Merge pull request #119 from st-tech/support-security-context

Supports PodSecurityContext and Gatling runner container securityContext
st-tech · Jun 27, 2024 · 215d73b · 215d73b
2 parents 2b2b470 + 68ef585
commit 215d73b
Show file tree

Hide file tree

Showing 8 changed files with 417 additions and 19 deletions.
diff --git a/api/v1alpha1/gatling_types.go b/api/v1alpha1/gatling_types.go
@@ -100,6 +100,14 @@ type PodSpec struct {
 	// (Optional) volumes specification.
 	// +kubebuilder:validation:Optional
 	Volumes []corev1.Volume `json:"volumes,omitempty"`
+
+	// (Optional) SecurityContext specification.
+	// +kubebuilder:validation:Optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
+
+	// (Optional) RunnerContainerSecurityContext specifies the SecurityContext of the Gatling runner container.
+	// +kubebuilder:validation:Optional
+	RunnerContainerSecurityContext *corev1.SecurityContext `json:"runnerContainerSecurityContext,omitempty"`
 }
 
 // TestScenarioSpec defines the load testing scenario

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/gatling-operator.tech.zozo.com_gatlings.yaml b/config/crd/bases/gatling-operator.tech.zozo.com_gatlings.yaml
diff --git a/config/samples/gatling-operator_v1alpha1_gatling01.yaml b/config/samples/gatling-operator_v1alpha1_gatling01.yaml
@@ -8,6 +8,13 @@ spec:
   notifyReport: false                                     # The flag of notifying gatling report
   cleanupAfterJobDone: true                               #  The flag of cleaning up gatling jobs resources after the job done
   podSpec:
+    securityContext:
+      sysctls:
+        - name: net.ipv4.ip_local_port_range
+          value: "1024 65535"
+    runnerContainerSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
     serviceAccountName: "gatling-operator-worker"
     gatlingImage: ghcr.io/st-tech/gatling:latest          # Optional. Default: ghcr.io/st-tech/gatling:latest. The image that will be used for Gatling container.
     rcloneImage: rclone/rclone                            # Optional. Default: rclone/rclone:latest. The image that will be used for rclone conatiner.

diff --git a/controllers/gatling_controller.go b/controllers/gatling_controller.go
@@ -563,6 +563,7 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga
 						Affinity:           r.getPodAffinity(gatling),
 						Tolerations:        r.getPodTolerations(gatling),
 						ServiceAccountName: r.getPodServiceAccountName(gatling),
+						SecurityContext:    r.getPodSecurityContext(gatling),
 						InitContainers: []corev1.Container{
 							{
 								Name:      "gatling-waiter",
@@ -580,13 +581,14 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga
 						},
 						Containers: []corev1.Container{
 							{
-								Name:         "gatling-runner",
-								Image:        r.getGatlingContainerImage(gatling),
-								Command:      []string{"/bin/sh", "-c"},
-								Args:         []string{gatlingRunnerCommand},
-								Env:          envVars,
-								Resources:    r.getPodResources(gatling),
-								VolumeMounts: r.getGatlingRunnerJobVolumeMounts(gatling),
+								Name:            "gatling-runner",
+								Image:           r.getGatlingContainerImage(gatling),
+								Command:         []string{"/bin/sh", "-c"},
+								Args:            []string{gatlingRunnerCommand},
+								Env:             envVars,
+								Resources:       r.getPodResources(gatling),
+								VolumeMounts:    r.getGatlingRunnerJobVolumeMounts(gatling),
+								SecurityContext: r.getRunnerContainerSecurityContext(gatling),
 							},
 							{
 								Name:    "gatling-result-transferer",
@@ -630,6 +632,7 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga
 					Affinity:           r.getPodAffinity(gatling),
 					Tolerations:        r.getPodTolerations(gatling),
 					ServiceAccountName: r.getPodServiceAccountName(gatling),
+					SecurityContext:    r.getPodSecurityContext(gatling),
 					InitContainers: []corev1.Container{
 						{
 							Name:      "gatling-waiter",
@@ -647,13 +650,14 @@ func (r *GatlingReconciler) newGatlingRunnerJobForCR(gatling *gatlingv1alpha1.Ga
 					},
 					Containers: []corev1.Container{
 						{
-							Name:         "gatling-runner",
-							Image:        r.getGatlingContainerImage(gatling),
-							Command:      []string{"/bin/sh", "-c"},
-							Args:         []string{gatlingRunnerCommand},
-							Env:          envVars,
-							Resources:    r.getPodResources(gatling),
-							VolumeMounts: r.getGatlingRunnerJobVolumeMounts(gatling),
+							Name:            "gatling-runner",
+							Image:           r.getGatlingContainerImage(gatling),
+							Command:         []string{"/bin/sh", "-c"},
+							Args:            []string{gatlingRunnerCommand},
+							Env:             envVars,
+							Resources:       r.getPodResources(gatling),
+							VolumeMounts:    r.getGatlingRunnerJobVolumeMounts(gatling),
+							SecurityContext: r.getRunnerContainerSecurityContext(gatling),
 						},
 					},
 					RestartPolicy: "Never",
@@ -1110,6 +1114,22 @@ func (r *GatlingReconciler) getResultsDirectoryPath(gatling *gatlingv1alpha1.Gat
 	return path
 }
 
