ood_core 0.15.0 → 0.15.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 766b778b98f189dee73ff1cb70a2b0acf53d628a897288260a1b8cf7cb80c0c6
-  data.tar.gz: 03052a68c57de5fe76b795dfd76b66639520d3e9b055c324fbece05db71dd331
+  metadata.gz: fde32140cb148c6ea939a1d2308446e9144aad5c853fc8c41ea839beadedf03b
+  data.tar.gz: 5925bb0f8576864a3e37696d1c5b32a258edac5ebf78d07a6d509f4ec77c2339
 SHA512:
-  metadata.gz: c678069d0a37762a706a020c5a7ad7a7354ed3f1edb01fdd25b915065b50754d43c60df48c9ea3b773f3dc4ddb4e12604e9dda02a1ad30b0482e7ab050804181
-  data.tar.gz: 8416227140b6d761f6246f0cce50e41f4462f83b1913ad9e72b511685412810b7b2c7c9951f8c712b127572b421e8a57cd6cdb4dedb7cab9c242eba0d057ad45
+  metadata.gz: c9e1d0bd9e423af5289a445c12438875ae5d74b25295c8917209f19ec69b8e84bdb74b6f4ae2da3450a344398e8d96da4ae464498a38c9146d87fff1d1bbb2dd
+  data.tar.gz: b8daebdca0ed93b8d2ebb9089657efbb2b5a88e0b78b76607090b7c5befb96fbaa4a51e820b0236dc596d76c81b8110d1d8b53090f38abbfe01e00d411c96cd5

data/CHANGELOG.md

@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+## [0.15.1] - 2021-02-25
+### Fixed
+- kubernetes adapter uses the full module for helpers in [245](https://github.com/OSC/ood_core/pull/245).
+
+### Changed
+- kubernetes pods spawn with runAsNonRoot set to true in [247](https://github.com/OSC/ood_core/pull/247).
+- kubernetes pods can spawn with supplemental groups along with some other in security defaults in
+  [246](https://github.com/OSC/ood_core/pull/246).
+
 ## [0.15.0] - 2021-01-26
 ### Fixed
 - ccq adapter now accepts job names with spaces in [210](https://github.com/OSC/ood_core/pull/209)
@@ -273,7 +282,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Initial release!
 
-[Unreleased]: https://github.com/OSC/ood_core/compare/v0.15.0...HEAD
+[Unreleased]: https://github.com/OSC/ood_core/compare/v0.15.1...HEAD
+[0.15.1]: https://github.com/OSC/ood_core/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/OSC/ood_core/compare/v0.14.0...v0.15.0
 [0.14.0]: https://github.com/OSC/ood_core/compare/v0.13.0...v0.14.0
 [0.13.0]: https://github.com/OSC/ood_core/compare/v0.12.0...v0.13.0

data/lib/ood_core/job/adapters/kubernetes/batch.rb

@@ -27,7 +27,7 @@ class OodCore::Job::Adapters::Kubernetes::Batch
     @namespace_prefix = options.fetch(:namespace_prefix, '')
 
     @using_context = false
-    @helper = Helper.new
+    @helper = OodCore::Job::Adapters::Kubernetes::Helper.new
 
     begin
       make_kubectl_config(options)
@@ -173,7 +173,7 @@ class OodCore::Job::Adapters::Kubernetes::Batch
     id = generate_id(container.name)
     configmap = helper.configmap_from_native(native_data, id)
     init_containers = helper.init_ctrs_from_native(native_data[:init_containers])
-    spec = Kubernetes::Resources::PodSpec.new(container, init_containers: init_containers)
+    spec = OodCore::Job::Adapters::Kubernetes::Resources::PodSpec.new(container, init_containers: init_containers)
     all_mounts = native_data[:mounts].nil? ? mounts : mounts + native_data[:mounts]
 
     template = ERB.new(File.read(resource_file), nil, '-')

