diff --git a/pkg/transformer/kubernetes/k8sutils.go b/pkg/transformer/kubernetes/k8sutils.go index bce4bade..3b66016f 100644 --- a/pkg/transformer/kubernetes/k8sutils.go +++ b/pkg/transformer/kubernetes/k8sutils.go @@ -23,6 +23,7 @@ import ( "io/ioutil" "os" "path/filepath" + "strconv" "strings" "text/template" @@ -286,12 +287,25 @@ func (k *Kubernetes) UpdateKubernetesObjects(name string, service kobject.Servic template.Spec.Containers[0].WorkingDir = service.WorkingDir template.Spec.Containers[0].VolumeMounts = volumesMount template.Spec.Volumes = volumes - // Configure the container privileged mode + + securityContext := &api.SecurityContext{} if service.Privileged == true { - template.Spec.Containers[0].SecurityContext = &api.SecurityContext{ - Privileged: &service.Privileged, - } + securityContext.Privileged = &service.Privileged } + if service.User != "" { + uid, err := strconv.ParseInt(service.User, 10, 64) + if err != nil { + logrus.Warn("Ignoring user directive. User to be specified as a UID (numeric).") + } else { + securityContext.RunAsUser = &uid + } + + } + // update template only if securityContext is not empty + if *securityContext != (api.SecurityContext{}) { + template.Spec.Containers[0].SecurityContext = securityContext + } + template.Spec.Containers[0].Ports = ports template.ObjectMeta.Labels = transformer.ConfigLabels(name) // Configure the container restart policy. diff --git a/pkg/transformer/kubernetes/k8sutils_test.go b/pkg/transformer/kubernetes/k8sutils_test.go index c20f4f5e..0ec15422 100644 --- a/pkg/transformer/kubernetes/k8sutils_test.go +++ b/pkg/transformer/kubernetes/k8sutils_test.go @@ -17,10 +17,12 @@ limitations under the License. package kubernetes import ( + "strconv" "testing" "github.com/kubernetes-incubator/kompose/pkg/kobject" "k8s.io/kubernetes/pkg/api" + "k8s.io/kubernetes/pkg/apis/extensions" ) /* @@ -49,7 +51,7 @@ func TestCreateService(t *testing.T) { Expose: []string{"expose"}, // not supported Privileged: true, Restart: "always", - User: "user", // not supported + User: "user", } // An example object generated via k8s runtime.Objects() @@ -65,3 +67,51 @@ func TestCreateService(t *testing.T) { t.Errorf("Expected port 123 upon conversion, actual %d", svc.Spec.Ports[0].Port) } } + +/* + Test the creation of a service with a specified user. + The expected result is that Kompose will set user in PodSpec +*/ +func TestCreateServiceWithServiceUser(t *testing.T) { + + // An example service + service := kobject.ServiceConfig{ + ContainerName: "name", + Image: "image", + Environment: []kobject.EnvVar{kobject.EnvVar{Name: "env", Value: "value"}}, + Port: []kobject.Ports{kobject.Ports{HostPort: 123, ContainerPort: 456, Protocol: api.ProtocolTCP}}, + Command: []string{"cmd"}, + WorkingDir: "dir", + Args: []string{"arg1", "arg2"}, + Volumes: []string{"/tmp/volume"}, + Network: []string{"network1", "network2"}, // not supported + Labels: nil, + Annotations: map[string]string{"kompose.service.type": "nodeport"}, + CPUSet: "cpu_set", // not supported + CPUShares: 1, // not supported + CPUQuota: 1, // not supported + CapAdd: []string{"cap_add"}, // not supported + CapDrop: []string{"cap_drop"}, // not supported + Expose: []string{"expose"}, // not supported + Privileged: true, + Restart: "always", + User: "1234", + } + + komposeObject := kobject.KomposeObject{ + ServiceConfigs: map[string]kobject.ServiceConfig{"app": service}, + } + k := Kubernetes{} + + objects := k.Transform(komposeObject, kobject.ConvertOptions{CreateD: true, Replicas: 1}) + + for _, obj := range objects { + if deploy, ok := obj.(*extensions.Deployment); ok { + uid := *deploy.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser + if strconv.FormatInt(uid, 10) != service.User { + t.Errorf("User in ServiceConfig is not matching user in PodSpec") + } + } + } + +}