+func (r *GatlingReconciler) getPodSecurityContext(gatling *gatlingv1alpha1.Gatling) *corev1.PodSecurityContext {
+	securityContext := &corev1.PodSecurityContext{}
+	if &gatling.Spec.PodSpec != nil && &gatling.Spec.PodSpec.SecurityContext != nil {
+		securityContext = gatling.Spec.PodSpec.SecurityContext
+	}
+	return securityContext
+}
+
+func (r *GatlingReconciler) getRunnerContainerSecurityContext(gatling *gatlingv1alpha1.Gatling) *corev1.SecurityContext {
+	securityContext := &corev1.SecurityContext{}
+	if &gatling.Spec.PodSpec != nil && &gatling.Spec.PodSpec.RunnerContainerSecurityContext != nil {
+		securityContext = gatling.Spec.PodSpec.RunnerContainerSecurityContext
+	}
+	return securityContext
+}
+
 func (r *GatlingReconciler) getGenerateLocalReport(gatling *gatlingv1alpha1.Gatling) bool {
 	if &gatling.Spec.GenerateLocalReport == nil {
 		return false

diff --git a/controllers/gatling_controller_test.go b/controllers/gatling_controller_test.go
@@ -37,6 +37,15 @@ var _ = Context("Inside of a new namespace", func() {
 					GenerateReport:      false,
 					NotifyReport:        false,
 					CleanupAfterJobDone: false,
+					PodSpec: gatlingv1alpha1.PodSpec{
+						SecurityContext: &corev1.PodSecurityContext{
+							Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"}},
+						},
+						RunnerContainerSecurityContext: &corev1.SecurityContext{
+							RunAsUser:  pointer.Int64Ptr(1000),
+							RunAsGroup: pointer.Int64Ptr(1000),
+						},
+					},
 					TestScenarioSpec: gatlingv1alpha1.TestScenarioSpec{
 						SimulationClass: "MyBasicSimulation",
 					},

diff --git a/docs/api.md b/docs/api.md
@@ -24,8 +24,7 @@ _Appears in:_
 
 | Field | Description |
 | --- | --- |
-| `provider` _string_ | (Required) Provider specifies the cloud provider that will be used.
-Supported providers: `aws`, `gcp`, and `azure` |
+| `provider` _string_ | (Required) Provider specifies the cloud provider that will be used. Supported providers: `aws`, `gcp`, and `azure` |
 | `bucket` _string_ | (Required) Storage Bucket Name. |
 | `region` _string_ | (Optional) Region Name. |
 | `env` _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#envvar-v1-core) array_ | (Optional) Environment variables used for connecting to the cloud providers. |
@@ -83,8 +82,7 @@ _Appears in:_
 
 | Field | Description |
 | --- | --- |
-| `provider` _string_ | (Required) Provider specifies notification service provider.
-Supported providers: `slack` |
+| `provider` _string_ | (Required) Provider specifies notification service provider. Supported providers: `slack` |
 | `secretName` _string_ | (Required) The name of secret in which all key/value sets needed for the notification are stored. |
 
 
@@ -136,6 +134,8 @@ _Appears in:_
 | `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#toleration-v1-core) array_ | (Optional) Tolerations specification. |
 | `serviceAccountName` _string_ | (Required) ServiceAccountName specification. |
 | `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volume-v1-core) array_ | (Optional) volumes specification. |
+| `securityContext` _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core)_ | (Optional) SecurityContext specification. |
+| `runnerContainerSecurityContext` _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core)_ | (Optional) RunnerContainerSecurityContext specifies the SecurityContext of the Gatling runner container. |
 
 
 #### TestScenarioSpec

diff --git a/gatling/Dockerfile b/gatling/Dockerfile
@@ -5,6 +5,10 @@
 
 FROM openjdk:21-jdk-slim-bullseye
 
+# create user/group
+RUN groupadd -g 1000 gatling && \
+  useradd -l -u 1000 -m gatling -g gatling
+
 # working directory for gatling
 WORKDIR /opt
 
@@ -22,7 +26,8 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y wget unzip &&  \
   mkdir -p /tmp/archive && cd /tmp/archive && \
   unzip /tmp/downloads/gatling-$GATLING_VERSION.zip && \
   mv /tmp/archive/gatling-charts-highcharts-bundle-$GATLING_VERSION/* /opt/gatling/ && \
-  rm -rf /opt/gatling/user-files/simulations/computerdatabase /tmp/*
+  rm -rf /opt/gatling/user-files/simulations/computerdatabase /tmp/*  && \
+  chown -R gatling:gatling /opt/gatling
 
 # change context to gatling directory
 WORKDIR  /opt/gatling