Pod security context2 (#5794)

* pod security context

* Simplify code

* Improve display of arrays

* Regenerate translations
Co-authored-by: NSebastian Florek <sebastian.florek@kubermatic.com>

src/app/backend/resource/pod/detail.go

@@ -56,6 +56,7 @@ type PodDetail struct {
 	ImagePullSecrets          []v1.LocalObjectReference                       `json:"imagePullSecrets,omitempty"`
 	EventList                 common.EventList                                `json:"eventList"`
 	PersistentvolumeclaimList persistentvolumeclaim.PersistentVolumeClaimList `json:"persistentVolumeClaimList"`
+	SecurityContext           *v1.PodSecurityContext                          `json:"securityContext"`
 
 	// List of non-critical errors, that occurred during resource retrieval.
 	Errors []error `json:"errors"`
@@ -280,6 +281,7 @@ func toPodDetail(pod *v1.Pod, metrics []metricapi.Metric, configMaps *v1.ConfigM
 		ImagePullSecrets:          pod.Spec.ImagePullSecrets,
 		EventList:                 *events,
 		PersistentvolumeclaimList: *persistentVolumeClaimList,
+		SecurityContext:           pod.Spec.SecurityContext,
 		Errors:                    nonCriticalErrors,
 	}
 }

src/app/frontend/common/components/chips/component.ts

@@ -58,7 +58,7 @@ const MAX_CHIP_VALUE_LENGTH = 63;
   changeDetection: ChangeDetectionStrategy.OnPush,
 })
 export class ChipsComponent implements OnInit, OnChanges {
-  @Input() map: StringMap | string[];
+  @Input() map: StringMap | string[] | number[];
   @Input() displayAll = false;
   keys: string[];
   isShowingAll = false;

src/app/frontend/common/components/container/component.ts

@@ -14,6 +14,8 @@
 
 import {Component, Input, OnChanges} from '@angular/core';
 import {ConfigMapKeyRef, Container, EnvVar, SecretKeyRef} from '@api/root.api';
+import * as _ from 'lodash';
+
 import {KdStateService} from '../../services/global/state';
 
 @Component({
@@ -55,4 +57,8 @@ export class ContainerCardComponent implements OnChanges {
   getEnvVarID(_: number, envVar: EnvVar): string {
     return `${envVar.name}-${envVar.value}`;
   }
+
+  hasSecurityContext(): boolean {
+    return this.container && !_.isEmpty(this.container.securityContext);
+  }
 }

src/app/frontend/common/components/container/template.html

@@ -130,16 +130,17 @@ limitations under the License.
       </div>
     </kd-property>
 
-    <div *ngIf="container?.securityContext"
+    <div *ngIf="hasSecurityContext()"
+         fxFlex="100"
          fxLayout="column">
       <div fxFlex
            class="security-context-header kd-muted"
            i18n>Security Context
       </div>
 
-      <kd-container-security-context [securityContext]="container.securityContext"
-                                     [initialized]="initialized">
-      </kd-container-security-context>
+      <kd-security-context [securityContext]="container.securityContext"
+                           [initialized]="initialized">
+      </kd-security-context>
     </div>
   </div>
 

src/app/frontend/common/components/module.ts

@@ -84,7 +84,7 @@ import {VolumeMountComponent} from './volumemount/component';
 import {PersistentVolumeClaimListComponent} from './resourcelist/persistentvolumeclaim/component';
 import {PluginListComponent} from './resourcelist/plugin/component';
 import {PodListComponent} from './resourcelist/pod/component';
-import {ContainerSecurityContextComponent} from './securitycontext/component';
+import {SecurityContextComponent} from './securitycontext/component';
 import {ReplicaSetListComponent} from './resourcelist/replicaset/component';
 import {ReplicationControllerListComponent} from './resourcelist/replicationcontroller/component';
 import {SecretListComponent} from './resourcelist/secret/component';
@@ -162,7 +162,7 @@ const components = [
   PropertyComponent,
   ProxyComponent,
   PodListComponent,
-  ContainerSecurityContextComponent,
+  SecurityContextComponent,
   PersistentVolumeListComponent,
   PersistentVolumeClaimListComponent,
   PolicyRuleListComponent,

src/app/frontend/common/components/securitycontext/component.ts

@@ -13,13 +13,19 @@
 // limitations under the License.
 
