feat(client-batch): This feature allows AWS Batch to support configuration of imagePullSecrets and allowPrivilegeEscalation for jobs running on EKS

Author: awstools

clients/client-batch/src/commands/DescribeJobDefinitionsCommand.ts

@@ -394,6 +394,11 @@ export interface DescribeJobDefinitionsCommandOutput extends DescribeJobDefiniti
  * //           serviceAccountName: "STRING_VALUE",
  * //           hostNetwork: true || false,
  * //           dnsPolicy: "STRING_VALUE",
+ * //           imagePullSecrets: [ // ImagePullSecrets
+ * //             { // ImagePullSecret
+ * //               name: "STRING_VALUE", // required
+ * //             },
+ * //           ],
  * //           containers: [ // EksContainers
  * //             { // EksContainer
  * //               name: "STRING_VALUE",
@@ -426,6 +431,7 @@ export interface DescribeJobDefinitionsCommandOutput extends DescribeJobDefiniti
  * //                 runAsUser: Number("long"),
  * //                 runAsGroup: Number("long"),
  * //                 privileged: true || false,
+ * //                 allowPrivilegeEscalation: true || false,
  * //                 readOnlyRootFilesystem: true || false,
  * //                 runAsNonRoot: true || false,
  * //               },
@@ -463,6 +469,7 @@ export interface DescribeJobDefinitionsCommandOutput extends DescribeJobDefiniti
  * //                 runAsUser: Number("long"),
  * //                 runAsGroup: Number("long"),
  * //                 privileged: true || false,
+ * //                 allowPrivilegeEscalation: true || false,
  * //                 readOnlyRootFilesystem: true || false,
  * //                 runAsNonRoot: true || false,
  * //               },

clients/client-batch/src/commands/DescribeJobsCommand.ts

@@ -405,6 +405,11 @@ export interface DescribeJobsCommandOutput extends DescribeJobsResponse, __Metad
  * //           serviceAccountName: "STRING_VALUE",
  * //           hostNetwork: true || false,
  * //           dnsPolicy: "STRING_VALUE",
+ * //           imagePullSecrets: [ // ImagePullSecrets
+ * //             { // ImagePullSecret
+ * //               name: "STRING_VALUE", // required
+ * //             },
+ * //           ],
  * //           containers: [ // EksContainerDetails
  * //             { // EksContainerDetail
  * //               name: "STRING_VALUE",
@@ -439,6 +444,7 @@ export interface DescribeJobsCommandOutput extends DescribeJobsResponse, __Metad
  * //                 runAsUser: Number("long"),
  * //                 runAsGroup: Number("long"),
  * //                 privileged: true || false,
+ * //                 allowPrivilegeEscalation: true || false,
  * //                 readOnlyRootFilesystem: true || false,
  * //                 runAsNonRoot: true || false,
  * //               },
@@ -478,6 +484,7 @@ export interface DescribeJobsCommandOutput extends DescribeJobsResponse, __Metad
  * //                 runAsUser: Number("long"),
  * //                 runAsGroup: Number("long"),
  * //                 privileged: true || false,
+ * //                 allowPrivilegeEscalation: true || false,
  * //                 readOnlyRootFilesystem: true || false,
  * //                 runAsNonRoot: true || false,
  * //               },

clients/client-batch/src/commands/RegisterJobDefinitionCommand.ts

@@ -337,6 +337,11 @@ export interface RegisterJobDefinitionCommandOutput extends RegisterJobDefinitio
  *       serviceAccountName: "STRING_VALUE",
  *       hostNetwork: true || false,
  *       dnsPolicy: "STRING_VALUE",
+ *       imagePullSecrets: [ // ImagePullSecrets
+ *         { // ImagePullSecret
+ *           name: "STRING_VALUE", // required
+ *         },
+ *       ],
  *       containers: [ // EksContainers
  *         { // EksContainer
  *           name: "STRING_VALUE",
@@ -369,6 +374,7 @@ export interface RegisterJobDefinitionCommandOutput extends RegisterJobDefinitio
  *             runAsUser: Number("long"),
  *             runAsGroup: Number("long"),
  *             privileged: true || false,
+ *             allowPrivilegeEscalation: true || false,
  *             readOnlyRootFilesystem: true || false,
  *             runAsNonRoot: true || false,
  *           },
@@ -406,6 +412,7 @@ export interface RegisterJobDefinitionCommandOutput extends RegisterJobDefinitio
  *             runAsUser: Number("long"),
  *             runAsGroup: Number("long"),
  *             privileged: true || false,
+ *             allowPrivilegeEscalation: true || false,
  *             readOnlyRootFilesystem: true || false,
  *             runAsNonRoot: true || false,
  *           },

