adding run-as-user flag in deploy-image plugin

Author: NikhilSharmaWe

pkg/plugins/golang/deploy-image/v1alpha1/api.go

@@ -69,6 +69,9 @@ type createAPISubcommand struct {
 
 	// imageContainerPort indicates the port that we should use in the scaffold
 	imageContainerPort string
+
+	// runAsUser indicates the user-id used for running the container
+	runAsUser string
 }
 
 func (p *createAPISubcommand) UpdateMetadata(cliMeta plugin.CLIMetadata, subcmdMeta *plugin.SubcommandMetadata) {
@@ -121,6 +124,7 @@ func (p *createAPISubcommand) BindFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&p.imageContainerPort, "image-container-port", "", "[Optional] if informed, "+
 		"will be used to scaffold the container port that should be used by container image in "+
 		"the controller and its spec in the API (CRD/CR). (i.e --image-container-port=\"11211\") ")
+	fs.StringVar(&p.runAsUser, "run-as-user", "", "User-Id for the container formed will be set to this value")
 
 	fs.BoolVar(&p.runMake, "make", true, "if true, run `make generate` after generating files")
 	fs.BoolVar(&p.runManifests, "manifests", true, "if true, run `make manifests` after generating files")
@@ -195,7 +199,8 @@ func (p *createAPISubcommand) Scaffold(fs machinery.Filesystem) error {
 		*p.resource,
 		p.image,
 		p.imageContainerCommand,
-		p.imageContainerPort)
+		p.imageContainerPort,
+		p.runAsUser)
 	scaffolder.InjectFS(fs)
 	err := scaffolder.Scaffold()
 	if err != nil {
@@ -215,6 +220,7 @@ func (p *createAPISubcommand) Scaffold(fs machinery.Filesystem) error {
 			Image:            p.image,
 			ContainerCommand: p.imageContainerCommand,
 			ContainerPort:    p.imageContainerPort,
+			RunAsUser:        p.runAsUser,
 		}
 		cfg.Resources = append(cfg.Resources, resourceData{
 			Group:   p.resource.GVK.Group,

pkg/plugins/golang/deploy-image/v1alpha1/plugin.go

@@ -67,4 +67,5 @@ type options struct {
 	Image            string `json:"image,omitempty"`
 	ContainerCommand string `json:"containerCommand,omitempty"`
 	ContainerPort    string `json:"containerPort,omitempty"`
+	RunAsUser        string `json:"runAsUser,omitempty"`
 }

pkg/plugins/golang/deploy-image/v1alpha1/scaffolds/api.go

@@ -40,11 +40,12 @@ var _ plugins.Scaffolder = &apiScaffolder{}
 // apiScaffolder contains configuration for generating scaffolding for Go type
 // representing the API and controller that implements the behavior for the API.
 type apiScaffolder struct {
-	config   config.Config
-	resource resource.Resource
-	image    string
-	command  string
-	port     string
+	config    config.Config
+	resource  resource.Resource
+	image     string
+	command   string
+	port      string
+	runAsUser string
 
 	// fs is the filesystem that will be used by the scaffolder
 	fs machinery.Filesystem
@@ -53,13 +54,14 @@ type apiScaffolder struct {
 // NewAPIScaffolder returns a new Scaffolder for declarative
 //nolint: lll
 func NewDeployImageScaffolder(config config.Config, res resource.Resource, image,
-	command, port string) plugins.Scaffolder {
+	command, port, runAsUser string) plugins.Scaffolder {
 	return &apiScaffolder{
-		config:   config,
-		resource: res,
-		image:    image,
-		command:  command,
-		port:     port,
+		config:    config,
+		resource:  res,
+		image:     image,
+		command:   command,
+		port:      port,
+		runAsUser: runAsUser,
 	}
 }
 
@@ -143,7 +145,6 @@ func (s *apiScaffolder) scafffoldControllerWithImage(scaffold *machinery.Scaffol
 		res = res[:len(res)-1]
 		err := util.InsertCode(controllerPath, `SecurityContext: &corev1.SecurityContext{
 							RunAsNonRoot:             &[]bool{true}[0],
-							RunAsUser: &[]int64{1000}[0],
 							AllowPrivilegeEscalation: &[]bool{false}[0],
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{
@@ -160,7 +161,6 @@ func (s *apiScaffolder) scafffoldControllerWithImage(scaffold *machinery.Scaffol
 	if len(s.port) > 0 {
 		err := util.InsertCode(controllerPath, `SecurityContext: &corev1.SecurityContext{
 							RunAsNonRoot:             &[]bool{true}[0],
-							RunAsUser: &[]int64{1000}[0],
 							AllowPrivilegeEscalation: &[]bool{false}[0],
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{
@@ -172,6 +172,14 @@ func (s *apiScaffolder) scafffoldControllerWithImage(scaffold *machinery.Scaffol
 			return fmt.Errorf("error scaffolding container port in the controller: %v", err)
 		}
 	}
+
+	if len(s.runAsUser) > 0 {
+		if err := util.InsertCode(controllerPath, `RunAsNonRoot:             &[]bool{true}[0],`,
+			fmt.Sprintf(runAsUserTemplate, s.runAsUser),
+		); err != nil {
+			return fmt.Errorf("error scaffolding user-id in the controller: %v", err)
+		}
+	}
 	return nil
 }
 
