
Example 1 with SecurityContext

use of io.fabric8.kubernetes.api.model.SecurityContext in project shinyproxy by openanalytics.

the class KubernetesBackend method doStartProxy.

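/**
 * Starts the given proxy as a Kubernetes pod and, when ShinyProxy is not using the
 * internal network, exposes it through a NodePort service.
 *
 * <p>Security-relevant settings applied here, all taken from the app configuration:
 * <ul>
 *   <li>every entry returned by {@code getDockerVolumes()} becomes a {@code hostPath}
 *       volume, i.e. a directory of the node is mounted into the container;</li>
 *   <li>{@code PROPERTY_PRIVILEGED} controls the container's {@code privileged} flag.</li>
 * </ul>
 * NOTE(review): both settings weaken the isolation between the container and the node.
 * This method does not restrict them, so the app configuration has to be writable by
 * trusted operators only, and cluster admission policy should constrain both.
 *
 * @param proxy the proxy to start; its pod, service and port are updated in place
 * @throws IllegalArgumentException if a volume entry is not of the form {@code source:destination}
 * @throws IllegalStateException if the NodePort service did not become ready after all retries
 * @throws Exception if the Kubernetes client fails to create or wait for a resource
 */
@Override
protected void doStartProxy(KubernetesContainerProxy proxy) throws Exception {
    String kubeNamespace = getProperty(PROPERTY_NAMESPACE, proxy.getApp(), DEFAULT_NAMESPACE);
    String apiVersion = getProperty(PROPERTY_API_VERSION, proxy.getApp(), DEFAULT_API_VERSION);

    String[] volumeStrings = Optional.ofNullable(proxy.getApp().getDockerVolumes()).orElse(new String[] {});
    Volume[] volumes = new Volume[volumeStrings.length];
    VolumeMount[] volumeMounts = new VolumeMount[volumeStrings.length];
    for (int i = 0; i < volumeStrings.length; i++) {
        String[] volume = volumeStrings[i].split(":");
        // Reject malformed entries with a clear message instead of failing later with an
        // ArrayIndexOutOfBoundsException (or creating a mount with an empty path).
        if (volume.length < 2 || volume[0].isEmpty() || volume[1].isEmpty()) {
            throw new IllegalArgumentException(
                    "Invalid volume specification (expected source:destination): " + volumeStrings[i]);
        }
        String hostSource = volume[0];
        String containerDest = volume[1];
        String name = "shinyproxy-volume-" + i;
        // hostPath exposes a directory of the node's filesystem to the container.
        volumes[i] = new VolumeBuilder().withNewHostPath(hostSource).withName(name).build();
        volumeMounts[i] = new VolumeMountBuilder().withMountPath(containerDest).withName(name).build();
    }

    List<EnvVar> envVars = new ArrayList<>();
    for (String envString : buildEnv(proxy.getUserId(), proxy.getApp())) {
        int idx = envString.indexOf('=');
        if (idx == -1) {
            log.warn("Invalid environment variable: " + envString);
            // Skip the entry: substring(0, -1) below would otherwise throw and abort the start.
            continue;
        }
        envVars.add(new EnvVar(envString.substring(0, idx), envString.substring(idx + 1), null));
    }

    Boolean privileged = Boolean.valueOf(getProperty(PROPERTY_PRIVILEGED, proxy.getApp(), DEFAULT_PRIVILEGED));
    if (privileged) {
        // Leave an audit trail: a privileged container is not isolated from the node.
        log.warn("Starting privileged container for proxy " + proxy.getName());
    }
    SecurityContext security = new SecurityContextBuilder().withPrivileged(privileged).build();

    ContainerBuilder containerBuilder = new ContainerBuilder()
            .withImage(proxy.getApp().getDockerImage())
            .withName("shiny-container")
            .withPorts(new ContainerPortBuilder().withContainerPort(getAppPort(proxy)).build())
            .withVolumeMounts(volumeMounts)
            .withSecurityContext(security)
            .withEnv(envVars);
    String imagePullPolicy = getProperty(PROPERTY_IMG_PULL_POLICY, proxy.getApp(), null);
    if (imagePullPolicy != null) {
        containerBuilder.withImagePullPolicy(imagePullPolicy);
    }
    if (proxy.getApp().getDockerCmd() != null) {
        containerBuilder.withCommand(proxy.getApp().getDockerCmd());
    }

    // The list-valued property takes precedence; fall back to the single-secret property.
    String[] imagePullSecrets = getProperty(PROPERTY_IMG_PULL_SECRETS, proxy.getApp(), String[].class, null);
    if (imagePullSecrets == null) {
        String imagePullSecret = getProperty(PROPERTY_IMG_PULL_SECRET, proxy.getApp(), null);
        imagePullSecrets = (imagePullSecret != null) ? new String[] { imagePullSecret } : new String[0];
    }

    Pod pod = kubeClient.pods().inNamespace(kubeNamespace).createNew()
            .withApiVersion(apiVersion)
            .withKind("Pod")
            .withNewMetadata()
                .withName(proxy.getName())
                .addToLabels("app", proxy.getName())
            .endMetadata()
            .withNewSpec()
                .withContainers(Collections.singletonList(containerBuilder.build()))
                .withVolumes(volumes)
                .withImagePullSecrets(Arrays.stream(imagePullSecrets)
                        .map(LocalObjectReference::new)
                        .collect(Collectors.toList()))
            .endSpec()
            .done();
    proxy.setPod(kubeClient.resource(pod).waitUntilReady(600, TimeUnit.SECONDS));

    if (!isUseInternalNetwork()) {
        // If SP runs outside the cluster, a NodePort service is needed to access the pod externally.
        // NOTE(review): a NodePort is opened on the cluster nodes; confirm that network policy or
        // firewalling limits who can reach it.
        Service service = kubeClient.services().inNamespace(kubeNamespace).createNew()
                .withApiVersion(apiVersion)
                .withKind("Service")
                .withNewMetadata()
                    .withName(proxy.getName() + "service")
                .endMetadata()
                .withNewSpec()
                    .addToSelector("app", proxy.getName())
                    .withType("NodePort")
                    .withPorts(new ServicePortBuilder().withPort(getAppPort(proxy)).build())
                .endSpec()
                .done();

        // Retry, because if this is done too fast, an 'endpoint not found' exception will be thrown.
        Utils.retry(i -> {
            try {
                proxy.setService(kubeClient.resource(service).waitUntilReady(600, TimeUnit.SECONDS));
            } catch (Exception e) {
                // Deliberately swallowed: returning false asks Utils.retry for another attempt.
                return false;
            }
            return true;
        }, 5, 1000);

        // If every attempt failed the service was never set; fail with a clear message
        // instead of a NullPointerException on the lookup below.
        if (proxy.getService() == null) {
            throw new IllegalStateException("Service for proxy " + proxy.getName() + " did not become ready");
        }
        releasePort(proxy.getPort());
        proxy.setPort(proxy.getService().getSpec().getPorts().get(0).getNodePort());
    }
}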
Also used : Pod(io.fabric8.kubernetes.api.model.Pod) ArrayList(java.util.ArrayList) Service(io.fabric8.kubernetes.api.model.Service) VolumeBuilder(io.fabric8.kubernetes.api.model.VolumeBuilder) VolumeMountBuilder(io.fabric8.kubernetes.api.model.VolumeMountBuilder) IOException(java.io.IOException) ShinyProxyException(eu.openanalytics.shinyproxy.ShinyProxyException) SecurityContextBuilder(io.fabric8.kubernetes.api.model.SecurityContextBuilder) ContainerBuilder(io.fabric8.kubernetes.api.model.ContainerBuilder) Volume(io.fabric8.kubernetes.api.model.Volume) ServicePortBuilder(io.fabric8.kubernetes.api.model.ServicePortBuilder) ContainerPortBuilder(io.fabric8.kubernetes.api.model.ContainerPortBuilder) LocalObjectReference(io.fabric8.kubernetes.api.model.LocalObjectReference) SecurityContext(io.fabric8.kubernetes.api.model.SecurityContext) VolumeMount(io.fabric8.kubernetes.api.model.VolumeMount) EnvVar(io.fabric8.kubernetes.api.model.EnvVar)

Example 2 with SecurityContext

use of io.fabric8.kubernetes.api.model.SecurityContext in project strimzi by strimzi.

the class AbstractModel method createStatefulSet.

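/**
 * Builds the StatefulSet for this model: one main container plus, for persistent-claim
 * storage outside OpenShift, an init container that fixes ownership of the first volume mount.
 *
 * @param ports          ports exposed by the main container
 * @param volumes        volumes added to the pod spec
 * @param volumeClaims   volume claim templates of the StatefulSet
 * @param volumeMounts   mounts of the main container; the first one is also mounted into the
 *                       init container when the ownership workaround applies
 * @param livenessProbe  liveness probe of the main container
 * @param readinessProbe readiness probe of the main container
 * @param isOpenShift    when {@code true} the ownership workaround is skipped
 * @return the assembled StatefulSet (it is only built here, not created in the cluster)
 * @throws IllegalArgumentException if the ownership workaround applies but {@code volumeMounts}
 *                                  is null or empty
 */
protected StatefulSet createStatefulSet(List<ContainerPort> ports, List<Volume> volumes, List<PersistentVolumeClaim> volumeClaims, List<VolumeMount> volumeMounts, Probe livenessProbe, Probe readinessProbe, boolean isOpenShift) {
    Map<String, String> annotations = new HashMap<>();
    annotations.put(String.format("%s/%s", ClusterController.STRIMZI_CLUSTER_CONTROLLER_DOMAIN, Storage.DELETE_CLAIM_FIELD), String.valueOf(storage.isDeleteClaim()));

    // No container-level securityContext is set on the main container.
    // NOTE(review): consider whether runAsNonRoot / dropped capabilities should be set here.
    Container container = new ContainerBuilder()
            .withName(name)
            .withImage(getImage())
            .withEnv(getEnvVars())
            .withVolumeMounts(volumeMounts)
            .withPorts(ports)
            .withLivenessProbe(livenessProbe)
            .withReadinessProbe(readinessProbe)
            .build();

    List<Container> initContainers = new ArrayList<>();
    PodSecurityContext securityContext = null;
    // There is a hack on volume mounting which needs an "init-container".
    if ((this.storage.type() == Storage.StorageType.PERSISTENT_CLAIM) && !isOpenShift) {
        // The workaround operates on the first mount; fail clearly when there is none
        // instead of with an IndexOutOfBoundsException / NullPointerException.
        if (volumeMounts == null || volumeMounts.isEmpty()) {
            throw new IllegalArgumentException("Persistent claim storage requires at least one volume mount");
        }
        VolumeMount dataMount = volumeMounts.get(0);
        // NOTE(review): the group id constant is used for both owner and group — confirm this is intended.
        // NOTE(review): the mount path is interpolated into a shell command line; it must come from
        // trusted configuration only. Passing chown its arguments directly (without "sh -c") would
        // remove the shell parsing step altogether.
        String chown = String.format("chown -R %d:%d %s", AbstractModel.VOLUME_MOUNT_HACK_GROUPID, AbstractModel.VOLUME_MOUNT_HACK_GROUPID, dataMount.getMountPath());
        Container initContainer = new ContainerBuilder()
                .withName(AbstractModel.VOLUME_MOUNT_HACK_NAME)
                .withImage(AbstractModel.VOLUME_MOUNT_HACK_IMAGE)
                .withVolumeMounts(dataMount)
                .withCommand("sh", "-c", chown)
                .build();
        initContainers.add(initContainer);
        securityContext = new PodSecurityContextBuilder().withFsGroup(AbstractModel.VOLUME_MOUNT_HACK_GROUPID).build();
    }

    return new StatefulSetBuilder()
            .withNewMetadata()
                .withName(name)
                .withLabels(getLabelsWithName())
                .withNamespace(namespace)
                .withAnnotations(annotations)
            .endMetadata()
            .withNewSpec()
                .withPodManagementPolicy("Parallel")
                .withUpdateStrategy(new StatefulSetUpdateStrategyBuilder().withType("OnDelete").build())
                .withSelector(new LabelSelectorBuilder().withMatchLabels(getLabelsWithName()).build())
                .withServiceName(headlessName)
                .withReplicas(replicas)
                .withNewTemplate()
                    .withNewMetadata()
                        .withName(name)
                        .withLabels(getLabelsWithName())
                        .withAnnotations(getPrometheusAnnotations())
                    .endMetadata()
                    .withNewSpec()
                        // Pod-level context stays null unless the ownership workaround set fsGroup above.
                        .withSecurityContext(securityContext)
                        .withInitContainers(initContainers)
                        .withContainers(container)
                        .withVolumes(volumes)
                    .endSpec()
                .endTemplate()
                .withVolumeClaimTemplates(volumeClaims)
            .endSpec()
            .build();
}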
Also used : LabelSelectorBuilder(io.fabric8.kubernetes.api.model.LabelSelectorBuilder) HashMap(java.util.HashMap) PodSecurityContext(io.fabric8.kubernetes.api.model.PodSecurityContext) StatefulSetUpdateStrategyBuilder(io.fabric8.kubernetes.api.model.extensions.StatefulSetUpdateStrategyBuilder) ArrayList(java.util.ArrayList) StatefulSetBuilder(io.fabric8.kubernetes.api.model.extensions.StatefulSetBuilder) Container(io.fabric8.kubernetes.api.model.Container) ContainerBuilder(io.fabric8.kubernetes.api.model.ContainerBuilder) PodSecurityContextBuilder(io.fabric8.kubernetes.api.model.PodSecurityContextBuilder) StatefulSet(io.fabric8.kubernetes.api.model.extensions.StatefulSet)

Aggregations

ContainerBuilder (io.fabric8.kubernetes.api.model.ContainerBuilder)2 ArrayList (java.util.ArrayList)2 ShinyProxyException (eu.openanalytics.shinyproxy.ShinyProxyException)1 Container (io.fabric8.kubernetes.api.model.Container)1 ContainerPortBuilder (io.fabric8.kubernetes.api.model.ContainerPortBuilder)1 EnvVar (io.fabric8.kubernetes.api.model.EnvVar)1 LabelSelectorBuilder (io.fabric8.kubernetes.api.model.LabelSelectorBuilder)1 LocalObjectReference (io.fabric8.kubernetes.api.model.LocalObjectReference)1 Pod (io.fabric8.kubernetes.api.model.Pod)1 PodSecurityContext (io.fabric8.kubernetes.api.model.PodSecurityContext)1 PodSecurityContextBuilder (io.fabric8.kubernetes.api.model.PodSecurityContextBuilder)1 SecurityContext (io.fabric8.kubernetes.api.model.SecurityContext)1 SecurityContextBuilder (io.fabric8.kubernetes.api.model.SecurityContextBuilder)1 Service (io.fabric8.kubernetes.api.model.Service)1 ServicePortBuilder (io.fabric8.kubernetes.api.model.ServicePortBuilder)1 Volume (io.fabric8.kubernetes.api.model.Volume)1 VolumeBuilder (io.fabric8.kubernetes.api.model.VolumeBuilder)1 VolumeMount (io.fabric8.kubernetes.api.model.VolumeMount)1 VolumeMountBuilder (io.fabric8.kubernetes.api.model.VolumeMountBuilder)1 StatefulSet (io.fabric8.kubernetes.api.model.extensions.StatefulSet)1