 import {Component, Input} from '@angular/core';
-import {ContainerSecurityContext} from '@api/root.api';
+import {ContainerSecurityContext, PodSecurityContext, StringMap, Sysctl} from '@api/root.api';
 
 @Component({
-  selector: 'kd-container-security-context',
+  selector: 'kd-security-context',
   templateUrl: './template.html',
 })
-export class ContainerSecurityContextComponent {
+export class SecurityContextComponent {
   @Input() initialized: boolean;
-  @Input() securityContext: ContainerSecurityContext;
+  @Input() securityContext: PodSecurityContext | ContainerSecurityContext;
+
+  toSysctlMap(sysctls: Sysctl[]): StringMap {
+    const stringMap: {[key: string]: string} = {};
+    sysctls.forEach(s => (stringMap[s.name] = s.value));
+    return stringMap;
+  }
 }

src/app/frontend/common/components/securitycontext/template.html

@@ -17,50 +17,35 @@ limitations under the License.
 <div content
      *ngIf="initialized"
      fxLayout="row wrap">
-  <kd-property *ngIf="securityContext?.capabilities?.add">
-    <div key
-         i18n>Added Capabilities</div>
-    <div value>
-      {{securityContext.capabilities.add}}
-    </div>
-  </kd-property>
-  <kd-property *ngIf="securityContext?.capabilities?.drop">
-    <div key
-         i18n>Dropped Capabilities</div>
-    <div value>
-      {{securityContext.capabilities.drop}}
-    </div>
-  </kd-property>
-  <kd-property *ngIf="securityContext?.privileged">
-    <div key
-         i18n>Privileged</div>
-    <div value>{{securityContext.privileged}}</div>
-  </kd-property>
-
+  <!--  Common Security Context Properties -->
   <kd-property *ngIf="securityContext?.seLinuxOptions?.user">
     <div key
-         i18n>SE Linux User</div>
+         i18n>SE Linux User
+    </div>
     <div value>
       {{securityContext.seLinuxOptions.user}}
     </div>
   </kd-property>
   <kd-property *ngIf="securityContext?.seLinuxOptions?.role">
     <div key
-         i18n>SE Linux Role</div>
+         i18n>SE Linux Role
+    </div>
     <div value>
       {{securityContext.seLinuxOptions.role}}
     </div>
   </kd-property>
   <kd-property *ngIf="securityContext?.seLinuxOptions?.type">
     <div key
-         i18n>SE Linux Type</div>
+         i18n>SE Linux Type
+    </div>
     <div value>
       {{securityContext.seLinuxOptions.type}}
     </div>
   </kd-property>
   <kd-property *ngIf="securityContext?.seLinuxOptions?.level">
     <div key
-         i18n>SE Linux Level</div>
+         i18n>SE Linux Level
+    </div>
     <div value>
       {{securityContext.seLinuxOptions.level}}
     </div>
@@ -68,70 +53,140 @@ limitations under the License.
 
   <kd-property *ngIf="securityContext?.windowsOptions?.gMSACredentialSpecName">
     <div key
-         i18n>Windows GMSA Credential Spec Name</div>
+         i18n>Windows GMSA Credential Spec Name
+    </div>
     <div value>
       {{securityContext.windowsOptions.gMSACredentialSpecName}}
     </div>
   </kd-property>
   <kd-property *ngIf="securityContext?.windowsOptions?.gMSACredentialSpec">
     <div key
-         i18n>Windows GMSA Credential Spec</div>
+         i18n>Windows GMSA Credential Spec
+    </div>
     <div value>
       {{securityContext.windowsOptions.gMSACredentialSpec}}
     </div>
   </kd-property>
   <kd-property *ngIf="securityContext?.windowsOptions?.runAsUserName">
     <div key
-         i18n>Windows Run as User</div>
+         i18n>Windows Run as User
+    </div>
     <div value>
       {{securityContext.windowsOptions.runAsUserName}}
     </div>
   </kd-property>
 