@@ -207,7 +215,6 @@ const containerTemplate = `Containers: []corev1.Container{{
 						// More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 						SecurityContext: &corev1.SecurityContext{
 							RunAsNonRoot:             &[]bool{true}[0],
-							RunAsUser: &[]int64{1000}[0],
 							AllowPrivilegeEscalation: &[]bool{false}[0],
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{
@@ -217,6 +224,9 @@ const containerTemplate = `Containers: []corev1.Container{{
 						},
 					}}`
 
+const runAsUserTemplate = `
+							RunAsUser: &[]int64{%s}[0],`
+
 const commandTemplate = `
 						Command:         []string{%s},`
 

test/e2e/deployimage/plugin_cluster_test.go

@@ -106,6 +106,7 @@ var _ = Describe("kubebuilder", func() {
 				"--image", "memcached:1.4.36-alpine",
 				"--image-container-port", "11211",
 				"--image-container-command", "memcached,-m=64,-o,modern,-v",
+				"--run-as-user", "1001",
 				"--make=false",
 				"--manifests=false",
 			)

test/testdata/generate.sh

@@ -109,7 +109,8 @@ function scaffold_test_project {
     $kb create api --group crew --version v1 --kind Admiral --controller=true --resource=true --namespaced=false --make=false
   elif [[ $project == "project-v3-with-deploy-image" ]]; then
       header_text 'Creating Memcached API with deploy-image plugin ...'
-      $kb create api --group example.com --version v1alpha1 --kind Memcached --image=memcached:1.4.36-alpine --image-container-command="memcached,-m=64,-o,modern,-v" --image-container-port="11211" --plugins="deploy-image/v1-alpha" --make=false --namespaced=false
+      $kb create api --group example.com --version v1alpha1 --kind Memcached --image=memcached:1.4.36-alpine --image-container-command="memcached,-m=64,-o,modern,-v" --image-container-port="11211" --run-as-user="1001" --plugins="deploy-image/v1-alpha" --make=false --namespaced=false
+      $kb create api --group example.com --version v1alpha1 --kind Busybox --image=busybox:1.28 --plugins="deploy-image/v1-alpha" --make=false --namespaced=false
       header_text 'Creating Memcached webhook ...'
       $kb create webhook --group example.com --version v1alpha1 --kind Memcached --programmatic-validation
   fi

testdata/project-v3-with-deploy-image/PROJECT

@@ -11,6 +11,13 @@ plugins:
         containerCommand: memcached,-m=64,-o,modern,-v
         containerPort: "11211"
         image: memcached:1.4.36-alpine
+        runAsUser: "1001"
+      version: v1alpha1
+    - domain: testproject.org
+      group: example.com
+      kind: Busybox
+      options:
+        image: busybox:1.28
       version: v1alpha1
 projectName: project-v3-with-deploy-image
 repo: sigs.k8s.io/kubebuilder/testdata/project-v3-with-deploy-image
@@ -26,4 +33,12 @@ resources:
   webhooks:
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+  controller: true
+  domain: testproject.org
+  group: example.com
+  kind: Busybox
+  path: sigs.k8s.io/kubebuilder/testdata/project-v3-with-deploy-image/api/v1alpha1
+  version: v1alpha1
 version: "3"

testdata/project-v3-with-deploy-image/api/v1alpha1/busybox_types.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2022 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// BusyboxSpec defines the desired state of Busybox
+type BusyboxSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// Size defines the number of Busybox instances
+	Size int32 `json:"size,omitempty"`
+}
+
+// BusyboxStatus defines the observed state of Busybox
+type BusyboxStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// Busybox is the Schema for the busyboxes API
+type Busybox struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   BusyboxSpec   `json:"spec,omitempty"`
+	Status BusyboxStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// BusyboxList contains a list of Busybox
+type BusyboxList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Busybox `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Busybox{}, &BusyboxList{})
+}

testdata/project-v3-with-deploy-image/api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,50 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.0
+  creationTimestamp: null
+  name: busyboxes.example.com.testproject.org
+spec:
+  group: example.com.testproject.org
+  names:
+    kind: Busybox
+    listKind: BusyboxList
+    plural: busyboxes
+    singular: busybox
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Busybox is the Schema for the busyboxes API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BusyboxSpec defines the desired state of Busybox
+            properties:
+              size:
+                description: Size defines the number of Busybox instances
+                format: int32
+                type: integer
+            type: object
+          status:
+            description: BusyboxStatus defines the observed state of Busybox
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}