add support for pod level securityContext

arttor · Sep 12, 2024 · 1474644 · 1474644
1 parent 1be11fb
commit 1474644
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 0 deletions.
diff --git a/pkg/processor/pod/pod.go b/pkg/processor/pod/pod.go
@@ -60,6 +60,23 @@ func ProcessSpec(objName string, appMeta helmify.AppMetadata, spec corev1.PodSpe
 	if err != nil {
 		return nil, nil, err
 	}
+	if spec.SecurityContext != nil {
+		securityContextMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&spec.SecurityContext)
+		if err != nil {
+			return nil, nil, err
+		}
+		if len(securityContextMap) > 0 {
+			err = unstructured.SetNestedField(specMap, fmt.Sprintf(`{{- toYaml .Values.%[1]s.podSecurityPolicy | nindent 8 }}`, objName), "securityContext")
+			if err != nil {
+				return nil, nil, err
+			}
+
+			err = unstructured.SetNestedField(values, securityContextMap, objName, "podSecurityPolicy")
+			if err != nil {
+				return nil, nil, fmt.Errorf("%w: unable to set deployment value field", err)
+			}
+		}
+	}
 
 	// process nodeSelector if presented:
 	if spec.NodeSelector != nil {

diff --git a/pkg/processor/pod/pod_test.go b/pkg/processor/pod/pod_test.go
@@ -110,6 +110,33 @@ spec:
         image: localhost:6001/my_project:latest
         ports:
         - containerPort: 80
+`
+	strDeploymentWithPodSecurityContext = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: localhost:6001/my_project:latest
+      securityContext:
+        fsGroup: 20000
+        runAsGroup: 30000
+        runAsNonRoot: true
+        runAsUser: 65532
+
 `
 )
 
@@ -274,5 +301,45 @@ func Test_pod_Process(t *testing.T) {
 			},
 		}, tmpl)
 	})
+	t.Run("deployment with securityContext", func(t *testing.T) {
+		var deploy appsv1.Deployment
+		obj := internal.GenerateObj(strDeploymentWithPodSecurityContext)
+		err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, &deploy)
+		specMap, tmpl, err := ProcessSpec("nginx", &metadata.Service{}, deploy.Spec.Template.Spec)
+		assert.NoError(t, err)
+		assert.Equal(t, map[string]interface{}{
+			"containers": []interface{}{
+				map[string]interface{}{
+					"env": []interface{}{
+						map[string]interface{}{
+							"name":  "KUBERNETES_CLUSTER_DOMAIN",
+							"value": "{{ quote .Values.kubernetesClusterDomain }}",
+						},
+					},
+					"image":     "{{ .Values.nginx.nginx.image.repository }}:{{ .Values.nginx.nginx.image.tag | default .Chart.AppVersion }}",
+					"name":      "nginx",
+					"resources": map[string]interface{}{},
+				},
+			},
+			"securityContext": "{{- toYaml .Values.nginx.podSecurityPolicy | nindent 8 }}",
+		}, specMap)
+
+		assert.Equal(t, helmify.Values{
+			"nginx": map[string]interface{}{
+				"podSecurityPolicy": map[string]interface{}{
+					"fsGroup":      int64(20000),
+					"runAsGroup":   int64(30000),
+					"runAsNonRoot": true,
+					"runAsUser":    int64(65532),
+				},
+				"nginx": map[string]interface{}{
+					"image": map[string]interface{}{
+						"repository": "localhost:6001/my_project",
+						"tag":        "latest",
+					},
+				},
+			},
+		}, tmpl)
+	})
 
 }