Populate container.SecurityContext.RunAsUser when --user flag is used (#1927)

* Populate container.SecurityContext.RunAsUser when --user flag is used * unit test change to use security-context and user flags together
2024-04-17 15:13:52 +05:30 · 2024-04-17 15:13:52 +05:30 · 80f5a9a468
parent 7ebac24b8d
commit 80f5a9a468
3 changed files with 11 additions and 10 deletions
--- a/pkg/kn/flags/podspec.go
+++ b/pkg/kn/flags/podspec.go
@ -372,13 +372,6 @@ func (p *PodSpecFlags) ResolvePodSpec(podSpec *corev1.PodSpec, flags *pflag.Flag
 		UpdateImagePullSecrets(podSpec, p.ImagePullSecrets)
 	}

-	if flags.Changed("user") {
-		err = UpdateUser(podSpec, p.User)
-		if err != nil {
-			return err
-		}
-	}
-
 	if flags.Changed("containers") || flags.Changed("extra-containers") || p.ExtraContainers == "-" {
 		var fromFile *corev1.PodSpec
 		fromFile, err = decodeContainersFromFile(p.ExtraContainers)
@ -418,5 +411,12 @@ func (p *PodSpecFlags) ResolvePodSpec(podSpec *corev1.PodSpec, flags *pflag.Flag
 		}
 	}

+	if flags.Changed("user") {
+		err = UpdateUser(podSpec, p.User)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
--- a/pkg/kn/flags/podspec_helper.go
+++ b/pkg/kn/flags/podspec_helper.go
@ -236,9 +236,10 @@ func UpdateContainerPort(spec *corev1.PodSpec, port string) error {
 // UpdateUser updates container with a given user id
 func UpdateUser(spec *corev1.PodSpec, user int64) error {
 	container := containerOfPodSpec(spec)
-	container.SecurityContext = &corev1.SecurityContext{
-		RunAsUser: &user,
+	if container.SecurityContext == nil {
+		container.SecurityContext = &v1.SecurityContext{}
 	}
+	container.SecurityContext.RunAsUser = &user
 	return nil
 }

--- a/pkg/kn/flags/podspec_test.go
+++ b/pkg/kn/flags/podspec_test.go
@ -71,7 +71,7 @@ func TestPodSpecResolve(t *testing.T) {
 		"--port", "8080", "--limit", "cpu=1000m", "--limit", "memory=1024Mi",
 		"--cmd", "/app/start", "--arg", "myArg1", "--service-account", "foo-bar-account",
 		"--mount", "/mount/path=volume-name", "--volume", "volume-name=cm:config-map-name",
-		"--env-from", "config-map:config-map-name", "--user", "1001", "--pull-policy", "always",
+		"--env-from", "config-map:config-map-name", "--user", "1001", "--security-context", "none", "--pull-policy", "always",
 		"--probe-readiness", "http::8080:/path", "--probe-liveness", "http::8080:/path"}
 	expectedPodSpec := corev1.PodSpec{
 		Containers: []corev1.Container{