Support podtemplates (#229)

* Support podtemplate workloads
Shopify · Sep 24, 2019 · fb2b354 · fb2b354
1 parent e60724d
commit fb2b354
Show file tree

Hide file tree

Showing 6 changed files with 152 additions and 1 deletion.
diff --git a/cmd/k8sruntime_util.go b/cmd/k8sruntime_util.go
@@ -35,6 +35,8 @@ func setContainers(resource Resource, containers []ContainerV1) Resource {
 	case *DeploymentV1Beta2:
 		t.Spec.Template.Spec.Containers = containers
 		return t.DeepCopyObject()
+	case *PodTemplateV1:
+		t.Template.Spec.Containers = containers
 	case *PodV1:
 		t.Spec.Containers = containers
 		return t.DeepCopyObject()
@@ -97,6 +99,10 @@ func disableDSA(resource Resource) Resource {
 		t.Spec.Template.Spec.ServiceAccountName = t.Spec.Template.Spec.DeprecatedServiceAccount
 		t.Spec.Template.Spec.DeprecatedServiceAccount = ""
 		return t.DeepCopyObject()
+	case *PodTemplateV1:
+		t.Template.Spec.ServiceAccountName = t.Template.Spec.DeprecatedServiceAccount
+		t.Template.Spec.DeprecatedServiceAccount = ""
+		return t.DeepCopyObject()
 	case *PodV1:
 		t.Spec.ServiceAccountName = t.Spec.DeprecatedServiceAccount
 		t.Spec.DeprecatedServiceAccount = ""
@@ -149,6 +155,9 @@ func setASAT(resource Resource, b bool) Resource {
 	case *DeploymentV1Beta2:
 		t.Spec.Template.Spec.AutomountServiceAccountToken = boolean
 		return t.DeepCopyObject()
+	case *PodTemplateV1:
+		t.Template.Spec.AutomountServiceAccountToken = boolean
+		return t.DeepCopyObject()
 	case *PodV1:
 		t.Spec.AutomountServiceAccountToken = boolean
 		return t.DeepCopyObject()
@@ -191,6 +200,9 @@ func setPodAnnotations(resource Resource, annotations map[string]string) Resourc
 	case *DeploymentV1Beta2:
 		kubeType.Spec.Template.ObjectMeta.SetAnnotations(annotations)
 		return kubeType.DeepCopyObject()
+	case *PodTemplateV1:
+		kubeType.Template.ObjectMeta.SetAnnotations(annotations)
+		return kubeType.DeepCopyObject()
 	case *PodV1:
 		kubeType.ObjectMeta.SetAnnotations(annotations)
 		return kubeType.DeepCopyObject()
@@ -225,6 +237,8 @@ func getContainers(resource Resource) (container []ContainerV1) {
 		container = kubeType.Spec.Template.Spec.Containers
 	case *DeploymentV1Beta2:
 		container = kubeType.Spec.Template.Spec.Containers
+	case *PodTemplateV1:
+		container = kubeType.Template.Spec.Containers
 	case *PodV1:
 		container = kubeType.Spec.Containers
 	case *ReplicationControllerV1:
@@ -265,6 +279,8 @@ func getPodAnnotations(resource Resource) (annotations map[string]string) {
 		annotations = kubeType.Spec.Template.ObjectMeta.GetAnnotations()
 	case *DeploymentV1Beta2:
 		annotations = kubeType.Spec.Template.ObjectMeta.GetAnnotations()
+	case *PodTemplateV1:
+		annotations = kubeType.Template.ObjectMeta.GetAnnotations()
 	case *PodV1:
 		annotations = kubeType.ObjectMeta.GetAnnotations()
 	case *ReplicationControllerV1:

diff --git a/cmd/types.go b/cmd/types.go
@@ -75,6 +75,9 @@ type PodListV1 = apiv1.PodList
 // PodSpecV1 is a type alias for the v1 version of the k8s API.
 type PodSpecV1 = apiv1.PodSpec
 
+// PodTemplateV1 is a type alias for the v1 version of the k8s API.
+type PodTemplateV1 = apiv1.PodTemplate
+
 // PodV1 is a type alias for the v1 version of the k8s API.
 type PodV1 = apiv1.Pod
 
