示例#1
 /// <summary>
 /// Stores the pod-related create options of a module. Each argument is passed through
 /// <c>Option.Maybe</c> before it is assigned to the property of the same name, so callers
 /// may hand in <c>null</c> for anything they do not want to set.
 /// </summary>
 /// <param name="env">Environment entries for the container.</param>
 /// <param name="exposedPorts">Ports exposed by the container.</param>
 /// <param name="hostConfig">Docker-style host configuration.</param>
 /// <param name="image">Container image reference.</param>
 /// <param name="labels">Docker labels attached to the module.</param>
 /// <param name="cmd">Command arguments for the container.</param>
 /// <param name="entrypoint">Entrypoint override for the container.</param>
 /// <param name="workingDir">Working directory inside the container.</param>
 /// <param name="nodeSelector">Kubernetes node selector for the pod.</param>
 /// <param name="resources">Resource requests and limits.</param>
 /// <param name="volumes">Volume specifications for the module.</param>
 /// <param name="securityContext">Pod-level security context requested for the module.</param>
 CreatePodParameters(
     IReadOnlyList<string> env,
     IDictionary<string, EmptyStruct> exposedPorts,
     HostConfig hostConfig,
     string image,
     IDictionary<string, string> labels,
     IReadOnlyList<string> cmd,
     IReadOnlyList<string> entrypoint,
     string workingDir,
     IDictionary<string, string> nodeSelector,
     V1ResourceRequirements resources,
     IReadOnlyList<KubernetesModuleVolumeSpec> volumes,
     V1PodSecurityContext securityContext)
 {
     // Docker-style container settings.
     Env = Option.Maybe(env);
     ExposedPorts = Option.Maybe(exposedPorts);
     HostConfig = Option.Maybe(hostConfig);
     Image = Option.Maybe(image);
     Labels = Option.Maybe(labels);
     Cmd = Option.Maybe(cmd);
     Entrypoint = Option.Maybe(entrypoint);
     WorkingDir = Option.Maybe(workingDir);

     // Kubernetes-specific settings, including the security-relevant pod security context.
     NodeSelector = Option.Maybe(nodeSelector);
     Resources = Option.Maybe(resources);
     Volumes = Option.Maybe(volumes);
     SecurityContext = Option.Maybe(securityContext);
 }
示例#2
 /// <summary>
 /// Factory for <see cref="CreatePodParameters"/> in which every argument is optional, so a
 /// caller can name only the settings it cares about (for example <c>securityContext:</c>).
 /// </summary>
 /// <remarks>
 /// The values are forwarded to the constructor positionally, so the argument order below
 /// has to stay in step with the constructor's parameter order.
 /// </remarks>
 /// <returns>A new <see cref="CreatePodParameters"/> built from the supplied values.</returns>
 internal static CreatePodParameters Create(
     IReadOnlyList<string> env = null,
     IDictionary<string, EmptyStruct> exposedPorts = null,
     HostConfig hostConfig = null,
     string image = null,
     IDictionary<string, string> labels = null,
     IDictionary<string, string> nodeSelector = null,
     V1ResourceRequirements resources = null,
     IReadOnlyList<KubernetesModuleVolumeSpec> volumes = null,
     V1PodSecurityContext securityContext = null)
 {
     return new CreatePodParameters(
         env,
         exposedPorts,
         hostConfig,
         image,
         labels,
         nodeSelector,
         resources,
         volumes,
         securityContext);
 }
        /// <summary>
        /// Builds the pod template for a module: a proxy container plus the module container,
        /// their volumes, image pull secrets, and the pod-level security settings.
        /// </summary>
        /// <param name="name">Pod name; also used as the pod's service account name.</param>
        /// <param name="identity">Module identity; its module id is recorded as an annotation.</param>
        /// <param name="module">Module whose create options drive the pod spec.</param>
        /// <param name="labels">Kubernetes labels placed on the pod metadata.</param>
        /// <returns>The assembled <see cref="V1PodTemplateSpec"/>.</returns>
        V1PodTemplateSpec GetPod(string name, IModuleIdentity identity, KubernetesModule module, IDictionary<string, string> labels)
        {
            // Docker labels are less restricted than Kubernetes labels, so they are carried over as
            // annotations instead. Only the key is sanitized; the value is copied unchanged.
            Dictionary<string, string> podAnnotations = module.Config.CreateOptions.Labels
                .Map(dockerLabels => dockerLabels.ToDictionary(
                    entry => KubeUtils.SanitizeAnnotationKey(entry.Key),
                    entry => entry.Value))
                .GetOrElse(() => new Dictionary<string, string>());

            podAnnotations[KubernetesConstants.K8sEdgeOriginalModuleId] = ModuleIdentityHelper.GetModuleName(identity.ModuleId);

            var (edgeProxy, edgeProxyVolumes) = this.PrepareProxyContainer(module);
            var (workload, workloadVolumes) = this.PrepareModuleContainer(name, identity, module);

            // Security-relevant: whether the pod shares the host IPC namespace is decided from the
            // module's create options, i.e. from deployment-supplied configuration.
            bool? shareHostIpc = this.IsHostIpc(module.Config.CreateOptions);