data/lib/ood_core/job/adapters/kubernetes/helper.rb

@@ -29,7 +29,7 @@ class OodCore::Job::Adapters::Kubernetes::Helper
 
     pod_hash.deep_merge!(service_hash)
     pod_hash.deep_merge!(secret_hash)
-    K8sJobInfo.new(pod_hash)
+    OodCore::Job::Adapters::Kubernetes::K8sJobInfo.new(pod_hash)
   rescue NoMethodError
     raise K8sDataError, "unable to read data correctly from json"
   end
@@ -40,7 +40,7 @@ class OodCore::Job::Adapters::Kubernetes::Helper
   #   the input container hash
   # @return  [OodCore::Job::Adapters::Kubernetes::Resources::Container]
   def container_from_native(container)
-    Kubernetes::Resources::Container.new(
+    OodCore::Job::Adapters::Kubernetes::Resources::Container.new(
       container[:name],
       container[:image],
       command: parse_command(container[:command]),
@@ -81,7 +81,7 @@ class OodCore::Job::Adapters::Kubernetes::Helper
     configmap = native.fetch(:configmap, nil)
     return nil if configmap.nil?
 
-    Kubernetes::Resources::ConfigMap.new(
+    OodCore::Job::Adapters::Kubernetes::Resources::ConfigMap.new(
       configmap_name(id),
       configmap[:filename],
       configmap[:data]

data/lib/ood_core/job/adapters/kubernetes/resources.rb

@@ -12,11 +12,11 @@ module OodCore::Job::Adapters::Kubernetes::Resources
 
   class Container
     attr_accessor :name, :image, :command, :port, :env, :memory, :cpu, :working_dir,
-                  :restart_policy
+                  :restart_policy, :supplemental_groups
 
     def initialize(
         name, image, command: [], port: nil, env: [], memory: "4Gi", cpu: "1",
-        working_dir: "", restart_policy: "Never"
+        working_dir: "", restart_policy: "Never", supplemental_groups: []
       )
       raise ArgumentError, "containers need valid names and images" unless name && image
 
@@ -29,6 +29,7 @@ module OodCore::Job::Adapters::Kubernetes::Resources
       @cpu = cpu.nil? ? "1" : cpu
       @working_dir = working_dir.nil? ? "" : working_dir
       @restart_policy = restart_policy.nil? ? "Never" : restart_policy
+      @supplemental_groups = supplemental_groups.nil? ? [] : supplemental_groups
     end
 
     def ==(other)
@@ -40,7 +41,8 @@ module OodCore::Job::Adapters::Kubernetes::Resources
         memory == other.memory &&
         cpu == other.cpu &&
         working_dir == other.working_dir &&
-        restart_policy == other.restart_policy
+        restart_policy == other.restart_policy &&
+        supplemental_groups == other.supplemental_groups
     end
 
   end

data/lib/ood_core/job/adapters/kubernetes/templates/pod.yml.erb

@@ -19,7 +19,19 @@ spec:
   securityContext:
     runAsUser: <%= run_as_user %>
     runAsGroup: <%= run_as_group %>
+    runAsNonRoot: true
+    <%- if spec.container.supplemental_groups.empty? -%>
+    supplementalGroups: []
+    <%- else -%>
+    supplementalGroups:
+    <%- spec.container.supplemental_groups.each do |supplemental_group| -%>
+    - "<%= supplemental_group %>"
+    <%- end -%>
+    <%- end -%>
     fsGroup: <%= fs_group %>
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
   containers:
   - name: "<%= spec.container.name %>"
     image: <%= spec.container.image %>
@@ -60,6 +72,12 @@ spec:
       requests:
         memory: "<%= spec.container.memory %>"
         cpu: "<%= spec.container.cpu %>"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - all
+      privileged: false
   <%- unless spec.init_containers.nil? -%>
   initContainers:
   <%- spec.init_containers.each do |ctr| -%>
@@ -78,6 +96,12 @@ spec:
     - name: <%= mount[:name] %>
       mountPath: <%= mount[:destination_path] %>
     <%- end # for each mount -%>
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - all
+      privileged: false
   <%- end # init container loop -%>
   <%- end # if init containers -%>
   <%- unless (configmap.to_s.empty? && all_mounts.empty?) -%>

data/lib/ood_core/version.rb

@@ -1,4 +1,4 @@
 module OodCore
   # The current version of {OodCore}
-  VERSION = "0.15.0"
+  VERSION = "0.15.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ood_core
 version: !ruby/object:Gem::Version
-  version: 0.15.0
+  version: 0.15.1
 platform: ruby
 authors:
 - Eric Franz
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-01-26 00:00:00.000000000 Z
+date: 2021-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ood_support