quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Kubernetes Job does not inherit customization made to the Kubernetes deployment #41181

Open Dohbedoh opened 5 months ago

Dohbedoh commented 5 months ago

Description

Per the documentation of init tasks https://quarkus.io/guides/init-tasks#controlling-the-generated-job:

The image, image pull policy, service account, volumes, mounts and additional environment variables are inherited/copied from the deployment resource. Any customization to the original deployment resource (via configuration or extension) will also be reflected in the job.

However this does not seem to be the case.

Given the following config in application.yaml:

quarkus:
  container-image:
    registry: 123456789012.dkr.ecr.us-east-1.amazonaws.com
    group: ""
    name: myapp
    push: true
  kubernetes:
    namespace: myapp
    deployment-target: kubernetes
    deploy: true
    rbac:
      service-accounts:
        myapp:
          namespace: ${quarkus.kubernetes.namespace}
          use-as-default: true

When adding the following to the src/main/kubernetes/kubernetes.yml:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
      - name: my-app
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      initContainers:
      - name: my-app
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault

The resulting job does not inherit the securityContext customization:

apiVersion: batch/v1
kind: Job
metadata:
  name: myapp-flyway-init
  namespace: myapp
spec:
  completionMode: NonIndexed
  template:
    metadata:
      namespace: myapp
    spec:
      containers:
        - env:
            - name: QUARKUS_INIT_AND_EXIT
              value: "true"
            - name: QUARKUS_FLYWAY_ENABLED
              value: "true"
          image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:1.0.0-SNAPSHOT
          name: myapp-flyway-init
      restartPolicy: OnFailure
      serviceAccountName: myapp

When trying to bring the customization to the Job itself in src/main/kubernetes/kubernetes.yml:

apiVersion: batch/v1
kind: Job
metadata:
  name: myapp-flyway-init
spec:
  template:
    spec:
      containers:
      - name: myapp-flyway-init
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault

The resulting yaml misses the spec.template.spec.container.[0].image and the spec.template.spec.restartPolicy:

apiVersion: batch/v1
kind: Job
metadata:
  name: myapp-flyway-init
  namespace: myapp
spec:
  template:
    metadata:
      namespace: myapp
    spec:
      containers:
        - env:
            - name: QUARKUS_FLYWAY_ENABLED
              value: "true"
            - name: QUARKUS_INIT_AND_EXIT
              value: "true"
          name: myapp-flyway-init
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      serviceAccountName: myapp

Implementation ideas

It does not seem possible to customize the securityContext of the generated Job. No configuration option for this. Not possible via src/main/kubernetes/kubernetes.yml because of the missing attributes when doing so. Customization made to the deployment via src/main/kubernetes/kubernetes.yml is not reflected to the job.

This could probably be improved. The job spec should maybe be reflecting the deployment spec, after all customization. Spec such as the pod securityContext or container securityContext make sense at least.

Also when customized via src/main/kubernetes/kubernetes.yml, the job generation should set the spec.template.spec.container.[0].image and the spec.template.spec.restartPolicy if not customized. That maybe is a bug.
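
A check that flags both outcomes reported above, as an added example that is not part of the original issue or of Quarkus: it audits Deployment and Job manifests, already parsed into dicts, against the securityContext baseline from the report. The `audit` function, the `_job` helper and the two sample Jobs are constructed for illustration.

```python
# Baseline copied from the securityContext in the issue's Deployment override.
HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True, "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"}}
IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:1.0.0-SNAPSHOT"

def audit(resources):
    """Return findings for every Deployment/Job container below the baseline."""
    findings = []
    for res in resources:
        if res.get("kind") not in ("Deployment", "Job"):
            continue
        spec = res.get("spec", {}).get("template", {}).get("spec", {})
        owner = f"{res['kind']}/{res['metadata']['name']}"
        pod_sc = spec.get("securityContext") or {}
        # A Job pod template must declare restartPolicy Never or OnFailure.
        if res["kind"] == "Job" and spec.get("restartPolicy") not in ("Never", "OnFailure"):
            findings.append(f"{owner}: restartPolicy missing or invalid")
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            where = f"{owner}/{c.get('name')}"
            sc = c.get("securityContext") or {}
            if not c.get("image"):
                findings.append(f"{where}: image missing")
            # These fields exist only at container level.
            for key in ("allowPrivilegeEscalation", "readOnlyRootFilesystem"):
                if sc.get(key) is not HARDENED[key]:
                    findings.append(f"{where}: {key} is not {str(HARDENED[key]).lower()}")
            if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
                findings.append(f"{where}: capabilities.drop lacks ALL")
            # These two may be set on the pod; a container value takes precedence.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                findings.append(f"{where}: runAsNonRoot is not true")
            seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
            if seccomp.get("type") != "RuntimeDefault":
                findings.append(f"{where}: seccompProfile is not RuntimeDefault")
    return findings

def _job(container, **pod):
    """Constructed sample shaped like the generated Jobs shown in the issue."""
    c = {"name": "myapp-flyway-init", **container}
    return [{"kind": "Job", "metadata": {"name": "myapp-flyway-init"},
             "spec": {"template": {"spec": {"containers": [c], **pod}}}}]

# Case 1: Deployment customization not inherited. Case 2: Job overridden in kubernetes.yml.
NOT_INHERITED = _job({"image": IMAGE}, restartPolicy="OnFailure", serviceAccountName="myapp")
OVERRIDDEN = _job({"securityContext": HARDENED}, serviceAccountName="myapp")

if __name__ == "__main__":
    for name, sample in (("not inherited", NOT_INHERITED), ("overridden", OVERRIDDEN)):
        print(name, *audit(sample), sep="\n  ")
```

Run against the parsed build output in CI, a non-empty result can fail the build before an unhardened or incomplete init Job is applied to the cluster.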

quarkus-bot[bot] commented 5 months ago

/cc @geoand (kubernetes), @iocanel (kubernetes)

geoand commented 5 months ago

Thanks for reporting the issue.

What version of Quarkus is this? If it's not the latest, can you check if the issue occurs with it?

Dohbedoh commented 5 months ago

With Quarkus 3.11.1. I can test with the most recent version.

Dohbedoh commented 5 months ago

Tested with 3.12.0.CR1. Same problems.

geoand commented 5 months ago

Thanks for checking

efuturetoday commented 2 months ago

I am also facing this issue 😢