This is an automated email from the ASF dual-hosted git repository.

astefanutti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit d51386de6680f538abf400aae1a81af42b5fb47d
Author: Antonin Stefanutti <anto...@stefanutti.fr>
AuthorDate: Wed Feb 26 10:51:32 2020 +0100

    feat(buildah): Only request extra security context capabilities on OpenShift
---
 pkg/trait/builder.go | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/pkg/trait/builder.go b/pkg/trait/builder.go
index 76df2ac..02f8bcf 100644
--- a/pkg/trait/builder.go
+++ b/pkg/trait/builder.go
@@ -280,6 +280,20 @@ func (t *builderTrait) buildahTask(e *Environment) 
(*v1.ImageTask, error) {
                args = append([]string{auth}, args...)
        }
 
+       var sc *corev1.SecurityContext
+       if e.Platform.Status.Cluster == v1.IntegrationPlatformClusterOpenShift {
+               // This requires the builder service account to have privileged 
SCC on OpenShift
+               // It should be removed when Buildah fully supports 
unprivileged build
+               sc = &corev1.SecurityContext{
+                       Capabilities: &corev1.Capabilities{
+                               Add: []corev1.Capability{
+                                       "SETGID",
+                                       "SETUID",
+                               },
+                       },
+               }
+       }
+
        return &v1.ImageTask{
                ContainerTask: v1.ContainerTask{
                        BaseTask: v1.BaseTask{
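Review bot: The comment in the OpenShift branch says the builder service account needs the privileged SCC, yet the code only adds `SETGID` and `SETUID`. The privileged SCC grants far more than those two capabilities, so the comment should say whether a dedicated SCC whose `allowedCapabilities` lists only them would be enough. On every other cluster `sc` stays nil and the Buildah container runs with whatever capabilities the runtime and admission policy provide. A comment next to the `var sc` declaration, such as `// nil on plain Kubernetes: relies on the runtime default capability set still including SETUID/SETGID`, would record that assumption. `e.Platform` is also dereferenced with no nil check visible here; buildahTask starts outside the hunk, so confirm the platform is always resolved before this point.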
@@ -287,21 +301,12 @@ func (t *builderTrait) buildahTask(e *Environment) 
(*v1.ImageTask, error) {
                                Volumes:      volumes,
                                VolumeMounts: volumeMounts,
                        },
-                       Image:      fmt.Sprintf("quay.io/buildah/stable:v%s", 
defaults.BuildahVersion),
-                       Command:    []string{"/bin/sh", "-c"},
-                       Args:       []string{strings.Join(args, " && ")},
-                       Env:        env,
-                       WorkingDir: path.Join(builderDir, 
e.IntegrationKit.Name, "context"),
-                       // This requires the builder service account to have 
privileged SCC on OpenShift
-                       // It should be removed when Buildah fully supports 
unprivileged build
-                       SecurityContext: &corev1.SecurityContext{
-                               Capabilities: &corev1.Capabilities{
-                                       Add: []corev1.Capability{
-                                               "SETGID",
-                                               "SETUID",
-                                       },
-                               },
-                       },
+                       Image:           
fmt.Sprintf("quay.io/buildah/stable:v%s", defaults.BuildahVersion),
+                       Command:         []string{"/bin/sh", "-c"},
+                       Args:            []string{strings.Join(args, " && ")},
+                       Env:             env,
+                       WorkingDir:      path.Join(builderDir, 
e.IntegrationKit.Name, "context"),
+                       SecurityContext: sc,
                },
                BuiltImage: image,
        }, nil
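Review bot: The container still runs `/bin/sh -c` on `strings.Join(args, " && ")`, so every element of `args` is interpreted by the shell. `args` is assembled outside this hunk; if any element embeds values taken from the platform or integration spec (registry address, image name, auth path), those values should be validated or shell-quoted before they are joined. The image is also referenced by tag (`quay.io/buildah/stable:v%s`) rather than by digest. Since this container is the one granted extra capabilities on OpenShift, pinning it by digest would make the builder image immutable.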
