diff --git a/cue/components/cloud-worker.cue b/cue/components/cloud-worker.cue index 35b8edb..de7b8c4 100644 --- a/cue/components/cloud-worker.cue +++ b/cue/components/cloud-worker.cue @@ -75,6 +75,11 @@ template: { if parameter["readinessProbe"] != _|_ { readinessProbe: parameter.readinessProbe } + + if parameter["securityContext"] != _|_ { + securityContext: parameter.securityContext + } + } ] @@ -122,6 +127,27 @@ template: { // +usage=Args to run for the command args?: [...string] + // +usage=Specifies the SecurityContext of the container + securityContext?: { + allowPrivilegeEscalation?: bool + capabilities?: { + add?: [...string] + drop?: [...string] + } + privileged?: bool + // procMount currently ununsed + // procMount?: string + readOnlyRootFilesystem?: bool + runAsGroup?: int + runAsNonRoot?: bool + runAsUser?: int + // seLinuxOptions currently ununsed + // seLinuxOptions?: {...} + // seccompProfile currently ununsed + // seccompProfile?: {} + // windowsOptions never used + } + // +usage=Define arguments by using environment variables env?: [...{ // +usage=Environment variable name diff --git a/cue/components/edge-worker.cue b/cue/components/edge-worker.cue index 7bcbd3a..447da86 100644 --- a/cue/components/edge-worker.cue +++ b/cue/components/edge-worker.cue @@ -79,6 +79,10 @@ template: { if parameter["readinessProbe"] != _|_ { readinessProbe: parameter.readinessProbe } + + if parameter["securityContext"] != _|_ { + securityContext: parameter.securityContext + } } ] 
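Review bot: The new `securityContext` schema in cloud-worker.cue repeats a typo in three of its comments, `// procMount currently ununsed`, `// seLinuxOptions currently ununsed` and `// seccompProfile currently ununsed` — `ununsed` should read `unused`, and the same block is copied verbatim into edge-worker.cue below and into manifests/vela-caps/components/cloud-worker.yaml and edge-worker.yaml. Since the four copies are identical, generating the YAML manifests from the CUE files would stop them drifting apart. The `+usage` text could also say what is deliberately left open: the schema accepts `privileged: true` and arbitrary `capabilities.add` without restriction, so the template itself does not narrow what a component author may request; if that is intended, a line like `// +usage=Container-level SecurityContext passed through unchanged; the template does not restrict privileged or added capabilities` makes it explicit for the reader. If seccomp is wanted later, `seccompProfile?: { type: string, localhostProfile?: string }` mirrors the Kubernetes field so callers can request `RuntimeDefault`.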
@@ -132,6 +136,27 @@ template: { // +usage=Args to run for the command args?: [...string] + // +usage=Specifies the SecurityContext of the container + securityContext?: { + allowPrivilegeEscalation?: bool + capabilities?: { + add?: [...string] + drop?: [...string] + } + privileged?: bool + // procMount currently ununsed + // procMount?: string + readOnlyRootFilesystem?: bool + runAsGroup?: int + runAsNonRoot?: bool + runAsUser?: int + // seLinuxOptions currently ununsed + // seLinuxOptions?: {...} + // seccompProfile currently ununsed + // seccompProfile?: {} + // windowsOptions never used + } + // +usage=Define arguments by using environment variables env?: [...{ // +usage=Environment variable name diff --git a/dev/manifests/applications/examples/edge-nats-box copy.yaml b/dev/manifests/applications/examples/edge-nats-box copy.yaml deleted file mode 100644 index d0558a2..0000000 --- a/dev/manifests/applications/examples/edge-nats-box copy.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -apiVersion: core.oam.dev/v1beta1 -kind: Application -metadata: - name: nats-box - namespace: nats-box -spec: - components: - - name: nats-box - type: edge-worker - properties: - image: natsio/nats-box:latest - name: nats-box - runtime: - - mydevice - command: - - /bin/sh - - -c - - -- - args: - - "while true; do sleep 1; done;" - traits: - - type: edge-network-participant - properties: - networks: - - nats-box-network - - - type: application-network - name: nats-box-network - properties: - subjects: - - name: data-on-leaf - subjects: - - "data.>" - stream: mystream - - name: cloudsubjects - subjects: - - "cloud.>" - stream: cloudstream - streams: - - name: mystream - location: node - config: - storage: file - maxBytes: 30000000 - discard: old - - name: cloudstream - location: main - config: - storage: file - maxBytes: 30000000 - discard: old - - name: mystream_aggregate - location: main - link: - stream: mystream - config: - storage: file - discard: old ---- -apiVersion: v1 -kind: Namespace -metadata: - name: nats-box diff --git a/dev/manifests/applications/examples/edge-nats-box.yaml b/dev/manifests/applications/examples/edge-nats-box.yaml index d449d12..23a860f 100644 --- a/dev/manifests/applications/examples/edge-nats-box.yaml +++ b/dev/manifests/applications/examples/edge-nats-box.yaml @@ -10,6 +10,8 @@ spec: type: edge-worker properties: image: natsio/nats-box:latest + imagePullSecrets: + - mysecret name: nats-box runtime: - mydevice @@ -19,6 +21,15 @@ spec: - -- args: - "while true; do sleep 1; done;" + securityContext: + privileged: false + capabilities: + add: + - CAP_SYS_RAWIO + - CAP_NET_ADMIN + drop: + - CAP_KILL + traits: - type: edge-network-participant properties: diff --git a/manifests/vela-caps/components/cloud-worker.yaml b/manifests/vela-caps/components/cloud-worker.yaml index 32980b8..841e7c0 100644 --- a/manifests/vela-caps/components/cloud-worker.yaml +++ b/manifests/vela-caps/components/cloud-worker.yaml 
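Review bot: The example's new `capabilities.add` and `drop` entries use the `CAP_` prefix (`- CAP_SYS_RAWIO`, `- CAP_NET_ADMIN`, `- CAP_KILL`), whereas Kubernetes documents capability names under `securityContext.capabilities` without that prefix (`SYS_RAWIO`, `NET_ADMIN`, `KILL`); some runtimes normalise the prefix, but the documented form is the one that works everywhere. Granting SYS_RAWIO also goes well beyond what the `while true; do sleep 1; done;` command needs, and example manifests tend to be copied as-is, so either pick capabilities the sample actually uses or add a YAML comment such as `# illustrative values only; grant the smallest capability set the workload needs`. In the earlier hunk of the same file, `imagePullSecrets: - mysecret` is a list of plain strings — whether the edge-worker parameter expects strings or `{name: ...}` objects cannot be checked from this diff, so it is worth confirming against the component schema.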
@@ -71,6 +71,11 @@ spec: if parameter["readinessProbe"] != _|_ { readinessProbe: parameter.readinessProbe } + + if parameter["securityContext"] != _|_ { + securityContext: parameter.securityContext + } + }, ] @@ -117,6 +122,27 @@ spec: // +usage=Args to run for the command args?: [...string] + // +usage=Specifies the SecurityContext of the container + securityContext?: { + allowPrivilegeEscalation?: bool + capabilities?: { + add?: [...string] + drop?: [...string] + } + privileged?: bool + // procMount currently ununsed + // procMount?: string + readOnlyRootFilesystem?: bool + runAsGroup?: int + runAsNonRoot?: bool + runAsUser?: int + // seLinuxOptions currently ununsed + // seLinuxOptions?: {...} + // seccompProfile currently ununsed + // seccompProfile?: {} + // windowsOptions never used + } + // +usage=Define arguments by using environment variables env?: [...{ // +usage=Environment variable name diff --git a/manifests/vela-caps/components/edge-worker.yaml b/manifests/vela-caps/components/edge-worker.yaml index 619680d..9cd9788 100644 --- a/manifests/vela-caps/components/edge-worker.yaml +++ b/manifests/vela-caps/components/edge-worker.yaml @@ -75,6 +75,10 @@ spec: if parameter["readinessProbe"] != _|_ { readinessProbe: parameter.readinessProbe } + + if parameter["securityContext"] != _|_ { + securityContext: parameter.securityContext + } }, ] 
@@ -127,6 +131,27 @@ spec: // +usage=Args to run for the command args?: [...string] + // +usage=Specifies the SecurityContext of the container + securityContext?: { + allowPrivilegeEscalation?: bool + capabilities?: { + add?: [...string] + drop?: [...string] + } + privileged?: bool + // procMount currently ununsed + // procMount?: string + readOnlyRootFilesystem?: bool + runAsGroup?: int + runAsNonRoot?: bool + runAsUser?: int + // seLinuxOptions currently ununsed + // seLinuxOptions?: {...} + // seccompProfile currently ununsed + // seccompProfile?: {} + // windowsOptions never used + } + // +usage=Define arguments by using environment variables env?: [...{ // +usage=Environment variable name