clients/client-batch/src/models/models_0.ts

@@ -3353,6 +3353,12 @@ export interface EksContainerSecurityContext {
    */
   privileged?: boolean;
 
+  /**
+   * <p>Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process. The default value is <code>false</code>.</p>
+   * @public
+   */
+  allowPrivilegeEscalation?: boolean;
+
   /**
    * <p>When this parameter is <code>true</code>, the container is given read-only access to its
    *    root file system. The default value is <code>false</code>. This parameter maps to
@@ -3497,6 +3503,18 @@ export interface EksContainer {
   securityContext?: EksContainerSecurityContext;
 }
 
+/**
+ * <p>References a Kubernetes configuration resource that holds a list of secrets. These secrets help to gain access to pull an image from a private registry.</p>
+ * @public
+ */
+export interface ImagePullSecret {
+  /**
+   * <p>Provides a unique identifier for the <code>ImagePullSecret</code>. This object is required when <code>EksPodProperties$imagePullSecrets</code> is used.</p>
+   * @public
+   */
+  name: string | undefined;
+}
+
 /**
  * <p>Describes and uniquely identifies Kubernetes resources. For example, the compute environment that
  *    a pod runs in or the <code>jobID</code> for a job running in the pod. For more information, see
@@ -3664,6 +3682,14 @@ export interface EksPodProperties {
    */
   dnsPolicy?: string;
 
+  /**
+   * <p>References a Kubernetes secret resource. This object must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.</p>
+   *          <p>
+   *             <code>ImagePullSecret$name</code> is required when this object is used.</p>
+   * @public
+   */
+  imagePullSecrets?: ImagePullSecret[];
+
   /**
    * <p>The properties of the container that's used on the Amazon EKS pod.</p>
    * @public
@@ -5103,6 +5129,12 @@ export interface EksPodPropertiesDetail {
    */
   dnsPolicy?: string;
 
+  /**
+   * <p>Displays the reference pointer to the Kubernetes secret resource.</p>
+   * @public
+   */
+  imagePullSecrets?: ImagePullSecret[];
+
   /**
    * <p>The properties of the container that's used on the Amazon EKS pod.</p>
    * @public

clients/client-batch/src/protocols/Aws_restJson1.ts

@@ -127,6 +127,7 @@ import {
   FairsharePolicy,
   FargatePlatformConfiguration,
   Host,
+  ImagePullSecret,
   JobDefinition,
   JobDependency,
   JobDetail,
@@ -1403,6 +1404,10 @@ const se_FairsharePolicy = (input: FairsharePolicy, context: __SerdeContext): an
 
 // se_Host omitted.
 
+// se_ImagePullSecret omitted.
+
+// se_ImagePullSecrets omitted.
+
 // se_JobDependency omitted.
 
 // se_JobDependencyList omitted.
@@ -1669,6 +1674,10 @@ const de_FairsharePolicy = (output: any, context: __SerdeContext): FairsharePoli
 
 // de_Host omitted.
 
+// de_ImagePullSecret omitted.
+
+// de_ImagePullSecrets omitted.
+
 /**
  * deserializeAws_restJson1JobDefinition
  */

