composeServiceConfig.Tmpfs serviceConfig.TmpFs = composeServiceConfig.Tmpfs

5
pkg/transformer/kubernetes/k8sutils.go
View File

@ -573,6 +573,11 @@ func (k *Kubernetes) UpdateKubernetesObjects(name string, service kobject.Servic
securityContext.Capabilities = capabilities securityContext.Capabilities = capabilities
} }
//set readOnlyRootFilesystem if it is enabled
if service.ReadOnly {
securityContext.ReadOnlyRootFilesystem = &service.ReadOnly
}
// update template only if securityContext is not empty // update template only if securityContext is not empty
if *securityContext != (api.SecurityContext{}) { if *securityContext != (api.SecurityContext{}) {
template.Spec.Containers[0].SecurityContext = securityContext template.Spec.Containers[0].SecurityContext = securityContext

28
pkg/transformer/kubernetes/k8sutils_test.go
View File

@ -629,3 +629,31 @@ func TestArgsInterpolation(t *testing.T) {
} }
} }
} }
func TestReadOnlyRootFS(t *testing.T) {
// An example service
service := kobject.ServiceConfig{
ContainerName: "name",
Image: "image",
ReadOnly: true,
}
// An example object generated via k8s runtime.Objects()
komposeObject := kobject.KomposeObject{
ServiceConfigs: map[string]kobject.ServiceConfig{"app": service},
}
k := Kubernetes{}
objects, err := k.Transform(komposeObject, kobject.ConvertOptions{CreateD: true})
if err != nil {
t.Error(errors.Wrap(err, "k.Transform failed"))
}
for _, obj := range objects {
if deployment, ok := obj.(*appsv1.Deployment); ok {
readOnlyFS := deployment.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem
if *readOnlyFS != true {
t.Errorf("Expected ReadOnlyRootFileSystem %v upon conversion, actual %v", true, readOnlyFS)
}
}
}
}

8
script/test/cmd/tests_new.sh
View File

@ -277,3 +277,11 @@ convert::expect_success "$os_cmd" "$os_output"
k8s_cmd="kompose -f $KOMPOSE_ROOT/script/test/fixtures/custom-build-push/docker-compose.yaml convert --build-command 'docker build -t ahmedgrati/kompose-test ./script/test/fixtures/custom-build-push' --push-command 'docker push ahmedgrati/kompose-test' --stdout --with-kompose-annotation=false" k8s_cmd="kompose -f $KOMPOSE_ROOT/script/test/fixtures/custom-build-push/docker-compose.yaml convert --build-command 'docker build -t ahmedgrati/kompose-test ./script/test/fixtures/custom-build-push' --push-command 'docker push ahmedgrati/kompose-test' --stdout --with-kompose-annotation=false"
k8s_output="$KOMPOSE_ROOT/script/test/fixtures/custom-build-push/output-k8s.yaml" k8s_output="$KOMPOSE_ROOT/script/test/fixtures/custom-build-push/output-k8s.yaml"
convert::expect_success "$os_cmd" "$os_output" convert::expect_success "$os_cmd" "$os_output"
# Test support for read only root fs
k8s_cmd="kompose -f $KOMPOSE_ROOT/script/test/fixtures/read-only/docker-compose.yaml convert --stdout --with-kompose-annotation=false"
k8s_output="$KOMPOSE_ROOT/script/test/fixtures/read-only/output-k8s.yaml"
os_cmd="kompose -f $KOMPOSE_ROOT/script/test/fixtures/read-only/docker-compose.yaml convert --stdout --with-kompose-annotation=false --provider openshift"
os_output="$KOMPOSE_ROOT/script/test/fixtures/read-only/output-os.yaml"
convert::expect_success "$k8s_cmd" "$k8s_output"
convert::expect_success "$os_cmd" "$os_output"

6
script/test/fixtures/read-only/docker-compose.yaml vendored Normal file
View File

@ -0,0 +1,6 @@
services:
test:
image: alpine
read_only: true
ports:
- 80:80

52
script/test/fixtures/read-only/output-k8s.yaml vendored Normal file
View File

@ -0,0 +1,52 @@
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
io.kompose.service: test
name: test
spec:
ports:
- name: "80"
port: 80
targetPort: 80
selector:
io.kompose.service: test
status:
loadBalancer: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
io.kompose.service: test
name: test
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: test
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
io.kompose.network/read-only-default: "true"
io.kompose.service: test
spec:
containers:
- image: alpine
name: test
ports:
- containerPort: 80
hostPort: 80
protocol: TCP
resources: {}
securityContext:
readOnlyRootFilesystem: true
restartPolicy: Always
status: {}

93
script/test/fixtures/read-only/output-os.yaml vendored Normal file
View File

@ -0,0 +1,93 @@
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
io.kompose.service: test
name: test
spec:
ports:
- name: "80"
port: 80
targetPort: 80
selector:
io.kompose.service: test
status:
loadBalancer: {}
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
creationTimestamp: null
labels:
io.kompose.service: test
name: test
spec:
replicas: 1
selector:
io.kompose.service: test
strategy:
resources: {}
template:
metadata:
creationTimestamp: null
labels:
io.kompose.network/read-only-default: "true"
io.kompose.service: test
spec:
containers:
- image: ' '
name: test
ports:
- containerPort: 80
hostPort: 80
protocol: TCP
resources: {}
securityContext:
readOnlyRootFilesystem: true
restartPolicy: Always
test: false
triggers:
- type: ConfigChange
- imageChangeParams:
automatic: true
containerNames:
- test
from:
kind: ImageStreamTag
name: test:latest
type: ImageChange
status:
availableReplicas: 0
latestVersion: 0
observedGeneration: 0
replicas: 0
unavailableReplicas: 0
updatedReplicas: 0
---
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
creationTimestamp: null
labels:
io.kompose.service: test
name: test
spec:
lookupPolicy:
local: false
tags:
- annotations: null
from:
kind: DockerImage
name: alpine
generation: null
importPolicy: {}
name: latest
referencePolicy:
type: ""
status:
dockerImageRepository: ""