-  <kd-property *ngIf="securityContext?.runAsUser">
+  <kd-property *ngIf="securityContext?.runAsUser !== undefined">
     <div key
-         i18n>Run as User</div>
+         i18n>Run as User
+    </div>
     <div value>{{securityContext.runAsUser}}</div>
   </kd-property>
-  <kd-property *ngIf="securityContext?.runAsGroup">
+  <kd-property *ngIf="securityContext?.runAsGroup !== undefined">
     <div key
-         i18n>Run as Group</div>
+         i18n>Run as Group
+    </div>
     <div value>{{securityContext.runAsGroup}}</div>
   </kd-property>
-  <kd-property *ngIf="securityContext?.runAsNonRoot">
+  <kd-property *ngIf="securityContext?.runAsNonRoot !== undefined">
     <div key
-         i18n>Run as Non-Root</div>
+         i18n>Run as Non-Root
+    </div>
     <div value>{{securityContext.runAsNonRoot}}</div>
   </kd-property>
-  <kd-property *ngIf="securityContext?.readOnlyRootFilesystem">
+
+  <kd-property *ngIf="securityContext?.seccompProfile?.type">
+    <div key
+         i18n>Seccomp Profile Type
+    </div>
+    <div value>
+      {{securityContext.seccompProfile.type}}
+    </div>
+  </kd-property>
+  <kd-property *ngIf="securityContext?.seccompProfile?.localhostProfile">
+    <div key
+         i18n>Seccomp Localhost Profile
+    </div>
+    <div value>
+      {{securityContext.seccompProfile.localhostProfile}}
+    </div>
+  </kd-property>
+
+  <!--  Container Security Context Properties -->
+  <kd-property *ngIf="securityContext?.capabilities?.add">
+    <div key
+         i18n>Added Capabilities
+    </div>
+    <div value>
+      {{securityContext.capabilities.add}}
+    </div>
+  </kd-property>
+  <kd-property *ngIf="securityContext?.capabilities?.drop">
+    <div key
+         i18n>Dropped Capabilities
+    </div>
+    <div value>
+      {{securityContext.capabilities.drop}}
+    </div>
+  </kd-property>
+  <kd-property *ngIf="securityContext?.privileged !== undefined">
+    <div key
+         i18n>Privileged
+    </div>
+    <div value>{{securityContext.privileged}}</div>
+  </kd-property>
+  <kd-property *ngIf="securityContext?.readOnlyRootFilesystem !== undefined">
     <div key
-         i18n>Read Only Filesystem</div>
+         i18n>Read Only Filesystem
+    </div>
     <div value>{{securityContext.readOnlyRootFilesystem}}</div>
   </kd-property>
-  <kd-property *ngIf="securityContext?.allowPrivilegeEscalation">
+  <kd-property *ngIf="securityContext?.allowPrivilegeEscalation !== undefined">
     <div key
-         i18n>Allow Privilege Escalation</div>
+         i18n>Allow Privilege Escalation
+    </div>
     <div value>{{securityContext.allowPrivilegeEscalation}}</div>
   </kd-property>
   <kd-property *ngIf="securityContext?.procMount">
     <div key
-         i18n>Proc Mount</div>
+         i18n>Proc Mount
+    </div>
     <div value>{{securityContext.procMount}}</div>
   </kd-property>
 
