From 6dde005a8090f4840e6fa64188eb3f1c1ab0ab35 Mon Sep 17 00:00:00 2001 From: "Fabio M. Graetz, Ph.D" Date: Mon, 8 Jan 2024 18:29:16 +0100 Subject: [PATCH] Feat: Add option in K8s plugin config to inject user identity as pod label (#4637) * Add option in K8s plugin config to inject user identity into pod labels Signed-off-by: Fabio Graetz * Inject user identity into TaskExecutionMetadata labels Signed-off-by: Fabio Graetz * Add unit tests Signed-off-by: Fabio Graetz * Remove duplicate labels injection Signed-off-by: Fabio Graetz * Lint Signed-off-by: Fabio Graetz * Revert "Add option in K8s plugin config to inject user identity into pod labels" This reverts commit c42a4a02fd9ba30c2af7d2c42b1a7b5916140fb4. Signed-off-by: Fabio Graetz * Always inject user identity as pod label if known Signed-off-by: Fabio Graetz * Use hyphen instead of underscore in pod label Signed-off-by: Fabio Graetz * Update flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go Signed-off-by: Fabio M. Graetz, Ph.D. Signed-off-by: Fabio Graetz * Fix tests Signed-off-by: Fabio Graetz * Remove duplicate unit test logic Signed-off-by: Fabio Graetz --------- Signed-off-by: Fabio Graetz Signed-off-by: Fabio M. Graetz, Ph.D. Co-authored-by: Dan Rammer --- .../nodes/task/k8s/plugin_manager_test.go | 1 + .../nodes/task/k8s/task_exec_context.go | 17 +++++++++----- .../nodes/task/k8s/task_exec_context_test.go | 22 +++++++++++++++++++ 3 files changed, 34 insertions(+), 6 deletions(-) diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/plugin_manager_test.go b/flytepropeller/pkg/controller/nodes/task/k8s/plugin_manager_test.go index a96536e7ac..2c7fda0f6e 100644 --- a/flytepropeller/pkg/controller/nodes/task/k8s/plugin_manager_test.go +++ b/flytepropeller/pkg/controller/nodes/task/k8s/plugin_manager_test.go @@ -200,6 +200,7 @@ func getMockTaskExecutionMetadata() pluginsCore.TaskExecutionMetadata { taskExecutionMetadata.On("GetAnnotations").Return(map[string]string{"aKey": "aVal"}) taskExecutionMetadata.On("GetLabels").Return(map[string]string{"lKey": "lVal"}) taskExecutionMetadata.On("GetOwnerReference").Return(metav1.OwnerReference{Name: "x"}) + taskExecutionMetadata.On("GetSecurityContext").Return(core.SecurityContext{RunAs: &core.Identity{}}) id := &pluginsCoreMock.TaskExecutionID{} id.On("GetGeneratedName").Return("test") diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go index 14984e3f97..17bbce5398 100644 --- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go +++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go @@ -7,6 +7,8 @@ import ( "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils/secrets" ) +const executionIdentityVariable = "execution-identity" + // TaskExecutionContext provides a layer on top of core TaskExecutionContext with a custom TaskExecutionMetadata. type TaskExecutionContext struct { pluginsCore.TaskExecutionContext @@ -42,25 +44,28 @@ func (t TaskExecutionMetadata) GetAnnotations() map[string]string { } // newTaskExecutionMetadata creates a TaskExecutionMetadata with secrets serialized as annotations and a label added -// to trigger the flyte pod webhook +// to trigger the flyte pod webhook. If known, the execution identity is injected as a label. func newTaskExecutionMetadata(tCtx pluginsCore.TaskExecutionMetadata, taskTmpl *core.TaskTemplate) (TaskExecutionMetadata, error) { var err error secretsMap := make(map[string]string) - injectSecretsLabel := make(map[string]string) + injectLabels := make(map[string]string) if taskTmpl.SecurityContext != nil && len(taskTmpl.SecurityContext.Secrets) > 0 { secretsMap, err = secrets.MarshalSecretsToMapStrings(taskTmpl.SecurityContext.Secrets) if err != nil { return TaskExecutionMetadata{}, err } - injectSecretsLabel = map[string]string{ - secrets.PodLabel: secrets.PodLabelValue, - } + injectLabels[secrets.PodLabel] = secrets.PodLabelValue + } + + id := tCtx.GetSecurityContext().RunAs.ExecutionIdentity + if len(id) > 0 { + injectLabels[executionIdentityVariable] = id } return TaskExecutionMetadata{ TaskExecutionMetadata: tCtx, annotations: utils.UnionMaps(tCtx.GetAnnotations(), secretsMap), - labels: utils.UnionMaps(tCtx.GetLabels(), injectSecretsLabel), + labels: utils.UnionMaps(tCtx.GetLabels(), injectLabels), }, nil } diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go index 8807236bff..bf9ca1eadb 100644 --- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go +++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go @@ -21,6 +21,7 @@ func Test_newTaskExecutionMetadata(t *testing.T) { "existingLabel": "existingLabelValue", } existingMetadata.OnGetLabels().Return(existingLabels) + existingMetadata.OnGetSecurityContext().Return(core.SecurityContext{RunAs: &core.Identity{}}) actual, err := newTaskExecutionMetadata(existingMetadata, &core.TaskTemplate{}) assert.NoError(t, err) @@ -40,6 +41,7 @@ func Test_newTaskExecutionMetadata(t *testing.T) { "existingLabel": "existingLabelValue", } existingMetadata.OnGetLabels().Return(existingLabels) + existingMetadata.OnGetSecurityContext().Return(core.SecurityContext{RunAs: &core.Identity{}}) actual, err := newTaskExecutionMetadata(existingMetadata, &core.TaskTemplate{ SecurityContext: &core.SecurityContext{ @@ -64,6 +66,26 @@ func Test_newTaskExecutionMetadata(t *testing.T) { "inject-flyte-secrets": "true", }, actual.GetLabels()) }) + + t.Run("Inject exec identity", func(t *testing.T) { + + existingMetadata := &mocks.TaskExecutionMetadata{} + existingAnnotations := map[string]string{} + existingMetadata.OnGetAnnotations().Return(existingAnnotations) + + existingMetadata.OnGetSecurityContext().Return(core.SecurityContext{RunAs: &core.Identity{ExecutionIdentity: "test-exec-identity"}}) + + existingLabels := map[string]string{ + "existingLabel": "existingLabelValue", + } + existingMetadata.OnGetLabels().Return(existingLabels) + + actual, err := newTaskExecutionMetadata(existingMetadata, &core.TaskTemplate{}) + assert.NoError(t, err) + + assert.Equal(t, 2, len(actual.GetLabels())) + assert.Equal(t, "test-exec-identity", actual.GetLabels()[executionIdentityVariable]) + }) } func Test_newTaskExecutionContext(t *testing.T) {