* Replace the privileged field with the securityContext field.
* Use the json string as args for volume, volumeMount and securityContext in vineyardctl.

Signed-off-by: Ye Cao <[email protected]>
dashanji committed Dec 19, 2023
1 parent 0a4f4ca commit 1dec834
Showing 17 changed files with 203 additions and 101 deletions.
8 changes: 0 additions & 8 deletions charts/vineyard-operator/templates/backup-crd.yaml
Expand Up @@ -247,7 +247,6 @@ spec:
uid:
type: string
type: object
x-kubernetes-map-type: granular
csi:
properties:
controllerExpandSecretRef:
Expand All @@ -268,13 +267,6 @@ spec:
type: string
fsType:
type: string
nodeExpandSecretRef:
properties:
name:
type: string
namespace:
type: string
type: object
nodePublishSecretRef:
properties:
name:
8 changes: 0 additions & 8 deletions charts/vineyard-operator/templates/sidecar-crd.yaml
Expand Up @@ -377,7 +377,6 @@ spec:
uid:
type: string
type: object
x-kubernetes-map-type: granular
csi:
properties:
controllerExpandSecretRef:
Expand All @@ -398,13 +397,6 @@ spec:
type: string
fsType:
type: string
nodeExpandSecretRef:
properties:
name:
type: string
namespace:
type: string
type: object
nodePublishSecretRef:
properties:
name:
72 changes: 61 additions & 11 deletions charts/vineyard-operator/templates/vineyardd-crd.yaml
Expand Up @@ -89,12 +89,70 @@ spec:
default: ghcr.io/v6d-io/v6d/recover-job
type: string
type: object
privileged:
default: false
type: boolean
replicas:
default: 3
type: integer
securityContext:
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
properties:
add:
items:
type: string
type: array
drop:
items:
type: string
type: array
type: object
privileged:
type: boolean
procMount:
type: string
readOnlyRootFilesystem:
type: boolean
runAsGroup:
format: int64
type: integer
runAsNonRoot:
type: boolean
runAsUser:
format: int64
type: integer
seLinuxOptions:
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
type: object
seccompProfile:
properties:
localhostProfile:
type: string
type:
type: string
required:
- type
type: object
windowsOptions:
properties:
gmsaCredentialSpec:
type: string
gmsaCredentialSpecName:
type: string
hostProcess:
type: boolean
runAsUserName:
type: string
type: object
type: object
service:
default:
port: 9600
Expand Down Expand Up @@ -413,7 +471,6 @@ spec:
uid:
type: string
type: object
x-kubernetes-map-type: granular
csi:
properties:
controllerExpandSecretRef:
Expand All @@ -434,13 +491,6 @@ spec:
type: string
fsType:
type: string
nodeExpandSecretRef:
properties:
name:
type: string
namespace:
type: string
type: object
nodePublishSecretRef:
properties:
name:
2 changes: 1 addition & 1 deletion k8s/apis/k8s/v1alpha1/README.md
Expand Up @@ -587,7 +587,7 @@ _Appears in:_
| `pluginImage` _[PluginImageConfig](#pluginimageconfig)_ | operation container configuration nolint: lll |
| `metric` _[MetricConfig](#metricconfig)_ | metric container configuration |
| `socketVolume` _[VolumeConfig](#volumeconfig)_ | Socket Volume configuration |
| `privileged` _boolean_ | Privileged is a flag that indicates whether the vineyardd container should be run in privileged mode. |
| `securityContext` _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core)_ | SecurityContext holds the security context settings for the vineyardd container. |
| `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#volume-v1-core) array_ | Volumes is the list of Kubernetes volumes that can be mounted by the vineyard deployment. |
| `volumeMounts` _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#volumemount-v1-core) array_ | VolumeMounts specifies the volumes listed in ".spec.volumes" to mount into the vineyard deployment. |

6 changes: 3 additions & 3 deletions k8s/apis/k8s/v1alpha1/vineyardd_types.go
Expand Up @@ -228,10 +228,10 @@ type VineyarddSpec struct {
// +kubebuilder:default:={pvcName: "", mountPath: ""}
SocketVolume VolumeConfig `json:"socketVolume,omitempty"`

// Privileged is a flag that indicates whether the vineyardd container should be run in privileged mode.
// SecurityContext holds the security context settings for the vineyardd container.
// +kubebuilder:validation:Optional
// +kubebuilder:default:=false
Privileged bool `json:"privileged,omitempty"`
// +kubebuilder:default:={}
SecurityContext corev1.SecurityContext `json:"securityContext,omitempty"`

// Volumes is the list of Kubernetes volumes that can be mounted by the vineyard deployment.
// +kubebuilder:validation:Optional
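Review bot: `SecurityContext corev1.SecurityContext` tagged `json:"securityContext,omitempty"` is never omitted, because encoding/json ignores omitempty on a struct value, so every object now serializes an explicit `securityContext: {}` and the `+kubebuilder:default:={}` only restates that; the core/v1 Container convention is a pointer, `SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"``, which also lets the operator tell "unset" from "explicitly empty". Removing `Privileged` with no conversion is a breaking change for Vineyardd objects that set `privileged: true`; a structural CRD will presumably prune the unknown field, so such clusters silently drop to unprivileged (the safer direction, but it should be documented). I would extend the doc comment with `// Replaces the former "privileged" field; set securityContext.privileged to retain that behaviour.` The VineyarddSpec struct continues outside this hunk.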
1 change: 1 addition & 0 deletions k8s/apis/k8s/v1alpha1/zz_generated.deepcopy.go


19 changes: 13 additions & 6 deletions k8s/cmd/README.md
Expand Up @@ -989,6 +989,7 @@ vineyardctl deploy vineyard-deployment [flags]
--pluginImage.localAssemblyImage string the local assembly image of vineyardd workflow (default "ghcr.io/v6d-io/v6d/local-assembly")
--pluginImage.recoverImage string the recover image of vineyardd (default "ghcr.io/v6d-io/v6d/recover-job")
--replicas int the number of vineyardd replicas (default 3)
--securityContext string the name of vineyardd
--vineyardd.cpu string the cpu requests and limits of vineyard container
--vineyardd.envs strings The environment variables of vineyardd
--vineyardd.image string the image of vineyardd (default "vineyardcloudnative/vineyardd:latest")
Expand All @@ -1002,15 +1003,17 @@ vineyardctl deploy vineyard-deployment [flags]
--vineyardd.service.type string the service type of vineyard service (default "ClusterIP")
--vineyardd.size string The size of vineyardd. You can use the power-of-two equivalents: Ei, Pi, Ti, Gi, Mi, Ki. Defaults "", means not limited
--vineyardd.socket string The directory on host for the IPC socket file. The namespace and name will be replaced with your vineyard config (default "/var/run/vineyard-kubernetes/{{.Namespace}}/{{.Name}}")
--vineyardd.socketVolume.mountPath string Set the mount path for the pvc
--vineyardd.socketVolume.pvcname string Set the pvc name for storing the vineyard objects persistently
--vineyardd.spill.config string If you want to enable the spill mechanism, please set the name of spill config
--vineyardd.spill.path string The path of spill config
--vineyardd.spill.pv-pvc-spec string the json string of the persistent volume and persistent volume claim
--vineyardd.spill.spillLowerRate string The low watermark of spilling memory (default "0.3")
--vineyardd.spill.spillUpperRate string The high watermark of spilling memory (default "0.8")
--vineyardd.streamThreshold int memory threshold of streams (percentage of total memory) (default 80)
--vineyardd.syncCRDs enable metrics of vineyardd (default true)
--vineyardd.volume.mountPath string Set the mount path for the pvc
--vineyardd.volume.pvcname string Set the pvc name for storing the vineyard objects persistently
--volume string the json string of vineyardd volume
--volumeMount string the json string of vineyardd volume mount
```

## `vineyardctl deploy vineyardd`
Expand Down Expand Up @@ -1122,6 +1125,7 @@ vineyardctl deploy vineyardd [flags]
--pluginImage.localAssemblyImage string the local assembly image of vineyardd workflow (default "ghcr.io/v6d-io/v6d/local-assembly")
--pluginImage.recoverImage string the recover image of vineyardd (default "ghcr.io/v6d-io/v6d/recover-job")
--replicas int the number of vineyardd replicas (default 3)
--securityContext string the name of vineyardd
--vineyardd.cpu string the cpu requests and limits of vineyard container
--vineyardd.envs strings The environment variables of vineyardd
--vineyardd.image string the image of vineyardd (default "vineyardcloudnative/vineyardd:latest")
Expand All @@ -1135,15 +1139,17 @@ vineyardctl deploy vineyardd [flags]
--vineyardd.service.type string the service type of vineyard service (default "ClusterIP")
--vineyardd.size string The size of vineyardd. You can use the power-of-two equivalents: Ei, Pi, Ti, Gi, Mi, Ki. Defaults "", means not limited
--vineyardd.socket string The directory on host for the IPC socket file. The namespace and name will be replaced with your vineyard config (default "/var/run/vineyard-kubernetes/{{.Namespace}}/{{.Name}}")
--vineyardd.socketVolume.mountPath string Set the mount path for the pvc
--vineyardd.socketVolume.pvcname string Set the pvc name for storing the vineyard objects persistently
--vineyardd.spill.config string If you want to enable the spill mechanism, please set the name of spill config
--vineyardd.spill.path string The path of spill config
--vineyardd.spill.pv-pvc-spec string the json string of the persistent volume and persistent volume claim
--vineyardd.spill.spillLowerRate string The low watermark of spilling memory (default "0.3")
--vineyardd.spill.spillUpperRate string The high watermark of spilling memory (default "0.8")
--vineyardd.streamThreshold int memory threshold of streams (percentage of total memory) (default 80)
--vineyardd.syncCRDs enable metrics of vineyardd (default true)
--vineyardd.volume.mountPath string Set the mount path for the pvc
--vineyardd.volume.pvcname string Set the pvc name for storing the vineyard objects persistently
--volume string the json string of vineyardd volume
--volumeMount string the json string of vineyardd volume mount
```

## `vineyardctl get`
Expand Down Expand Up @@ -1706,15 +1712,15 @@ vineyardctl inject [flags]
--sidecar.service.type string the service type of vineyard service (default "ClusterIP")
--sidecar.size string The size of vineyardd. You can use the power-of-two equivalents: Ei, Pi, Ti, Gi, Mi, Ki. Defaults "", means not limited
--sidecar.socket string The directory on host for the IPC socket file. The namespace and name will be replaced with your vineyard config (default "/var/run/vineyard-kubernetes/{{.Namespace}}/{{.Name}}")
--sidecar.socketVolume.mountPath string Set the mount path for the pvc
--sidecar.socketVolume.pvcname string Set the pvc name for storing the vineyard objects persistently
--sidecar.spill.config string If you want to enable the spill mechanism, please set the name of spill config
--sidecar.spill.path string The path of spill config
--sidecar.spill.pv-pvc-spec string the json string of the persistent volume and persistent volume claim
--sidecar.spill.spillLowerRate string The low watermark of spilling memory (default "0.3")
--sidecar.spill.spillUpperRate string The high watermark of spilling memory (default "0.8")
--sidecar.streamThreshold int memory threshold of streams (percentage of total memory) (default 80)
--sidecar.syncCRDs enable metrics of vineyardd (default true)
--sidecar.volume.mountPath string Set the mount path for the pvc
--sidecar.volume.pvcname string Set the pvc name for storing the vineyard objects persistently
```

## `vineyardctl inject argo-workflow`
Expand Down Expand Up @@ -2619,3 +2625,4 @@ vineyardctl schedule workload [flags]
--vineyardd-name string the namespace of vineyard cluster (default "vineyardd-sample")
--vineyardd-namespace string the namespace of vineyard cluster (default "vineyard-system")
```

2 changes: 1 addition & 1 deletion k8s/cmd/commands/delete/delete_vineyard_deployment_test.go
Expand Up @@ -41,7 +41,7 @@ func TestDeleteVineyardDeploymentCmd(t *testing.T) {
flags.VineyarddOpts.Vineyard.Memory = ""
flags.VineyarddOpts.Service.Port = 9600
flags.VineyarddOpts.Service.Type = "ClusterIP"
flags.VineyarddOpts.Volume.PvcName = ""
flags.VineyarddOpts.SocketVolume.PvcName = ""
flags.VineyarddOpts.Vineyard.Size = "256Mi"
c := util.KubernetesClient()
deployVineyardDeploymentCmd := deploy.NewDeployVineyardDeploymentCmd()
2 changes: 1 addition & 1 deletion k8s/cmd/commands/deploy/deploy_backup_job_test.go
Expand Up @@ -49,7 +49,7 @@ func TestDeployBackupJobCmd_second(t *testing.T) {
flags.VineyarddOpts.Vineyard.Memory = ""
flags.VineyarddOpts.Service.Port = 9600
flags.VineyarddOpts.Service.Type = service_type
flags.VineyarddOpts.Volume.PvcName = ""
flags.VineyarddOpts.SocketVolume.PvcName = ""
flags.VineyarddOpts.Vineyard.Size = size
deployVineyardDeploymentCmd := NewDeployVineyardDeploymentCmd()
deployVineyardDeploymentCmd.Run(deployVineyardDeploymentCmd, []string{})
2 changes: 1 addition & 1 deletion k8s/cmd/commands/deploy/deploy_recover_job_test.go
Expand Up @@ -40,7 +40,7 @@ func TestDeployRecoverJobCmd_second(t *testing.T) {
flags.VineyarddOpts.Vineyard.Memory = ""
flags.VineyarddOpts.Service.Port = 9600
flags.VineyarddOpts.Service.Type = service_type
flags.VineyarddOpts.Volume.PvcName = ""
flags.VineyarddOpts.SocketVolume.PvcName = ""
flags.VineyarddOpts.Vineyard.Size = size
deployVineyardDeploymentCmd := NewDeployVineyardDeploymentCmd()
deployVineyardDeploymentCmd.Run(deployVineyardDeploymentCmd, []string{})
37 changes: 13 additions & 24 deletions k8s/cmd/commands/deploy/deploy_vineyardd.go
Expand Up @@ -16,16 +16,13 @@ limitations under the License.
package deploy

import (
"io/ioutil"
"strings"
"time"

"github.com/avast/retry-go"
"github.com/pkg/errors"
"github.com/spf13/cobra"
"gopkg.in/yaml.v2"

corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/v6d-io/v6d/k8s/apis/k8s/v1alpha1"
Expand Down Expand Up @@ -184,14 +181,21 @@ func BuildVineyard() (*v1alpha1.Vineyardd, error) {
log.Fatal(err, "failed to build the vineyardd from input")
}
// parse the volume and volume mounts
volumeConfig, err := loadVolumeConfigFromFile(flags.VineyardVolumeConfigFile)
volumes, err := util.ParseVolume(flags.VineyardVolume)
if err != nil {
log.Fatal(err, "failed to load volume config")
log.Fatal(err, "failed to parse the volumes")
}
vineyardd.Spec.Volumes = make([]corev1.Volume, 0)
vineyardd.Spec.Volumes = append(vineyardd.Spec.Volumes, volumeConfig.Volumes...)
vineyardd.Spec.VolumeMounts = make([]corev1.VolumeMount, 0)
vineyardd.Spec.VolumeMounts = append(vineyardd.Spec.VolumeMounts, volumeConfig.VolumeMounts...)
volumeMounts, err := util.ParseVolumeMount(flags.VineyardVolumeMount)
if err != nil {
log.Fatal(err, "failed to parse the volume mounts")
}
securityContext, err := util.ParseSecurityContext(flags.VineyardSecurityContext)
if err != nil {
log.Fatal(err, "failed to parse the security context")
}
vineyardd.Spec.Volumes = *volumes
vineyardd.Spec.VolumeMounts = *volumeMounts
vineyardd.Spec.SecurityContext = *securityContext
return vineyardd, nil
}

Expand Down Expand Up @@ -227,21 +231,6 @@ func BuildVineyardManifestFromInput() (*v1alpha1.Vineyardd, error) {
return vineyardd, nil
}

func loadVolumeConfigFromFile(filePath string) (flags.VolumeConfig, error) {
data, err := ioutil.ReadFile(filePath)
if err != nil {
return flags.VolumeConfig{}, err
}

var volumeConfig flags.VolumeConfig
err = yaml.Unmarshal(data, &volumeConfig)
if err != nil {
return flags.VolumeConfig{}, err
}

return volumeConfig, nil
}

// BuildVineyardManifestFromFile builds the vineyardd from file
func BuildVineyardManifestFromFile() (*v1alpha1.Vineyardd, error) {
vineyardd := &v1alpha1.Vineyardd{}
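Review bot: The new assignments `vineyardd.Spec.Volumes = *volumes`, `*volumeMounts` and `*securityContext` dereference the parser results unconditionally; if `util.ParseVolume`, `util.ParseVolumeMount` or `util.ParseSecurityContext` return a nil pointer for an empty or absent flag (their bodies are not in this diff), BuildVineyard panics on the default command line rather than leaving the spec at its defaults. Either document at the call site that the helpers always return a non-nil value, or guard each assignment, e.g. `if securityContext != nil { vineyardd.Spec.SecurityContext = *securityContext }`. The three new error branches keep the file's `log.Fatal` pattern although BuildVineyard returns an error, so a caller can never recover from a malformed JSON flag; `return nil, errors.Wrap(err, "parse the security context")` would honour the signature with the github.com/pkg/errors import the file already keeps. Separately, the help text for the new `--securityContext` flag as rendered in k8s/cmd/README.md reads "the name of vineyardd", which looks copied from another flag; the flag definition itself is outside this diff.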