From 80f5a9a468c28886bd5bffa1d1a0ea0cbf94b6a7 Mon Sep 17 00:00:00 2001
From: Gunjan Vyas
Date: Wed, 17 Apr 2024 15:13:52 +0530
Subject: [PATCH] Populate container.SecurityContext.RunAsUser when --user flag is used (#1927)

* Populate container.SecurityContext.RunAsUser when --user flag is used

* unit test change to use security-context and user flags together
---
 pkg/kn/flags/podspec.go | 14 +++++++-------
 pkg/kn/flags/podspec_helper.go | 5 +++--
 pkg/kn/flags/podspec_test.go | 2 +-
 3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/pkg/kn/flags/podspec.go b/pkg/kn/flags/podspec.go
index 502cec14d..edc5b56a4 100644
--- a/pkg/kn/flags/podspec.go
+++ b/pkg/kn/flags/podspec.go
@@ -372,13 +372,6 @@ func (p *PodSpecFlags) ResolvePodSpec(podSpec *corev1.PodSpec, flags *pflag.Flag
 UpdateImagePullSecrets(podSpec, p.ImagePullSecrets)
 }

- if flags.Changed("user") {
- err = UpdateUser(podSpec, p.User)
- if err != nil {
- return err
- }
- }
-
 if flags.Changed("containers") || flags.Changed("extra-containers") || p.ExtraContainers == "-" {
 var fromFile *corev1.PodSpec
 fromFile, err = decodeContainersFromFile(p.ExtraContainers)
@@ -418,5 +411,12 @@ func (p *PodSpecFlags) ResolvePodSpec(podSpec *corev1.PodSpec, flags *pflag.Flag
 }
 }

+ if flags.Changed("user") {
+ err = UpdateUser(podSpec, p.User)
+ if err != nil {
+ return err
+ }
+ }
+
 return nil
 }
diff --git a/pkg/kn/flags/podspec_helper.go b/pkg/kn/flags/podspec_helper.go
index 862b7b7b8..b9c0a672e 100644
--- a/pkg/kn/flags/podspec_helper.go
+++ b/pkg/kn/flags/podspec_helper.go
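Review bot: The relocated `if flags.Changed("user")` block at the end of ResolvePodSpec (second podspec.go hunk) now has to run after every step that may assign the container's SecurityContext, but nothing in the code records that ordering requirement. The steps between the old and the new position are outside the hunk, so this is inferred from the commit title and from the change to UpdateUser. If a later edit moves the block back up, or adds another SecurityContext assignment below it, the requested UID could be lost without any error and the container would run as the image's default user. I would add a comment above the block, for example `// Apply --user last: it merges RunAsUser into whatever SecurityContext the earlier flags produced.`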
@@ -236,9 +236,10 @@ func UpdateContainerPort(spec *corev1.PodSpec, port string) error {
 // UpdateUser updates container with a given user id
 func UpdateUser(spec *corev1.PodSpec, user int64) error {
 container := containerOfPodSpec(spec)
- container.SecurityContext = &corev1.SecurityContext{
- RunAsUser: &user,
+ if container.SecurityContext == nil {
+ container.SecurityContext = &v1.SecurityContext{}
 }
+ container.SecurityContext.RunAsUser = &user
 return nil
 }

diff --git a/pkg/kn/flags/podspec_test.go b/pkg/kn/flags/podspec_test.go
index aaec95b79..9934cddd2 100644
--- a/pkg/kn/flags/podspec_test.go
+++ b/pkg/kn/flags/podspec_test.go
@@ -71,7 +71,7 @@ func TestPodSpecResolve(t *testing.T) { "--port", "8080", "--limit", "cpu=1000m", "--limit", "memory=1024Mi", "--cmd", "/app/start", "--arg", "myArg1", "--service-account", "foo-bar-account", "--mount", "/mount/path=volume-name", "--volume", "volume-name=cm:config-map-name", - "--env-from", "config-map:config-map-name", "--user", "1001", "--pull-policy", "always", + "--env-from", "config-map:config-map-name", "--user", "1001", "--security-context", "none", "--pull-policy", "always", "--probe-readiness", "http::8080:/path", "--probe-liveness", "http::8080:/path"} expectedPodSpec := corev1.PodSpec{ Containers: []corev1.Container{
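Review bot: The new allocation in UpdateUser is written `&v1.SecurityContext{}`, while the signature two lines above and the removed line both use the `corev1` alias; the import block is outside the hunk, so whether `v1` names the same package cannot be confirmed here. I would write `container.SecurityContext = &corev1.SecurityContext{}` so the file keeps one alias for the Kubernetes core types. The doc comment could also state the new guarantee, e.g. `// UpdateUser sets RunAsUser on the container's SecurityContext and keeps any other fields already set.` Because the UID is now merged into an existing context instead of replacing it, a value of 0 can end up alongside settings such as RunAsNonRoot if an earlier flag set them (not visible here), so that combination deserves a check or at least a test.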
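Review bot: The updated argument list in TestPodSpecResolve pairs `--user 1001` only with `--security-context none`, so the case this commit targets, `--user` applied to a SecurityContext that already has fields set, stays untested if `none` leaves the context unset (its handling is outside this page). A second case, or a direct test of UpdateUser on a container whose SecurityContext is pre-populated, should assert that RunAsUser is set and the existing fields survive. The expected PodSpec begins on the hunk's last lines and continues outside it, so the SecurityContext the test asserts is not visible here.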