Pb-6681 : added support for PSA for kdmp jobs #377
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- added make target called vendor to eliminate compilation issue Signed-off-by: Lalatendu Das <[email protected]>
lalat-das
requested review from
vsundarraj-px,
px-kesavan,
diptiranjanpx and
siva-portworx
|
OSS Scan Results:
Total issues: 191 |
|
License Evaluation Results:
Total License Issues: 17 |
prashanthpx
reviewed
May 17, 2024
lalat-das
force-pushed
the
pb-6681-psa-support-latest
branch
from
567add1 to
391d365
Compare
|
OSS Scan Results:
Total issues: 191 |
|
License Evaluation Results:
Total License Issues: 17 |
siva-portworx
approved these changes
May 21, 2024
| } | ||
|
|
||
| // WithpsaIsEnabled is job parameter. | ||
| func WithPodUserId(podUserId string) JobOption { |
There was a problem hiding this comment.
typo in the function name in comment.
| } | ||
|
|
||
| // WithpsaIsEnabled is job parameter. | ||
| func WithPodGroupId(PodGroupId string) JobOption { |
There was a problem hiding this comment.
typo in the function name in comment.
| PsaEnabledKey = "portworx.io/psa-enabled" | ||
| PsaUIDKey = "portworx.io/psa-uid" | ||
| PsaGIDKey = "portworx.io/psa-gid" | ||
| KdmpJobUid = "1013" |
There was a problem hiding this comment.
Please add comment for the purpose of the hardcoded UID/GUID
pkg/drivers/utils/utils.go
Outdated
| if podUserId != "" { | ||
| uid, err := strconv.ParseInt(podUserId, 10, 64) | ||
| if err != nil { | ||
| logrus.Errorf("failed to convert the UID to int: %v", err) |
There was a problem hiding this comment.
It is better to add some reference in the error message to associate for which dataexport of job, this covert error happen?
pkg/drivers/utils/utils.go
Outdated
| }, | ||
| } | ||
| } else { | ||
| return job, fmt.Errorf("recieved a nil job object to add security context") |
| // Add security Context only if the PSA is enabled. | ||
| if jobOption.PsaIsEnabled == "true" { | ||
| // The Job is intended to backup resources to NFS backuplocation | ||
| // and it doesn't need a specific JOB uid/gid since it will be sqaushed at NFS server |
pkg/drivers/utils/utils.go
Outdated
| "ALL", | ||
| }, | ||
| } | ||
| } else { |
There was a problem hiding this comment.
nit:We could avoid if and else and indentation if the code is
if job == nil {
return fmt.Errorf(...)
}
Rest of the code here..
- Added check and collected psa info from the namespace - if psa enabled then extracted the uid and gid used by the POD. here the pod is choosen based on whichever PVC is used by that pod - applied those uid and GID to all relevant job pod spec - this is done only if the PSA mode enforced with "restricted" value - for baseline and privilege mode no restriction on UID/GID and default setting of SElinux and secomp is adopted in the POD spec Signed-off-by: Lalatendu Das <[email protected]>
lalat-das
force-pushed
the
pb-6681-psa-support-latest
branch
from
391d365 to
337122f
Compare
|
OSS Scan Results:
Total issues: 191 |
|
License Evaluation Results:
Total License Issues: 17 |
|
closing the PR since the same PR with some more modification is raised against 2.7.2 now |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it: This enables the KDMP job pods to be added with SecurityContext setting required for it to run in a restricted PSA environment.
Which issue(s) this PR fixes (optional)
Closes # pb-6681
Special notes for your reviewer:
Cluster Wide PSA setting related code is not added yet.
Will update unit test result before EOD tomorrow