kubernetes-sigs/kustomize
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kustomize.git synced 2026-06-13 01:50:55 +00:00
Code Issues Packages Projects Releases 1 Wiki Activity

kyaml: add Network to ContainerFilter

Browse Source
This commit is contained in:
Igor Zibarev
2019-11-12 23:28:55 +03:00
parent 912a9c3baa
commit bfa5c59dc6
2 changed files with 46 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
kyaml/kio/filters/container.go
View File

@@ -15,7 +15,7 @@ import (
"sigs.k8s.io/kustomize/kyaml/yaml" "sigs.k8s.io/kustomize/kyaml/yaml"
) )
// GrepFilter filters Resources using a container image. // ContainerFilter filters Resources using a container image.
// The container must start a process that reads the list of // The container must start a process that reads the list of
// input Resources from stdin, reads the Configuration from the env // input Resources from stdin, reads the Configuration from the env
// API_CONFIG, and writes the filtered Resources to stdout. // API_CONFIG, and writes the filtered Resources to stdout.
@@ -27,6 +27,9 @@ type ContainerFilter struct {
// Image is the container image to use to create a container. // Image is the container image to use to create a container.
Image string `yaml:"image,omitempty"` Image string `yaml:"image,omitempty"`
// Network is the container network to use.
Network string `yaml:"network,omitempty"`
// Config is the API configuration for the container and passed through the // Config is the API configuration for the container and passed through the
// API_CONFIG env var to the container. // API_CONFIG env var to the container.
// Typically a Kubernetes style Resource Config. // Typically a Kubernetes style Resource Config.
@@ -79,12 +82,18 @@ func (c *ContainerFilter) getArgs() []string {
// run the container using docker. this is simpler than using the docker // run the container using docker. this is simpler than using the docker
// libraries, and ensures things like auth work the same as if the container // libraries, and ensures things like auth work the same as if the container
// was run from the cli. // was run from the cli.
network := "none"
if c.Network != "" {
network = c.Network
}
args := []string{"docker", "run", args := []string{"docker", "run",
"--rm", // delete the container afterward "--rm", // delete the container afterward
"-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR", // attach stdin, stdout, stderr "-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR", // attach stdin, stdout, stderr
// added security options // added security options
"--network", "none", // disable the network "--network", network,
"--user", "nobody", // run as nobody "--user", "nobody", // run as nobody
// don't make fs readonly because things like heredoc rely on writing tmp files // don't make fs readonly because things like heredoc rely on writing tmp files
"--security-opt=no-new-privileges", // don't allow the user to escalate privileges "--security-opt=no-new-privileges", // don't allow the user to escalate privileges

35
kyaml/kio/filters/container_test.go
View File

@@ -60,6 +60,41 @@ metadata:
assert.True(t, foundKyaml) assert.True(t, foundKyaml)
} }
func TestFilter_command_network(t *testing.T) {
cfg, err := yaml.Parse(`apiversion: apps/v1
kind: Deployment
metadata:
name: foo
`)
if !assert.NoError(t, err) {
return
}
instance := &ContainerFilter{
Image: "example.com:version",
Network: "test-net",
Config: cfg,
}
cmd, err := instance.getCommand()
if !assert.NoError(t, err) {
return
}
expected := []string{
"docker", "run",
"--rm",
"-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR",
"--network", "test-net",
"--user", "nobody",
"--security-opt=no-new-privileges",
}
for _, e := range os.Environ() {
// the process env
expected = append(expected, "-e", strings.Split(e, "=")[0])
}
expected = append(expected, "example.com:version")
assert.Equal(t, expected, cmd.Args)
}
func TestFilter_Filter(t *testing.T) { func TestFilter_Filter(t *testing.T) {
cfg, err := yaml.Parse(`apiVersion: apps/v1 cfg, err := yaml.Parse(`apiVersion: apps/v1
kind: Deployment kind: Deployment