Add --user flag for service create and update (#679)

* add run as user flag #678 * add run as user flag #678 * add changelog for pr 679 * review comments for pr 679 * review comments for pr 679 * add test for config changes * add user flag
knative · Feb 28, 2020 · 6617305 · 6617305
1 parent ab00cc2
commit 6617305
Show file tree

Hide file tree

Showing 8 changed files with 113 additions and 0 deletions.
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -59,6 +59,10 @@
 | 🧽
 | Add `--wait` and `--no-wait` to service delete operation. Change service delete to wait by default.   
 | https://github.com/knative/client/pull/682[#682]
+
+| 🎁
+| Add `--user` flag for specifying the user id to run the container
+| https://github.com/knative/client/pull/679[#679]
 |===
 
 ## v0.12.0 (2020-01-29)

diff --git a/docs/cmd/kn_service_create.md b/docs/cmd/kn_service_create.md
@@ -70,6 +70,7 @@ kn service create NAME --image IMAGE [flags]
       --requests-memory string    The requested memory (e.g., 64Mi).
       --revision-name string      The revision name to set. Must start with the service name and a dash as a prefix. Empty revision name will result in the server generating a name for the revision. Accepts golang templates, allowing {{.Service}} for the service name, {{.Generation}} for the generation, and {{.Random [n]}} for n random consonants. (default "{{.Service}}-{{.Random 5}}-{{.Generation}}")
       --service-account string    Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
+      --user int                  The user ID to run the container (e.g., 1001).
       --volume stringArray        Add a volume from a ConfigMap (prefix cm: or config-map:) or a Secret (prefix secret: or sc:). Example: --volume myvolume=cm:myconfigmap or --volume myvolume=secret:mysecret. You can use this flag multiple times. To unset a ConfigMap/Secret reference, append "-" to the name, e.g. --volume myvolume-.
       --wait-timeout int          Seconds to wait before giving up on waiting for service to be ready. (default 600)
 ```

diff --git a/docs/cmd/kn_service_update.md b/docs/cmd/kn_service_update.md
@@ -68,6 +68,7 @@ kn service update NAME [flags]
       --tag strings               Set tag (format: --tag revisionRef=tagName) where revisionRef can be a revision or '@latest' string representing latest ready revision. This flag can be specified multiple times.
       --traffic strings           Set traffic distribution (format: --traffic revisionRef=percent) where revisionRef can be a revision or a tag or '@latest' string representing latest ready revision. This flag can be given multiple times with percent summing up to 100%.
       --untag strings             Untag revision (format: --untag tagName). This flag can be specified multiple times.
+      --user int                  The user ID to run the container (e.g., 1001).
       --volume stringArray        Add a volume from a ConfigMap (prefix cm: or config-map:) or a Secret (prefix secret: or sc:). Example: --volume myvolume=cm:myconfigmap or --volume myvolume=secret:mysecret. You can use this flag multiple times. To unset a ConfigMap/Secret reference, append "-" to the name, e.g. --volume myvolume-.
       --wait-timeout int          Seconds to wait before giving up on waiting for service to be ready. (default 600)
 ```

diff --git a/pkg/kn/commands/service/configuration_edit_flags.go b/pkg/kn/commands/service/configuration_edit_flags.go
@@ -52,6 +52,7 @@ type ConfigurationEditFlags struct {
 	ServiceAccountName         string
 	ImagePullSecrets           string
 	Annotations                []string
+	User                       int64
 
 	// Preferences about how to do the action.
 	LockToDigest         bool
@@ -189,6 +190,8 @@ func (p *ConfigurationEditFlags) addSharedFlags(command *cobra.Command) {
 		"",
 		"Image pull secret to set. An empty argument (\"\") clears the pull secret. The referenced secret must exist in the service's namespace.")
 	p.markFlagMakesRevision("pull-secret")
+	command.Flags().Int64VarP(&p.User, "user", "", 0, "The user ID to run the container (e.g., 1001).")
+	p.markFlagMakesRevision("user")
 }
 
 // AddUpdateFlags adds the flags specific to update.
@@ -396,6 +399,10 @@ func (p *ConfigurationEditFlags) Apply(
 		servinglib.UpdateImagePullSecrets(template, p.ImagePullSecrets)
 	}
 
+	if cmd.Flags().Changed("user") {
+		servinglib.UpdateUser(template, p.User)
+	}
+
 	return nil
 }
 

diff --git a/pkg/kn/commands/service/create_mock_test.go b/pkg/kn/commands/service/create_mock_test.go
@@ -32,6 +32,7 @@ import (
 	"knative.dev/client/pkg/wait"
 
 	"knative.dev/client/pkg/util"
+	"knative.dev/pkg/ptr"
 )
 
 func TestServiceCreateImageMock(t *testing.T) {
@@ -385,6 +386,29 @@ func TestServiceCreateWithMountSecret(t *testing.T) {
 	r.Validate()
 }
 
