As user I want to set `runAsGroup` property in podSecurityContext

[Asinrus]

Hello, everyone

Problem description:
I work on K8S cluster with a gatekeeper. It expects pod has runAsGroup property. The gatekeeper doesn't allow Spring Cloud DataFlow to create a pod, because runAsGroup property is absence.

Spring Cloud DataFlow server generate and send to k8s this:

    "apiVersion": "v1",
    "kind": "Pod",
    "metadata":{},
    "spec":
    {
        "containers": [],
        "restartPolicy": "Never",
        "securityContext":
        {
            "fsGroup": 7,
            "runAsUser": 7,
            "supplementalGroups": [7]
        }
    }
}

The gatekeeper expects smth like this:

apiVersion: v1
kind: Pod
........
spec:
  containers:
  - env: []
    name: name
    securityContext:
      allowPrivilegeEscalation: false
      runAsGroup: 7
      runAsNonRoot: true
      runAsUser: 7
  securityContext:
    fsGroup: 7

my config map is:

apiVersion: v1
data:
  application.yaml: |
    logging:
      level:
        root: TRACE
        org.springframework.cloud.deployer.spi.kubernetes: TRACE
        io.fabric8.kubernetes.client: TRACE
        io.fabric8.kubernetes.api.model: TRACE
    spring:
      cloud:
        dataflow:
          task:
            platform:
              kubernetes:
                accounts:
                  default:
                    maximum-concurrent-tasks: 35
                    limits:
                      cpu: 500m
                      memory: 1024Mi
                    readinessProbeDelay: 120
                    livenessProbeDelay: 90
                    podSecurityContext:
                      allowPrivilegeEscalation: false
                      fsGroup: 7
                      runAsGroup: 7
                      runAsNonRoot: true
                      runAsUser: 7
                      supplementalGroups: [7]
          container:
            registry-configurations:
             default:.........
        task:
          closecontextEnabled: true
      datasource: ...........
      flyway:
        enabled: true
kind: ConfigMap

It looks like that runAsGroup property is needed to add to pod configuration, but I didn't find any workaround how to do it.
Can you help me?

Additional context:
Spring Cloud DataFlow version: 2.9.1

[onobc]

Hi @Asinrus ,

I don't think there is a current workaround as it needs to be added to the code where we process the properties and create the pod security context.

I am not sure when we will get to this though. Would you be willing to submit a PR?

[Asinrus]

Hi @onobc
Could you help me to submit a PR? I don't know how to name branch and make PR

[onobc]

Hi @Asinrus ,

Awesome!

I noticed that we needed some updates around "Contributing" and "Working w/ the Code". I did that.

Please read through CONTRIBUTING and Working With The Code.

To get started quickly, see development-strategy to get your branch setup to work in.

NOTE: This work will be done in the Spring Cloud Deployer Kubernetes repo - so adjust the references from Spring Cloud Dataflow accordingly as you go through the guides etc..

Follow this commit I did to add something similar spring-attic/spring-cloud-deployer-kubernetes@dc1f2be .

Reach out if you have any questions and I will guide you through the process. Thank you.

[corneil]

@Asinrus The example you present are properties that is added to deployed task and stream applications. You want Spring Cloud Data Flow server to have the podSecurityContext.runAsGroup property. That will be needed in the configmap for the data flow server and skipper server.
Which mechanism are you using to deploy?

[Asinrus]

Hi, @corneil
Thank for answer.
I need to clarify this point. I want to launch deployed task and stream applications in pods with podSecurityContext.runAsGroup property.

For deploying the Spring Cloud Data Flow server, I use a helm chart from Bitnami version 4.2.4 and I added the podSecurityContext in helm values.

[corneil]

Thanks @Asinrus we need to look into improving Spring Cloud Deployer Kubernetes for this case.

[onobc]

@corneil there is another "similar" request spring-attic/spring-cloud-deployer-kubernetes#512