diff --git a/pkg/functions/function.go b/pkg/functions/function.go
index a3cf6dc72c..19d310d065 100644
--- a/pkg/functions/function.go
+++ b/pkg/functions/function.go
@@ -168,6 +168,8 @@ type RunSpec struct {
 // Env variables to be set
 Envs Envs `yaml:"envs,omitempty"`
+ // PodSecurityContext to be set for read and write permission
+ PodSecurityContext PodSecurityContext `yaml:"podSecurityContext, omitempty"`
 // StartTimeout specifies that this function should have a custom timeout
 // when starting. This setting is currently respected by the host runner,
 // with containerized docker runner and deployed Knative service integration
diff --git a/pkg/functions/function_security.go b/pkg/functions/function_security.go
new file mode 100644
index 0000000000..e516b0a39c
--- /dev/null
+++ b/pkg/functions/function_security.go
@@ -0,0 +1,8 @@
+package functions
+
+type PodSecurityContext struct {
+ RunAsUser *int64 `yaml:"RunAsUser,omitempty"`
+ RunAsGroup *int64 `yaml:"RunAsGroup,omitempty"`
+ RunAsNonRoot *bool `yaml:"RunAsNonRoot,omitempty"`
+ FSGroup *int64 `yaml:"FSGroup,omitempty"`
+}
diff --git a/pkg/knative/deployer.go b/pkg/knative/deployer.go
index 2f5510cbeb..0dbc7f1d1c 100644
--- a/pkg/knative/deployer.go
+++ b/pkg/knative/deployer.go
@@ -461,7 +461,7 @@ func generateNewService(f fn.Function, decorator DeployDecorator, daprInstalled
 for k, v := range annotations {
 revisionAnnotations[k] = v
 }
-
+ PodSecurityContext := getPodSecurityContext(f.Run)
 service := &v1.Service{
 ObjectMeta: metav1.ObjectMeta{
 Name: f.Name,
@@ -477,6 +477,7 @@ func generateNewService(f fn.Function, decorator DeployDecorator, daprInstalled
 },
 Spec: v1.RevisionSpec{
 PodSpec: corev1.PodSpec{
+ SecurityContext: PodSecurityContext,
 Containers: []corev1.Container{
 container,
 },
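Review bot: The yaml tag on the new RunSpec field, `yaml:"podSecurityContext, omitempty"`, has a space before `omitempty`; go-yaml splits tag options on the comma and rejects any option it does not recognise, so as far as I can tell from its tag parsing the option ` omitempty` (with the leading space) is reported as an unsupported flag and (un)marshalling of every RunSpec — i.e. loading or saving any func.yaml — fails, not just for functions that use the new block. Change it to `yaml:"podSecurityContext,omitempty"`, matching the `envs` tag directly above. The comment `// PodSecurityContext to be set for read and write permission` does not say what the field controls; suggest `// PodSecurityContext sets the pod-level securityContext (runAsUser, runAsGroup, runAsNonRoot, fsGroup) of the deployed Knative Service.` RunSpec begins and ends outside this hunk.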
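Review bot: The yaml keys on the new PodSecurityContext type are PascalCase (`RunAsUser`, `FSGroup`) while every other func.yaml key visible in this diff is lowerCamel (`envs`, `podSecurityContext`, `startTimeout`), so authors would have to write `RunAsUser:` nested under `podSecurityContext:`; switch the tags to `yaml:"runAsUser,omitempty"`, `yaml:"runAsGroup,omitempty"`, `yaml:"runAsNonRoot,omitempty"`, `yaml:"fsGroup,omitempty"` (and keep the JSON schema in step) before this ships, because renaming the keys later breaks existing func.yaml files. The exported type and its fields also carry no doc comments; suggest `// PodSecurityContext is the subset of corev1.PodSecurityContext a function author may set on the deployed pod; unset fields are left to cluster defaults.` on the type, and on RunAsNonRoot a note that the kubelet refuses to start the container when this is true and the effective user is root (UID 0 or an image with no numeric USER), since that is the failure people hit first.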
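Review bot: `PodSecurityContext := getPodSecurityContext(f.Run)` introduces a PascalCase local that reads as a type name (the fn package now exports a type called exactly that), which is confusing at the use site a few lines below; Go locals are lowerCamel, so `podSecurityContext := getPodSecurityContext(f.Run)` with the matching `SecurityContext: podSecurityContext,` in the PodSpec. The hunk also replaces the blank line that separated the annotation loop from `service := &v1.Service{` with the new statement; keep a blank line after the closing `}` of the loop so the two steps stay visually separate. generateNewService starts and ends outside this hunk.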
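Review bot: The pod SecurityContext is wired only into the Service built here in generateNewService; nothing in this diff touches the update path, so if the existing update/redeploy code builds or patches the revision template separately (I cannot see it from this hunk), a changed `podSecurityContext` in func.yaml would not take effect when an already-deployed function is redeployed, which is exactly when a user tightening `runAsNonRoot` expects it to. Worth either applying the same `SecurityContext:` assignment where the template is updated or adding a deploy-twice test that changes `RunAsUser` between runs and asserts the revision spec changed. generateNewService continues outside this hunk.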
@@ -1108,3 +1109,13 @@ func setServiceOptions(template *v1.RevisionTemplateSpec, options fn.Options) er
 return servingclientlib.UpdateRevisionTemplateAnnotations(template, toUpdate, toRemove)
 }
+
+func getPodSecurityContext(RunSpec fn.RunSpec) *corev1.PodSecurityContext {
+ return &corev1.PodSecurityContext{
+ RunAsUser: RunSpec.PodSecurityContext.RunAsUser,
+ RunAsGroup: RunSpec.PodSecurityContext.RunAsGroup,
+ RunAsNonRoot: RunSpec.PodSecurityContext.RunAsNonRoot,
+ FSGroup: RunSpec.PodSecurityContext.FSGroup,
+ }
+
+}
diff --git a/schema/func_yaml-schema.json b/schema/func_yaml-schema.json
index ff0fe8d00f..c102bca025 100644
--- a/schema/func_yaml-schema.json
+++ b/schema/func_yaml-schema.json
@@ -386,6 +386,26 @@
 "type": "array",
 "description": "Env variables to be set"
 },
+ "podSecurityContext": {
+ "properties": {
+ "RunAsUser": {
+ "pattern": "^[-._a-zA-Z][-._a-zA-Z0-9]*$",
+ "type": "integer"
+ },
+ "RunAsGroup": {
+ "type": "integer"
+ },
+ "RunAsNonRoot":{
+ "type": "boolean"
+ },
+ "FSGroup":{
+ "type":"integer"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+
+ },
 "startTimeout": {
 "type": "integer",
 "description": "StartTimeout specifies that this function should have a custom timeout\nwhen starting. This setting is currently respected by the host runner,\nwith containerized docker runner and deployed Knative service integration\nin development."
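Review bot: getPodSecurityContext always returns a non-nil `*corev1.PodSecurityContext`, even when all four inputs are nil, so every generated Service now carries an explicit (empty) `securityContext: {}` in its PodSpec where previously the field was omitted; that is a visible spec change for all functions and can trip admission or diff-based tooling that treats the field as "set". Return nil when nothing was configured. The parameter is named `RunSpec`, identical to its type, which reads as if the type were being dereferenced; a lowerCamel name (`run`) fixes that, and the stray blank line before the closing brace should go. The function also has no doc comment; one is included below.
```go
// getPodSecurityContext maps the func.yaml run.podSecurityContext block onto
// the pod-level SecurityContext of the generated Knative Service. It returns
// nil when nothing was configured so the Service spec omits the field.
func getPodSecurityContext(run fn.RunSpec) *corev1.PodSecurityContext {
	psc := run.PodSecurityContext
	if psc.RunAsUser == nil && psc.RunAsGroup == nil && psc.RunAsNonRoot == nil && psc.FSGroup == nil {
		return nil
	}
	return &corev1.PodSecurityContext{
		RunAsUser:    psc.RunAsUser,
		RunAsGroup:   psc.RunAsGroup,
		RunAsNonRoot: psc.RunAsNonRoot,
		FSGroup:      psc.FSGroup,
	}
}
```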
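Review bot: `"pattern": "^[-._a-zA-Z][-._a-zA-Z0-9]*$"` on `RunAsUser` is a string constraint (it looks copied from a name/label field) and JSON Schema validators ignore `pattern` for a property typed `"integer"`, so it validates nothing and misleads the reader; drop it, and if a bound is wanted use `"minimum": 0` on RunAsUser, RunAsGroup and FSGroup, since the Kubernetes API rejects negative UIDs/GIDs anyway. Each new property should also carry a `"description"` like its neighbours (`envs`, `startTimeout`) so editor tooling can surface it, e.g. for RunAsNonRoot `"description": "Require the container to run as a non-root user; the kubelet refuses to start it otherwise."`. If this schema is generated from the Go struct tags, as the repo layout suggests it may be, these fixes belong in the struct comments rather than in this file. The blank line before the closing `},` of `podSecurityContext` should also go.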