            // Collect the proxy pull secret and the module's registry credential name, drop the
            // absent ones and duplicates, and turn the rest into object references.
            var candidateSecretNames = new List<Option<string>>
            {
                this.proxyImagePullSecretName,
                module.Config.AuthConfig.Map(auth => auth.Name)
            };
            var pullSecretRefs = candidateSecretNames
                .FilterMap()
                .Distinct()
                .Select(pullSecretName => new V1LocalObjectReference(pullSecretName))
                .ToList();

            // Security-relevant: a security context given in the create options is used as-is and
            // replaces the default entirely. The non-root default (UID 1000) applies only when the
            // module supplies none and runAsNonRoot is enabled; otherwise no context is set.
            V1PodSecurityContext podSecurity = module.Config.CreateOptions.SecurityContext.GetOrElse(
                () =>
                {
                    if (this.runAsNonRoot)
                    {
                        return new V1PodSecurityContext { RunAsNonRoot = true, RunAsUser = 1000 };
                    }

                    return null;
                });

            var podMetadata = new V1ObjectMeta
            {
                Name = name,
                Labels = labels,
                Annotations = podAnnotations
            };

            var podSpec = new V1PodSpec
            {
                Containers = new List<V1Container> { edgeProxy, workload },
                Volumes = edgeProxyVolumes.Concat(workloadVolumes).ToList(),
                // An empty list is replaced by null so no pull-secret field is set at all.
                ImagePullSecrets = pullSecretRefs.Count > 0 ? pullSecretRefs : null,
                SecurityContext = podSecurity,
                // The pod runs under a service account that carries the pod's own name.
                ServiceAccountName = name,
                NodeSelector = module.Config.CreateOptions.NodeSelector.OrDefault(),
                HostIPC = shareHostIpc,
            };

            return new V1PodTemplateSpec
            {
                Metadata = podMetadata,
                Spec = podSpec
            };
        }
示例#4
 /// <summary>
 /// Factory for <see cref="CreatePodParameters"/> in which every argument is optional, so a
 /// caller can name only the settings it cares about (for example <c>securityContext:</c>).
 /// </summary>
 /// <remarks>
 /// The values are forwarded to the constructor positionally, so the argument order below
 /// has to stay in step with the constructor's parameter order.
 /// </remarks>
 /// <returns>A new <see cref="CreatePodParameters"/> built from the supplied values.</returns>
 internal static CreatePodParameters Create(
     IReadOnlyList<string> env = null,
     IDictionary<string, EmptyStruct> exposedPorts = null,
     HostConfig hostConfig = null,
     string image = null,
     IDictionary<string, string> labels = null,
     IReadOnlyList<string> cmd = null,
     IReadOnlyList<string> entrypoint = null,
     string workingDir = null,
     IDictionary<string, string> nodeSelector = null,
     V1ResourceRequirements resources = null,
     IReadOnlyList<KubernetesModuleVolumeSpec> volumes = null,
     V1PodSecurityContext securityContext = null,
     KubernetesServiceOptions serviceOptions = null,
     V1DeploymentStrategy deploymentStrategy = null)
 {
     return new CreatePodParameters(
         env,
         exposedPorts,
         hostConfig,
         image,
         labels,
         cmd,
         entrypoint,
         workingDir,
         nodeSelector,
         resources,
         volumes,
         securityContext,
         serviceOptions,
         deploymentStrategy);
 }
示例#5
        /// <summary>
        /// Checks that a pod security context given in the module's create options appears
        /// unchanged on the pod template of the generated deployment.
        /// </summary>
        public void ApplyPodSecurityContextFromCreateOptionsWhenProvided()
        {
            // Arrange: a module whose create options carry an explicit non-root context with UID 20001.
            var requestedContext = new V1PodSecurityContext { RunAsNonRoot = true, RunAsUser = 20001 };
            var moduleIdentity = new ModuleIdentity("hostname", "gatewayhost", "deviceid", "Module1", Mock.Of<ICredentials>());
            var kubernetesConfig = new KubernetesConfig(
                "image",
                CreatePodParameters.Create(securityContext: requestedContext),
                Option.Some(new AuthConfig("user-registry1")));
            var kubernetesModule = new KubernetesModule(
                "module1",
                "v1",
                "docker",
                ModuleStatus.Running,
                RestartPolicy.Always,
                DefaultConfigurationInfo,
                EnvVarsDict,
                kubernetesConfig,
                ImagePullPolicy.OnCreate,
                EdgeletModuleOwner);
            var podLabels = new Dictionary<string, string>();
            var deploymentMapper = CreateMapper();

            // Act
            var deployment = deploymentMapper.CreateDeployment(moduleIdentity, kubernetesModule, podLabels);

            // Assert: the requested values are what ends up on the pod spec, and exactly one
            // image pull secret reference is present.
            var podSpec = deployment.Spec.Template.Spec;
            Assert.Equal(1, podSpec.ImagePullSecrets.Count);
            Assert.Equal(true, podSpec.SecurityContext.RunAsNonRoot);
            Assert.Equal(20001, podSpec.SecurityContext.RunAsUser);
        }