+func TestServiceCreateWithUser(t *testing.T) {
+	client := knclient.NewMockKnServiceClient(t)
+
+	r := client.Recorder()
+	r.GetService("foo", nil, errors.NewNotFound(servingv1.Resource("service"), "foo"))
+
+	service := getService("foo")
+
+	template := &service.Spec.Template
+	template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		RunAsUser: ptr.Int64(int64(1001)),
+	}
+	template.Spec.Containers[0].Image = "gcr.io/foo/bar:baz"
+	template.Annotations = map[string]string{servinglib.UserImageAnnotationKey: "gcr.io/foo/bar:baz"}
+	r.CreateService(service, nil)
+
+	output, err := executeServiceCommand(client, "create", "foo", "--image", "gcr.io/foo/bar:baz", "--user", "1001", "--no-wait", "--revision-name=")
+	assert.NilError(t, err)
+	assert.Assert(t, util.ContainsAll(output, "created", "foo", "default"))
+
+	r.Validate()
+}
+
 func getService(name string) *servingv1.Service {
 	service := &servingv1.Service{
 		ObjectMeta: metav1.ObjectMeta{

diff --git a/pkg/kn/commands/service/service_update_mock_test.go b/pkg/kn/commands/service/service_update_mock_test.go
@@ -26,6 +26,7 @@ import (
 	clientserving "knative.dev/client/pkg/serving"
 	clientservingv1 "knative.dev/client/pkg/serving/v1"
 	"knative.dev/client/pkg/util"
+	"knative.dev/pkg/ptr"
 )
 
 func TestServiceUpdateEnvMock(t *testing.T) {
@@ -1427,3 +1428,48 @@ func TestServiceUpdateWithRemovingMount(t *testing.T) {
 
 	r.Validate()
 }
+
+func TestServiceUpdateUser(t *testing.T) {
+	client := clientservingv1.NewMockKnServiceClient(t)
+	svcName := "svc1"
+	newService := getService(svcName)
+	template := &newService.Spec.Template
+	template.Spec.Containers[0].Image = "gcr.io/foo/bar:baz"
+	template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		RunAsUser: ptr.Int64(int64(1001)),
+	}
+	template.ObjectMeta.Annotations = map[string]string{
+		clientserving.UserImageAnnotationKey: "gcr.io/foo/bar:baz",
+	}
+
+	updatedService := getService(svcName)
+	template = &updatedService.Spec.Template
+	template.Spec.Containers[0].Image = "gcr.io/foo/bar:baz"
+	template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		RunAsUser: ptr.Int64(int64(1002)),
+	}
+	template.ObjectMeta.Annotations = map[string]string{
+		clientserving.UserImageAnnotationKey: "gcr.io/foo/bar:baz",
+	}
+
+	r := client.Recorder()
+	recordServiceUpdateWithSuccess(r, svcName, newService, updatedService)
+
+	output, err := executeServiceCommand(client,
+		"create", svcName, "--image", "gcr.io/foo/bar:baz",
+		"--user", "1001",
+		"--no-wait", "--revision-name=",
+	)
+	assert.NilError(t, err)
+	assert.Assert(t, util.ContainsAll(output, "created", svcName, "default"))
+
+	output, err = executeServiceCommand(client,
+		"update", svcName,
+		"--user", "1002",
+		"--no-wait", "--revision-name=",
+	)
+	assert.NilError(t, err)
+	assert.Assert(t, util.ContainsAll(output, "updated", svcName, "default"))
+
+	r.Validate()
+}
diff --git a/pkg/serving/config_changes.go b/pkg/serving/config_changes.go
@@ -337,6 +337,18 @@ func UpdateContainerPort(template *servingv1.RevisionTemplateSpec, port int32) e
 	return nil
 }
 
+// UpdateRunAsUser updates container with a given user id
+func UpdateUser(template *servingv1.RevisionTemplateSpec, user int64) error {
+	container, err := ContainerOfRevisionTemplate(template)
+	if err != nil {
+		return err
+	}
+	container.SecurityContext = &corev1.SecurityContext{
+		RunAsUser: &user,
+	}
+	return nil
+}
+
 // UpdateResources updates resources as requested
 func UpdateResources(template *servingv1.RevisionTemplateSpec, requestsResourceList corev1.ResourceList, limitsResourceList corev1.ResourceList) error {
 	container, err := ContainerOfRevisionTemplate(template)

diff --git a/pkg/serving/config_changes_test.go b/pkg/serving/config_changes_test.go
@@ -300,6 +300,10 @@ func checkPortUpdate(t *testing.T, template *servingv1.RevisionTemplateSpec, por
 	}
 }
 
+func checkUserUpdate(t *testing.T, template *servingv1.RevisionTemplateSpec, user *int64) {
+	assert.DeepEqual(t, template.Spec.Containers[0].SecurityContext.RunAsUser, user)
+}
+
 func TestUpdateEnvVarsBoth(t *testing.T) {
 	template, container := getRevisionTemplate()
 	container.Env = []corev1.EnvVar{
@@ -649,6 +653,20 @@ func TestGenerateVolumeName(t *testing.T) {
 	}
 }
 
+func TestUpdateUser(t *testing.T) {
+	template, _ := getRevisionTemplate()
+	err := UpdateUser(template, int64(1001))
+	assert.NilError(t, err)
+
+	checkUserUpdate(t, template, ptr.Int64(int64(1001)))
+
+	template.Spec.Containers[0].SecurityContext.RunAsUser = ptr.Int64(int64(1002))
+	err = UpdateUser(template, int64(1002))
+	assert.NilError(t, err)
+
+	checkUserUpdate(t, template, ptr.Int64(int64(1002)))
+}
+
 //
 // =========================================================================================================