Merge pull request #20194 from umohnani8/kube-mode

Add DefaultMode to kube play
containers · Oct 2, 2023 · bbd9590 · bbd9590
2 parents 9560d36 + 17cebb3
commit bbd9590
Show file tree

Hide file tree

Showing 3 changed files with 252 additions and 27 deletions.
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
@@ -628,6 +628,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			if err != nil || mountPoint == "" {
 				return nil, nil, fmt.Errorf("unable to get mountpoint of volume %q: %w", vol.Name(), err)
 			}
+			defaultMode := v.DefaultMode
 			// Create files and add data to the volume mountpoint based on the Items in the volume
 			for k, v := range v.Items {
 				dataPath := filepath.Join(mountPoint, k)
@@ -640,6 +641,10 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 				if err != nil {
 					return nil, nil, err
 				}
+				// Set file permissions
+				if err := os.Chmod(f.Name(), os.FileMode(defaultMode)); err != nil {
+					return nil, nil, err
+				}
 			}
 		}
 	}

diff --git a/pkg/specgen/generate/kube/volume.go b/pkg/specgen/generate/kube/volume.go
@@ -51,6 +51,9 @@ type KubeVolume struct {
 	// If the volume is optional, we can move on if it is not found
 	// Only used when there are volumes in a yaml that refer to a configmap
 	Optional bool
+	// DefaultMode sets the permissions on files created for the volume
+	// This is optional and defaults to 0644
+	DefaultMode int32
 }
 
 // Create a KubeVolume from an HostPathVolumeSource
@@ -135,9 +138,18 @@ func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource, mountLabel string) (*
 // VolumeFromSecret creates a new kube volume from a kube secret.
 func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error) {
 	kv := &KubeVolume{
-		Type:   KubeVolumeTypeSecret,
-		Source: secretSource.SecretName,
-		Items:  map[string][]byte{},
+		Type:        KubeVolumeTypeSecret,
+		Source:      secretSource.SecretName,
+		Items:       map[string][]byte{},
+		DefaultMode: v1.SecretVolumeSourceDefaultMode,
+	}
+	// Set the defaultMode if set in the kube yaml
+	validMode, err := isValidDefaultMode(secretSource.DefaultMode)
+	if err != nil {
+		return nil, fmt.Errorf("invalid DefaultMode for secret %q: %w", secretSource.SecretName, err)
+	}
+	if validMode {
+		kv.DefaultMode = *secretSource.DefaultMode
 	}
 
 	// returns a byte array of a kube secret data, meaning this needs to go into a string map
@@ -191,8 +203,9 @@ func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource
 func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error) {
 	var configMap *v1.ConfigMap
 	kv := &KubeVolume{
-		Type:  KubeVolumeTypeConfigMap,
-		Items: map[string][]byte{},
+		Type:        KubeVolumeTypeConfigMap,
+		Items:       map[string][]byte{},
+		DefaultMode: v1.ConfigMapVolumeSourceDefaultMode,
 	}
 	for _, cm := range configMaps {
 		if cm.Name == configMapVolumeSource.Name {
@@ -203,6 +216,14 @@ func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, config
 			break
 		}
 	}
+	// Set the defaultMode if set in the kube yaml
+	validMode, err := isValidDefaultMode(configMapVolumeSource.DefaultMode)
+	if err != nil {
+		return nil, fmt.Errorf("invalid DefaultMode for configMap %q: %w", configMapVolumeSource.Name, err)
+	}
+	if validMode {
+		kv.DefaultMode = *configMapVolumeSource.DefaultMode
+	}
 
 	if configMap == nil {
 		// If the volumeSource was optional, move on even if a matching configmap wasn't found
@@ -279,3 +300,14 @@ func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap, secre
 
 	return volumes, nil
 }
+
+// isValidDefaultMode returns true if mode is between 0 and 0777
+func isValidDefaultMode(mode *int32) (bool, error) {
+	if mode == nil {
+		return false, nil
+	}
+	if *mode >= 0 && *mode <= int32(os.ModePerm) {
+		return true, nil
+	}
+	return false, errors.New("must be between 0000 and 0777")
+}