-  <kd-property *ngIf="securityContext?.seccompProfile?.type">
+  <!-- Pod Security Context Properties -->
+  <kd-property *ngIf="securityContext?.fsGroup !== undefined">
     <div key
-         i18n>Seccomp Profile Type</div>
+         i18n>Filesystem Group
+    </div>
     <div value>
-      {{securityContext.seccompProfile.type}}
+      {{securityContext.fsGroup}}
     </div>
   </kd-property>
-  <kd-property *ngIf="securityContext?.seccompProfile?.localhostProfile">
+  <kd-property *ngIf="securityContext?.fsGroupChangePolicy">
     <div key
-         i18n>Seccomp Localhost Profile</div>
+         i18n>Filesystem Group Change Policy
+    </div>
     <div value>
-      {{securityContext.seccompProfile.localhostProfile}}
+      {{securityContext.fsGroupChangePolicy}}
+    </div>
+  </kd-property>
+  <kd-property *ngIf="securityContext?.supplementalGroups"
+               fxFlex="100">
+    <div key
+         i18n>Supplemental Groups
+    </div>
+    <div value>
+      <kd-chips [map]="securityContext.supplementalGroups"></kd-chips>
+    </div>
+  </kd-property>
+  <kd-property *ngIf="securityContext?.sysctls"
+               fxFlex="100">
+    <div key
+         i18n>Sysctls
+    </div>
+    <div value>
+      <kd-chips [map]="toSysctlMap(securityContext.sysctls)"></kd-chips>
     </div>
   </kd-property>
-
 </div>

src/app/frontend/resource/workloads/pod/detail/component.ts

@@ -17,6 +17,7 @@ import {ActivatedRoute} from '@angular/router';
 import {Container, PodDetail} from '@api/root.api';
 import {Subject} from 'rxjs';
 import {takeUntil} from 'rxjs/operators';
+import * as _ from 'lodash';
 
 import {ActionbarService, ResourceMeta} from '../../../../common/services/global/actionbar';
 import {NotificationsService} from '../../../../common/services/global/notifications';
@@ -27,6 +28,7 @@ import {NamespacedResourceService} from '../../../../common/services/resource/re
 @Component({
   selector: 'kd-pod-detail',
   templateUrl: './template.html',
+  styleUrls: ['style.scss'],
 })
 export class PodDetailComponent implements OnInit, OnDestroy {
   private readonly endpoint_ = EndpointManager.resource(Resource.pod, true);
@@ -69,6 +71,10 @@ export class PodDetailComponent implements OnInit, OnDestroy {
     this.actionbar_.onDetailsLeave.emit();
   }
 
+  hasSecurityContext(): boolean {
+    return this.pod && !_.isEmpty(this.pod.securityContext);
+  }
+
   getNodeHref(name: string): string {
     return this.kdState_.href('node', name);
   }

src/app/frontend/resource/workloads/pod/detail/style.scss

+// Copyright 2017 The Kubernetes Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+@import '../../../../variables';
+
+.security-context-header {
+  font-size: $subhead-font-size-base-lg;
+  margin: (2 * $baseline-grid) 0;
+}

src/app/frontend/typings/root.api.ts

@@ -642,6 +642,7 @@ export interface PodDetail extends ResourceDetail {
   imagePullSecrets: LocalObjectReference[];
   eventList: EventList;
   persistentVolumeClaimList: PersistentVolumeClaimList;
+  securityContext: PodSecurityContext;
 }
 
 export interface LocalObjectReference {
@@ -874,18 +875,33 @@ export interface Container {
   securityContext: ContainerSecurityContext;
 }
 
-export interface ContainerSecurityContext {
-  capabilities?: Capabilities;
-  privileged?: boolean;
+export interface ISecurityContext {
   seLinuxOptions?: SELinuxOptions;
   windowsOptions?: WindowsSecurityContextOptions;
   runAsUser?: number;
   runAsGroup?: number;
   runAsNonRoot?: boolean;
+  seccompProfile?: SeccompProfile;
+}
+
+export interface ContainerSecurityContext extends ISecurityContext {
+  capabilities?: Capabilities;
+  privileged?: boolean;
   readOnlyRootFilesystem?: boolean;
   allowPrivilegeEscalation?: boolean;
   procMount?: string; // ProcMountType;
-  seccompProfile?: SeccompProfile;
+}
+
+export interface PodSecurityContext extends ISecurityContext {
+  fsGroup?: number;
+  fsGroupChangePolicy?: string;
+  supplementalGroups?: number[];
+  sysctls?: Sysctl[];
+}
+
+export interface Sysctl {
+  name: string;
+  value: string;
 }
 
 export interface Capabilities {