[Feature] Expose core.PodSecurityContext Sysctl options (#1360)

Author: ajanikow

.gitattributes

@@ -1,2 +1,3 @@
 pkg/generated/** linguist-generated
-**/zz_generated.deepcopy.go linguist-generated
+**/zz_generated.deepcopy.go linguist-generated
+pkg/api/** linguist-generated

CHANGELOG.md

@@ -4,6 +4,7 @@
 - (Feature) Backup lifetime - remove Backup once its lifetime has been reached
 - (Feature) Add Feature dependency
 - (Feature) Run secured containers as a feature
+- (Feature) Expose core.PodSecurityContext Sysctl options
 
 ## [1.2.31](https://github.com/arangodb/kube-arangodb/tree/1.2.31) (2023-07-14)
 - (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode

docs/api/ArangoDeployment.V1.md

@@ -21,7 +21,10 @@
 package v1
 
 import (
+	"sort"
+
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct {
 	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
 	FSGroup            *int64  `json:"fsGroup,omitempty"`
 
+	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+	// sysctls (by the container runtime) might fail to launch.
+	// Map Value can be String or Int
+	// +doc/example: sysctls:
+	// +doc/example:   "kernel.shm_rmid_forced": "0"
+	// +doc/example:   "net.core.somaxconn": 1024
+	// +doc/example:   "kernel.msgmax": "65536"
+	// +doc/type: map[string]intstr.IntOrString
+	// +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+	Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"`
+
 	// SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
 	// +doc/type: core.SeccompProfile
 	// +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core
@@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 	}
 
+	if s != nil && len(s.Sysctls) > 0 {
+		var sysctls []core.Sysctl
+		for k, v := range s.Sysctls {
+			sysctls = append(sysctls, core.Sysctl{
+				Name:  k,
+				Value: v.String(),
+			})
+		}
+
+		sort.Slice(sysctls, func(i, j int) bool {
+			return sysctls[i].Name < sysctls[j].Name
+		})
+
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
+
+		psc.Sysctls = sysctls
+	}
+
 	if secured {
 		if psc == nil {
 			psc = &core.PodSecurityContext{}

pkg/apis/deployment/v1/server_group_security_context_spec.go

@@ -21,10 +21,13 @@
 package v1
 
 import (
+	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 				SupplementalGroups: []int64{1},
 			},
 		},
+		"pass sysctl opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				Sysctls: map[string]intstr.IntOrString{
+					"opt.1": intstr.FromInt(1),
+					"opt.2": intstr.FromString("2"),
+				},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
 	}
 
 	for testName, testCase := range testCases {
@@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 	}
 }
 
+func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) {
+	testCases := map[string]struct {
+		sc      string
+		secured bool
+		want    *core.PodSecurityContext
+	}{
+		"pass sysctl opts": {
+			sc:      `{"sysctls":{"opt.1":1, "opt.2":"2"}}`,
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			var p ServerGroupSpecSecurityContext
+			require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p))
+
+			actual := p.NewPodSecurityContext(testCase.secured)
+			assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
+		})
+	}
+}
+
 func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 	tests := map[string]struct {
 		sc      *ServerGroupSpecSecurityContext

pkg/apis/deployment/v1/server_group_security_context_spec_test.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

pkg/apis/deployment/v1/timeouts.go

@@ -21,7 +21,10 @@
 package v2alpha1
 
 import (
+	"sort"
+
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct {
 	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
 	FSGroup            *int64  `json:"fsGroup,omitempty"`
 
+	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+	// sysctls (by the container runtime) might fail to launch.
+	// Map Value can be String or Int
+	// +doc/example: sysctls:
+	// +doc/example:   "kernel.shm_rmid_forced": "0"
+	// +doc/example:   "net.core.somaxconn": 1024
+	// +doc/example:   "kernel.msgmax": "65536"
+	// +doc/type: map[string]intstr.IntOrString
+	// +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+	Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"`
+
 	// SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
 	// +doc/type: core.SeccompProfile
 	// +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core
@@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 	}
 
+	if s != nil && len(s.Sysctls) > 0 {
+		var sysctls []core.Sysctl
+		for k, v := range s.Sysctls {
+			sysctls = append(sysctls, core.Sysctl{
+				Name:  k,
+				Value: v.String(),
+			})
+		}
+
+		sort.Slice(sysctls, func(i, j int) bool {
+			return sysctls[i].Name < sysctls[j].Name
+		})
+
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
+
+		psc.Sysctls = sysctls
+	}
+
 	if secured {
 		if psc == nil {
 			psc = &core.PodSecurityContext{}

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -21,10 +21,13 @@
 package v2alpha1
 
 import (
+	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	core "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/arangodb/kube-arangodb/pkg/util"
 )
@@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 				SupplementalGroups: []int64{1},
 			},
 		},
+		"pass sysctl opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				Sysctls: map[string]intstr.IntOrString{
+					"opt.1": intstr.FromInt(1),
+					"opt.2": intstr.FromString("2"),
+				},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
 	}
 
 	for testName, testCase := range testCases {
@@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 	}
 }
 
+func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) {
+	testCases := map[string]struct {
+		sc      string
+		secured bool
+		want    *core.PodSecurityContext
+	}{
+		"pass sysctl opts": {
+			sc:      `{"sysctls":{"opt.1":1, "opt.2":"2"}}`,
+			secured: false,
+			want: &core.PodSecurityContext{
+				Sysctls: []core.Sysctl{
+					{
+						Name:  "opt.1",
+						Value: "1",
+					},
+					{
+						Name:  "opt.2",
+						Value: "2",
+					},
+				},
+			},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			var p ServerGroupSpecSecurityContext
+			require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p))
+
+			actual := p.NewPodSecurityContext(testCase.secured)
+			assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
+		})
+	}
+}
+
 func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 	tests := map[string]struct {
 		sc      *ServerGroupSpecSecurityContext

pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -35,7 +35,7 @@ type Timeouts struct {
 	// MaintenanceGracePeriod action timeout
 	MaintenanceGracePeriod *Timeout `json:"maintenanceGracePeriod,omitempty"`
 
-	// Actions keep list of the actions timeouts.
+	// Actions keep map of the actions timeouts.
 	// +doc/type: map[string]meta.Duration
 	// +doc/link: List of supported action names|/docs/generated/actions.md
 	// +doc/link: Definition of meta.Duration|https://github.com/kubernetes/apimachinery/blob/v0.26.6/pkg/apis/meta/v1/duration.go