chore(controller): add pod default security

duanhongyi · duanhongyi · commit 98c598ea30ef · 2024-01-26T17:57:49.000+08:00
diff --git a/rootfs/api/models/app.py b/rootfs/api/models/app.py
@@ -1126,11 +1126,12 @@ def _gather_app_settings(self, release, app_settings, process_type, replicas, vo
             "name": _.name,
             "claimName": _.name,
         } for _ in volumes] if volumes else []
-
+        volumes_info.extend(json.loads(settings.KUBERNETES_POD_DEFAULT_VOLUMES))
         volume_mounts_info = [{
             "name": _.name,
             "mount_path": _.path.get(process_type),
         } for _ in volumes] if volumes else []
+        volume_mounts_info.extend(json.loads(settings.KUBERNETES_POD_DEFAULT_VOLUME_MOUNTS))
 
         return {
             'memory': memory,
@@ -1161,4 +1162,5 @@ def _gather_app_settings(self, release, app_settings, process_type, replicas, vo
             'image_pull_policy': image_pull_policy,
             'volumes': volumes_info,
             'volume_mounts': volume_mounts_info,
+            'security_context': json.loads(settings.KUBERNETES_POD_DEFAULT_SECURITY_CONTEXT),
         }
diff --git a/rootfs/api/settings/production.py b/rootfs/api/settings/production.py
@@ -364,8 +364,22 @@
 KUBERNETES_LIMITS_MIN_VOLUME = int(os.environ.get('KUBERNETES_LIMITS_MIN_VOLUME', 1))
 # Max Stroage Volume limit, units are represented in Gigabytes(G)
 KUBERNETES_LIMITS_MAX_VOLUME = int(os.environ.get('KUBERNETES_LIMITS_MAX_VOLUME', 1024 * 16))
+# Default pod spec volumes for application.
+KUBERNETES_POD_DEFAULT_VOLUMES = os.environ.get('KUBERNETES_POD_DEFAULT_VOLUMES', '[]')
+# Default pod spec volume mounts for application.
+KUBERNETES_POD_DEFAULT_VOLUME_MOUNTS = os.environ.get('KUBERNETES_POD_DEFAULT_VOLUME_MOUNTS', '[]')
+# Default pod spec security context for application.
+KUBERNETES_POD_DEFAULT_SECURITY_CONTEXT = os.environ.get(
+    'KUBERNETES_POD_DEFAULT_SECURITY_CONTEXT',
+    json.dumps({
+        'capabilities': {
+            'add': ['SYS_ADMIN']
+        },
+        'allowPrivilegeEscalation': True,
+    })
+)
 
-# Default pod spec for application.
+# Default pod spec resources for application.
 KUBERNETES_POD_DEFAULT_RESOURCES = os.environ.get(
     'KUBERNETES_POD_DEFAULT_RESOURCES',
     json.dumps({
diff --git a/rootfs/scheduler/resources/pod.py b/rootfs/scheduler/resources/pod.py
@@ -213,7 +213,8 @@ def _set_container(self, namespace, container_name, data, **kwargs):
         data['imagePullPolicy'] = kwargs.get('image_pull_policy')
         # add in any volumes that need to be mounted into the container
         data['volumeMounts'] = kwargs.get('volumeMounts', [])
-
+        # set the security context to use
+        data["securityContext"] = kwargs.get('security_context', {})
         # create env list if missing
         if 'env' not in data:
             data['env'] = []
