|
| 1 | +# This manifest creates a Kubernetes Job that runs a single container within |
| 2 | +# a Kata-enabled pod. It is designed for one-off tasks and will not be |
| 3 | +# restarted automatically if it completes successfully. |
| 4 | + |
| 5 | +apiVersion: batch/v1 |
| 6 | +kind: Job |
| 7 | +metadata: |
| 8 | + # The name of the job. This must be unique within the namespace. |
| 9 | + name: clusterfuzz-kata-job-2 |
| 10 | +spec: |
| 11 | + template: |
| 12 | + metadata: |
| 13 | + labels: |
| 14 | + app.kubernetes.io/name: clusterfuzz-kata-job-2 |
| 15 | + spec: |
| 16 | + # Use the 'kata' runtime class to ensure the pod is run in a lightweight VM. |
| 17 | + runtimeClassName: kata |
| 18 | + # Use the host's network namespace. |
| 19 | + dnsPolicy: ClusterFirstWithHostNet |
| 20 | + containers: |
| 21 | + - name: clusterfuzz-worker-2 |
| 22 | + # Using a sample image from values.yaml. Replace with your desired image. |
| 23 | + image: "gcr.io/clusterfuzz-images/chromium/base:2d18693-202510291356" |
| 24 | + imagePullPolicy: IfNotPresent |
| 25 | + # The command and arguments to run in the container. |
| 26 | + # The entrypoint of the image is expected to handle these arguments. |
| 27 | + # For example, it might be a script that sources the environment variables |
| 28 | + # and then executes the main process. |
| 29 | + |
| 30 | + env: |
| 31 | + - name: IS_K8S_ENV |
| 32 | + value: "True" |
| 33 | + - name: DISABLE_MOUNTS |
| 34 | + value: "true" |
| 35 | + - name: HOST_UID |
| 36 | + value: "1337" |
| 37 | + # CLUSTERFUZZ_RELEASE would typically be set here. |
| 38 | + # - name: CLUSTERFUZZ_RELEASE |
| 39 | + # value: "your-release-version" |
| 40 | + - name: UNTRUSTED_WORKER |
| 41 | + value: "False" |
| 42 | + - name: UWORKER |
| 43 | + value: "True" |
| 44 | + - name: USE_GCLOUD_STORAGE_RSYNC |
| 45 | + value: "1" |
| 46 | + # This environment variable will be populated by the value you pass |
| 47 | + # when you create the job. See the command example below. |
| 48 | + - name: UWORKER_INPUT_DOWNLOAD_URL |
| 49 | + value: "https://storage.googleapis.com/clusterfuzz-uworker-input/2142e62f-5187-42a2-a241-6217a6b4dc64?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=gcs-signer%40cluster-fuzz.iam.gserviceaccount.com%2F20251212%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20251212T175657Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=427077d071975ea9c6cf3e9ef2fd7ca6db236bec80399fa21b170706af545d8f74fc8f3db178514b459d59601a1b139b35b0066918d740ca0d8e606d04bed4df9f4d6075d85d269e13980c56431afd2afed043b106fcef331cc635dd11a2713a9d5800c42e2ee7b43b15fa9d16cb9cde43b25fce8e85619820a0aadde93dbc0117c87db1c24f02301e63564aef139c9bdf1d1ea8b80d216fbb6d313846e71ceca32623210c99fb5148aee07e20611f9e0f2bace06d85d42b7599881bddd2247dd76338617d31305d2fbe47014109f98542be2beef8f8fbcd0276d28635237dd9e12b00d764b357eca95dd058e38e48c0012393e80bacc681a26489deb3c11d6a" |
| 50 | + lifecycle: |
| 51 | + postStart: |
| 52 | + exec: |
| 53 | + command: |
| 54 | + - /bin/sh |
| 55 | + - -c |
| 56 | + - "mkdir -p /tmp/.X11-unix && chmod 1777 /tmp/.X11-unix" |
| 57 | + # Mount a memory-backed directory for shared memory. |
| 58 | + # Grant the container elevated privileges within its own VM. |
| 59 | + securityContext: |
| 60 | + privileged: true |
| 61 | + capabilities: |
| 62 | + add: |
| 63 | + - SYS_ADMIN |
| 64 | + # Define resource requests and limits. |
| 65 | + resources: |
| 66 | + requests: |
| 67 | + cpu: "1" |
| 68 | + memory: "3.75Gi" |
| 69 | + limits: |
| 70 | + cpu: "1" |
| 71 | + memory: "3.75Gi" |
| 72 | + # The restart policy for the pod. 'Never' means the pod will not be |
| 73 | + # restarted once it has finished its execution. 'OnFailure' would |
| 74 | + # restart the container if it exits with a non-zero exit code. |
| 75 | + restartPolicy: Never |
| 76 | + # Define the shared memory volume. |
| 77 | + volumes: |
| 78 | + - name: dshm |
| 79 | + emptyDir: |
| 80 | + medium: Memory |
| 81 | + sizeLimit: 1.9G |
| 82 | + # Ensure the job is scheduled on a node with Kata Containers enabled. |
| 83 | + nodeSelector: |
| 84 | + cloud.google.com/gke-nodepool: kata-enabled-pool |
| 85 | + # Optional: defines how long the job can run for. |
| 86 | + # activeDeadlineSeconds: 600 |
| 87 | + # Optional: cleans up the job after it finishes. |
| 88 | + # ttlSecondsAfterFinished: 100 |
| 89 | + # The number of times a job should be retried before failing. |
| 90 | + backoffLimit: 0 |
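Review bot: The `UWORKER_INPUT_DOWNLOAD_URL` value at new line 49 is a complete GCS V4 signed URL, including `X-Goog-Credential` and `X-Goog-Signature`, committed as a literal even though the comment above it says the value is passed when the job is created. A signed URL is a bearer credential for that object until it expires (`X-Goog-Expires=86400` here), and it stays readable in repository history and to anyone who can read the Job or Pod spec. Replace the literal with a placeholder substituted at job creation, e.g. `value: "<UWORKER_INPUT_DOWNLOAD_URL>"`, or source it from a Secret with `valueFrom: {secretKeyRef: {name: <secret-name>, key: <key>}}`. Separately, the `dshm` volume is declared under `volumes` but the container has no `volumeMounts`, so the comment "Mount a memory-backed directory for shared memory" has no effect behind it, and `capabilities.add: [SYS_ADMIN]` is redundant next to `privileged: true`.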