@@ -130,7 +133,7 @@ func IsSupportedResourceType(obj Resource) bool {
 		*DeploymentExtensionsV1Beta1, *DeploymentV1, *DeploymentV1Beta1, *DeploymentV1Beta2, *DeploymentListV1,
 		*NamespaceListV1, *NamespaceV1,
 		*NetworkPolicyListV1, *NetworkPolicyV1,
-		*PodListV1, *PodV1,
+		*PodListV1, *PodV1, *PodTemplateV1,
 		*ReplicationControllerListV1, *ReplicationControllerV1,
 		*StatefulSetListV1, *StatefulSetV1, *StatefulSetV1Beta1:
 		return true

diff --git a/cmd/util.go b/cmd/util.go
@@ -80,6 +80,11 @@ func newResultFromResource(resource Resource) (*Result, error, error) {
 		result.Labels = kubeType.Spec.Template.Labels
 		result.Name = kubeType.Name
 		result.Namespace = kubeType.Namespace
+	case *PodTemplateV1:
+		result.KubeType = "podTemplate"
+		result.Labels = kubeType.Labels
+		result.Name = kubeType.Name
+		result.Namespace = kubeType.Namespace
 	case *PodV1:
 		result.KubeType = "pod"
 		result.Labels = kubeType.Labels
@@ -153,6 +158,10 @@ func newResultFromResourceWithServiceAccountInfo(resource Resource) (*Result, er
 		result.DSA = kubeType.Spec.Template.Spec.DeprecatedServiceAccount
 		result.SA = kubeType.Spec.Template.Spec.ServiceAccountName
 		result.Token = kubeType.Spec.Template.Spec.AutomountServiceAccountToken
+	case *PodTemplateV1:
+		result.DSA = kubeType.Template.Spec.DeprecatedServiceAccount
+		result.SA = kubeType.Template.Spec.ServiceAccountName
+		result.Token = kubeType.Template.Spec.AutomountServiceAccountToken
 	case *PodV1:
 		result.DSA = kubeType.Spec.DeprecatedServiceAccount
 		result.SA = kubeType.Spec.ServiceAccountName

diff --git a/fixtures/autofix-all-resources-fixed_v1.yml b/fixtures/autofix-all-resources-fixed_v1.yml
@@ -329,6 +329,54 @@ rules:
   - watch
   - list
 ---
+apiVersion: v1
+kind: PodTemplate
+metadata:
+  name: pod-template
+  labels:
+    name: pod-template
+    app: foobar
+    env: production
+template:
+  metadata:
+    name: pod-template
+    labels:
+      name: pod-template
+      app: foobar
+      env: production
+    annotations:
+      container.apparmor.security.beta.kubernetes.io/pod: runtime/default
+      seccomp.security.alpha.kubernetes.io/pod: runtime/default
+    creationTimestamp: null
+  spec:
+    restartPolicy: Never
+    containers:
+    - name: pod
+      image: gcr.io/production/foobar:tag
+      resources: {}
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - AUDIT_WRITE
+          - CHOWN
+          - DAC_OVERRIDE
+          - FOWNER
+          - FSETID
+          - KILL
+          - MKNOD
+          - NET_BIND_SERVICE
+          - NET_RAW
+          - SETFCAP
+          - SETGID
+          - SETPCAP
+          - SETUID
+          - SYS_CHROOT
+        privileged: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+    automountServiceAccountToken: false
+---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/fixtures/autofix-all-resources_v1.yml b/fixtures/autofix-all-resources_v1.yml
@@ -243,3 +243,24 @@ rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["pods"]
   verbs: ["get", "watch", "list"]
+---
+apiVersion: v1
+kind: PodTemplate
+metadata:
+  name: pod-template
+  labels:
+    name: pod-template
+    app: foobar
+    env: production
+template:
+  metadata:
+    name: pod-template
+    labels:
+      name: pod-template
+      app: foobar
+      env: production
+  spec:
+    restartPolicy: Never
+    containers:
+    - name: pod
+      image: gcr.io/production/foobar:tag
diff --git a/fixtures/podtemplate_v1.yml b/fixtures/podtemplate_v1.yml
@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: PodTemplate
+metadata:
+  name: pod-template
+  labels:
+    name: pod-template
+    app: foobar
+    env: production
+template:
+  metadata:
+    name: pod-template
+    labels:
+      name: pod-template
+      app: foobar
+      env: production
+    annotations:
+      container.apparmor.security.beta.kubernetes.io/pod: runtime/default
+      seccomp.security.alpha.kubernetes.io/pod: runtime/default
+    creationTimestamp: null
+  spec:
+    restartPolicy: Never
+    containers:
+    - name: pod
+      image: gcr.io/production/foobar:tag
+      resources:
+        requests:
+          cpu: 200m
+          memory: 512Mi
+        limits:
+          cpu: "1"
+          memory: 1Gi
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - AUDIT_WRITE
+          - CHOWN
+          - DAC_OVERRIDE
+          - FOWNER
+          - FSETID
+          - KILL
+          - MKNOD
+          - NET_BIND_SERVICE
+          - NET_RAW
+          - SETFCAP
+          - SETGID
+          - SETPCAP
+          - SETUID
+          - SYS_CHROOT
+        privileged: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+    automountServiceAccountToken: false