ood_core 0.15.0 → 0.15.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -1
- data/lib/ood_core/job/adapters/kubernetes/batch.rb +2 -2
- data/lib/ood_core/job/adapters/kubernetes/helper.rb +3 -3
- data/lib/ood_core/job/adapters/kubernetes/resources.rb +5 -3
- data/lib/ood_core/job/adapters/kubernetes/templates/pod.yml.erb +24 -0
- data/lib/ood_core/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fde32140cb148c6ea939a1d2308446e9144aad5c853fc8c41ea839beadedf03b
|
|
4
|
+
data.tar.gz: 5925bb0f8576864a3e37696d1c5b32a258edac5ebf78d07a6d509f4ec77c2339
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c9e1d0bd9e423af5289a445c12438875ae5d74b25295c8917209f19ec69b8e84bdb74b6f4ae2da3450a344398e8d96da4ae464498a38c9146d87fff1d1bbb2dd
|
|
7
|
+
data.tar.gz: b8daebdca0ed93b8d2ebb9089657efbb2b5a88e0b78b76607090b7c5befb96fbaa4a51e820b0236dc596d76c81b8110d1d8b53090f38abbfe01e00d411c96cd5
|
data/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
|
|
6
6
|
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
|
+
## [0.15.1] - 2021-02-25
|
|
10
|
+
### Fixed
|
|
11
|
+
- kubernetes adapter uses the full module for helpers in [245](https://github.com/OSC/ood_core/pull/245).
|
|
12
|
+
|
|
13
|
+
### Changed
|
|
14
|
+
- kubernetes pods spawn with runAsNonRoot set to true in [247](https://github.com/OSC/ood_core/pull/247).
|
|
15
|
+
- kubernetes pods can spawn with supplemental groups along with some other in security defaults in
|
|
16
|
+
[246](https://github.com/OSC/ood_core/pull/246).
|
|
17
|
+
|
|
9
18
|
## [0.15.0] - 2021-01-26
|
|
10
19
|
### Fixed
|
|
11
20
|
- ccq adapter now accepts job names with spaces in [210](https://github.com/OSC/ood_core/pull/209)
|
|
@@ -273,7 +282,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
|
273
282
|
### Added
|
|
274
283
|
- Initial release!
|
|
275
284
|
|
|
276
|
-
[Unreleased]: https://github.com/OSC/ood_core/compare/v0.15.
|
|
285
|
+
[Unreleased]: https://github.com/OSC/ood_core/compare/v0.15.1...HEAD
|
|
286
|
+
[0.15.1]: https://github.com/OSC/ood_core/compare/v0.15.0...v0.15.1
|
|
277
287
|
[0.15.0]: https://github.com/OSC/ood_core/compare/v0.14.0...v0.15.0
|
|
278
288
|
[0.14.0]: https://github.com/OSC/ood_core/compare/v0.13.0...v0.14.0
|
|
279
289
|
[0.13.0]: https://github.com/OSC/ood_core/compare/v0.12.0...v0.13.0
|
|
@@ -27,7 +27,7 @@ class OodCore::Job::Adapters::Kubernetes::Batch
|
|
|
27
27
|
@namespace_prefix = options.fetch(:namespace_prefix, '')
|
|
28
28
|
|
|
29
29
|
@using_context = false
|
|
30
|
-
@helper = Helper.new
|
|
30
|
+
@helper = OodCore::Job::Adapters::Kubernetes::Helper.new
|
|
31
31
|
|
|
32
32
|
begin
|
|
33
33
|
make_kubectl_config(options)
|
|
@@ -173,7 +173,7 @@ class OodCore::Job::Adapters::Kubernetes::Batch
|
|
|
173
173
|
id = generate_id(container.name)
|
|
174
174
|
configmap = helper.configmap_from_native(native_data, id)
|
|
175
175
|
init_containers = helper.init_ctrs_from_native(native_data[:init_containers])
|
|
176
|
-
spec = Kubernetes::Resources::PodSpec.new(container, init_containers: init_containers)
|
|
176
|
+
spec = OodCore::Job::Adapters::Kubernetes::Resources::PodSpec.new(container, init_containers: init_containers)
|
|
177
177
|
all_mounts = native_data[:mounts].nil? ? mounts : mounts + native_data[:mounts]
|
|
178
178
|
|
|
179
179
|
template = ERB.new(File.read(resource_file), nil, '-')
|
|
@@ -29,7 +29,7 @@ class OodCore::Job::Adapters::Kubernetes::Helper
|
|
|
29
29
|
|
|
30
30
|
pod_hash.deep_merge!(service_hash)
|
|
31
31
|
pod_hash.deep_merge!(secret_hash)
|
|
32
|
-
K8sJobInfo.new(pod_hash)
|
|
32
|
+
OodCore::Job::Adapters::Kubernetes::K8sJobInfo.new(pod_hash)
|
|
33
33
|
rescue NoMethodError
|
|
34
34
|
raise K8sDataError, "unable to read data correctly from json"
|
|
35
35
|
end
|
|
@@ -40,7 +40,7 @@ class OodCore::Job::Adapters::Kubernetes::Helper
|
|
|
40
40
|
# the input container hash
|
|
41
41
|
# @return [OodCore::Job::Adapters::Kubernetes::Resources::Container]
|
|
42
42
|
def container_from_native(container)
|
|
43
|
-
Kubernetes::Resources::Container.new(
|
|
43
|
+
OodCore::Job::Adapters::Kubernetes::Resources::Container.new(
|
|
44
44
|
container[:name],
|
|
45
45
|
container[:image],
|
|
46
46
|
command: parse_command(container[:command]),
|
|
@@ -81,7 +81,7 @@ class OodCore::Job::Adapters::Kubernetes::Helper
|
|
|
81
81
|
configmap = native.fetch(:configmap, nil)
|
|
82
82
|
return nil if configmap.nil?
