added PodSecurityContext

knative · Feb 20, 2024 · a3f6e06 · a3f6e06
1 parent e0a8a28
commit a3f6e06
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 18 deletions.
diff --git a/cmd/create.go b/cmd/create.go
@@ -178,8 +178,19 @@ func newCreateConfig(cmd *cobra.Command, args []string, newClient ClientFactory)
 		dirName      string
 		absolutePath string
 	)
+    client, done := newClient(ClientConfig{Verbose: cfg.Verbose})
+	defer done()
 
-	if len(args) >= 1 {
+	// IN confirm mode.  If also in an interactive terminal, run prompts.
+	if  len(args)<1 {
+		createdCfg, err := cfg.prompt(client)
+		if err != nil {
+			return createdCfg, err
+		}
+		fmt.Println("Command:")
+		fmt.Println(singleCommand(cmd, args, createdCfg))
+		return createdCfg, nil
+	}else {
 		path = args[0]
 	}
 
@@ -206,20 +217,6 @@ func newCreateConfig(cmd *cobra.Command, args []string, newClient ClientFactory)
 
 	// Create a tempoarary client for use by the following prompts to complete
 	// runtime/template suggestions etc
-	client, done := newClient(ClientConfig{Verbose: cfg.Verbose})
-	defer done()
-
-	// IN confirm mode.  If also in an interactive terminal, run prompts.
-	if interactiveTerminal() {
-		createdCfg, err := cfg.prompt(client)
-		if err != nil {
-			return createdCfg, err
-		}
-		fmt.Println("Command:")
-		fmt.Println(singleCommand(cmd, args, createdCfg))
-		return createdCfg, nil
-	}
-
 	// Confirming, but noninteractive
 	// Print out the final values as a confirmation.  Only show Repository or
 	// Repositories, not both (repository takes precedence) in order to avoid

diff --git a/pkg/functions/function.go b/pkg/functions/function.go
@@ -141,7 +141,9 @@ type RunSpec struct {
 
 	// Env variables to be set
 	Envs Envs `yaml:"envs,omitempty"`
-
+
+	// PodSecurityContext to be set for read and write permission
+	PodSecurityContext PodSecurityContext `yaml:"podSecurityContext, omitempty"`
 	// StartTimeout specifies that this function should have a custom timeout
 	// when starting. This setting is currently respected by the host runner,
 	// with containerized docker runner and deployed Knative service integration

diff --git a/pkg/knative/deployer.go b/pkg/knative/deployer.go
@@ -435,7 +435,7 @@ func generateNewService(f fn.Function, decorator DeployDecorator) (*v1.Service,
 	for k, v := range annotations {
 		revisionAnnotations[k] = v
 	}
-
+    PodSecurityContext := getPodSecurityContext(f.Run)
 	service := &v1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        f.Name,
@@ -451,6 +451,7 @@ func generateNewService(f fn.Function, decorator DeployDecorator) (*v1.Service,
 					},
 					Spec: v1.RevisionSpec{
 						PodSpec: corev1.PodSpec{
+							SecurityContext: PodSecurityContext,
 							Containers: []corev1.Container{
 								container,
 							},
@@ -1075,3 +1076,13 @@ func setServiceOptions(template *v1.RevisionTemplateSpec, options fn.Options) er
 
 	return servingclientlib.UpdateRevisionTemplateAnnotations(template, toUpdate, toRemove)
 }
+
+func getPodSecurityContext(RunSpec fn.RunSpec) *corev1.PodSecurityContext{
+    return &corev1.PodSecurityContext{
+		RunAsUser: RunSpec.PodSecurityContext.RunAsUser,
+		RunAsGroup: RunSpec.PodSecurityContext.RunAsGroup,
+		RunAsNonRoot: RunSpec.PodSecurityContext.RunAsNonRoot,
+		FSGroup: RunSpec.PodSecurityContext.FSGroup,
+	}
+
+}
diff --git a/schema/func_yaml-schema.json b/schema/func_yaml-schema.json
@@ -16,7 +16,7 @@
 						}
 					},
 					"type": "object",
-					"description": "BuilderImages define optional explicit builder images to use by\nbuilder implementations in leau of the in-code defaults.  They key\nis the builder's short name.  For example:\nbuilderImages:\n  pack: example.com/user/my-pack-node-builder\n  s2i: example.com/user/my-s2i-node-builder"
+					"description// with containerized docker runner and deployed Knative service integration": "BuilderImages define optional explicit builder images to use by\nbuilder implementations in leau of the in-code defaults.  They key\nis the builder's short name.  For example:\nbuilderImages:\n  pack: example.com/user/my-pack-node-builder\n  s2i: example.com/user/my-s2i-node-builder"
 				},
 				"buildpacks": {
 					"items": {
@@ -352,6 +352,26 @@
 					"type": "array",
 					"description": "Env variables to be set"
 				},
+				"podSecurityContext": {
+					"properties": {
+						"RunAsUser": {
+							"pattern": "^[-._a-zA-Z][-._a-zA-Z0-9]*$",
+							"type": "integer"
+						},
+						"RunAsGroup": {
+							"type": "integer"
+						},
+						"RunAsNonRoot":{
+							"type": "boolean"
+						},
+						"FSGroup":{
+							"type":"integer"
+						}
+					},
+					"additionalProperties": false,
+					"type": "object"
+
+				},
 				"startTimeout": {
 					"type": "integer",
 					"description": "StartTimeout specifies that this function should have a custom timeout\nwhen starting. This setting is currently respected by the host runner,\nwith containerized docker runner and deployed Knative service integration\nin development."