|
|
83
83
|
|
|
84
|
-
Kubernetes::Resources::ConfigMap.new(
|
|
84
|
+
OodCore::Job::Adapters::Kubernetes::Resources::ConfigMap.new(
|
|
85
85
|
configmap_name(id),
|
|
86
86
|
configmap[:filename],
|
|
87
87
|
configmap[:data]
|
|
@@ -12,11 +12,11 @@ module OodCore::Job::Adapters::Kubernetes::Resources
|
|
|
12
12
|
|
|
13
13
|
class Container
|
|
14
14
|
attr_accessor :name, :image, :command, :port, :env, :memory, :cpu, :working_dir,
|
|
15
|
-
:restart_policy
|
|
15
|
+
:restart_policy, :supplemental_groups
|
|
16
16
|
|
|
17
17
|
def initialize(
|
|
18
18
|
name, image, command: [], port: nil, env: [], memory: "4Gi", cpu: "1",
|
|
19
|
-
working_dir: "", restart_policy: "Never"
|
|
19
|
+
working_dir: "", restart_policy: "Never", supplemental_groups: []
|
|
20
20
|
)
|
|
21
21
|
raise ArgumentError, "containers need valid names and images" unless name && image
|
|
22
22
|
|
|
@@ -29,6 +29,7 @@ module OodCore::Job::Adapters::Kubernetes::Resources
|
|
|
29
29
|
@cpu = cpu.nil? ? "1" : cpu
|
|
30
30
|
@working_dir = working_dir.nil? ? "" : working_dir
|
|
31
31
|
@restart_policy = restart_policy.nil? ? "Never" : restart_policy
|
|
32
|
+
@supplemental_groups = supplemental_groups.nil? ? [] : supplemental_groups
|
|
32
33
|
end
|
|
33
34
|
|
|
34
35
|
def ==(other)
|
|
@@ -40,7 +41,8 @@ module OodCore::Job::Adapters::Kubernetes::Resources
|
|
|
40
41
|
memory == other.memory &&
|
|
41
42
|
cpu == other.cpu &&
|
|
42
43
|
working_dir == other.working_dir &&
|
|
43
|
-
restart_policy == other.restart_policy
|
|
44
|
+
restart_policy == other.restart_policy &&
|
|
45
|
+
supplemental_groups == other.supplemental_groups
|
|
44
46
|
end
|
|
45
47
|
|
|
46
48
|
end
|
|
@@ -19,7 +19,19 @@ spec:
|
|
|
19
19
|
securityContext:
|
|
20
20
|
runAsUser: <%= run_as_user %>
|
|
21
21
|
runAsGroup: <%= run_as_group %>
|
|
22
|
+
runAsNonRoot: true
|
|
23
|
+
<%- if spec.container.supplemental_groups.empty? -%>
|
|
24
|
+
supplementalGroups: []
|
|
25
|
+
<%- else -%>
|
|
26
|
+
supplementalGroups:
|
|
27
|
+
<%- spec.container.supplemental_groups.each do |supplemental_group| -%>
|
|
28
|
+
- "<%= supplemental_group %>"
|
|
29
|
+
<%- end -%>
|
|
30
|
+
<%- end -%>
|
|
22
31
|
fsGroup: <%= fs_group %>
|
|
32
|
+
hostNetwork: false
|
|
33
|
+
hostIPC: false
|
|
34
|
+
hostPID: false
|
|
23
35
|
containers:
|
|
24
36
|
- name: "<%= spec.container.name %>"
|
|
25
37
|
image: <%= spec.container.image %>
|
|
@@ -60,6 +72,12 @@ spec:
|
|
|
60
72
|
requests:
|
|
61
73
|
memory: "<%= spec.container.memory %>"
|
|
62
74
|
cpu: "<%= spec.container.cpu %>"
|
|
75
|
+
securityContext:
|
|
76
|
+
allowPrivilegeEscalation: false
|
|
77
|
+
capabilities:
|
|
78
|
+
drop:
|
|
79
|
+
- all
|
|
80
|
+
privileged: false
|
|
63
81
|
<%- unless spec.init_containers.nil? -%>
|
|
64
82
|
initContainers:
|
|
65
83
|
<%- spec.init_containers.each do |ctr| -%>
|
|
@@ -78,6 +96,12 @@ spec:
|
|
|
78
96
|
- name: <%= mount[:name] %>
|
|
79
97
|
mountPath: <%= mount[:destination_path] %>
|
|
80
98
|
<%- end # for each mount -%>
|
|
99
|
+
securityContext:
|
|
100
|
+
allowPrivilegeEscalation: false
|
|
101
|
+
capabilities:
|
|
102
|
+
drop:
|
|
103
|
+
- all
|
|
104
|
+
privileged: false
|
|
81
105
|
<%- end # init container loop -%>
|
|
82
106
|
<%- end # if init containers -%>
|
|
83
107
|
<%- unless (configmap.to_s.empty? && all_mounts.empty?) -%>
|
data/lib/ood_core/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ood_core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.15.
|
|
4
|
+
version: 0.15.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Franz
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: exe
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2021-
|
|
13
|
+
date: 2021-02-25 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: ood_support
|