codegen/sdk-codegen/aws-models/batch.json

@@ -4220,6 +4220,12 @@
             "smithy.api#documentation": "<p>When this parameter is <code>true</code>, the container is given elevated permissions on the\n   host container instance. The level of permissions are similar to the <code>root</code> user\n   permissions. The default value is <code>false</code>. This parameter maps to\n    <code>privileged</code> policy in the <a href=\"https://kubernetes.io/docs/concepts/security/pod-security-policy/#privileged\">Privileged\n    pod security policies</a> in the <i>Kubernetes documentation</i>.</p>"
           }
         },
+        "allowPrivilegeEscalation": {
+          "target": "com.amazonaws.batch#Boolean",
+          "traits": {
+            "smithy.api#documentation": "<p>Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process. The default value is <code>false</code>.</p>"
+          }
+        },
         "readOnlyRootFilesystem": {
           "target": "com.amazonaws.batch#Boolean",
           "traits": {
@@ -4362,6 +4368,12 @@
             "smithy.api#documentation": "<p>The DNS policy for the pod. The default value is <code>ClusterFirst</code>. If the\n    <code>hostNetwork</code> parameter is not specified, the default is\n    <code>ClusterFirstWithHostNet</code>. <code>ClusterFirst</code> indicates that any DNS query\n   that does not match the configured cluster domain suffix is forwarded to the upstream nameserver\n   inherited from the node. For more information, see <a href=\"https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy\">Pod's DNS policy</a> in the <i>Kubernetes documentation</i>.</p>\n         <p>Valid values: <code>Default</code> | <code>ClusterFirst</code> |\n    <code>ClusterFirstWithHostNet</code>\n         </p>"
           }
         },
+        "imagePullSecrets": {
+          "target": "com.amazonaws.batch#ImagePullSecrets",
+          "traits": {
+            "smithy.api#documentation": "<p>References a Kubernetes secret resource. This object must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.</p>\n         <p>\n            <code>ImagePullSecret$name</code> is required when this object is used.</p>"
+          }
+        },
         "containers": {
           "target": "com.amazonaws.batch#EksContainers",
           "traits": {
@@ -4418,6 +4430,12 @@
             "smithy.api#documentation": "<p>The DNS policy for the pod. The default value is <code>ClusterFirst</code>. If the\n    <code>hostNetwork</code> parameter is not specified, the default is\n    <code>ClusterFirstWithHostNet</code>. <code>ClusterFirst</code> indicates that any DNS query\n   that does not match the configured cluster domain suffix is forwarded to the upstream nameserver\n   inherited from the node. If no value was specified for <code>dnsPolicy</code> in the <a href=\"https://docs.aws.amazon.com/batch/latest/APIReference/API_RegisterJobDefinition.html\">RegisterJobDefinition</a> API operation, then no value will be returned for\n    <code>dnsPolicy</code> by either of <a href=\"https://docs.aws.amazon.com/batch/latest/APIReference/API_DescribeJobDefinitions.html\">DescribeJobDefinitions</a>\n   or <a href=\"https://docs.aws.amazon.com/batch/latest/APIReference/API_DescribeJobs.html\">DescribeJobs</a> API operations. The pod spec setting will contain either\n    <code>ClusterFirst</code> or <code>ClusterFirstWithHostNet</code>, depending on the value of the\n    <code>hostNetwork</code> parameter. For more information, see <a href=\"https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy\">Pod's DNS policy</a> in the <i>Kubernetes documentation</i>.</p>\n         <p>Valid values: <code>Default</code> | <code>ClusterFirst</code> |\n    <code>ClusterFirstWithHostNet</code>\n         </p>"
           }
         },
+        "imagePullSecrets": {
+          "target": "com.amazonaws.batch#ImagePullSecrets",
+          "traits": {
+            "smithy.api#documentation": "<p>Displays the reference pointer to the Kubernetes secret resource.</p>"
+          }
+        },
         "containers": {
           "target": "com.amazonaws.batch#EksContainerDetails",
           "traits": {
@@ -4732,6 +4750,28 @@
         }
       }
     },
+    "com.amazonaws.batch#ImagePullSecret": {
+      "type": "structure",
+      "members": {
+        "name": {
+          "target": "com.amazonaws.batch#String",
+          "traits": {
+            "smithy.api#clientOptional": {},
+            "smithy.api#documentation": "<p>Provides a unique identifier for the <code>ImagePullSecret</code>. This object is required when <code>EksPodProperties$imagePullSecrets</code> is used.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>References a Kubernetes configuration resource that holds a list of secrets. These secrets help to gain access to pull an image from a private registry.</p>"
+      }
+    },
+    "com.amazonaws.batch#ImagePullSecrets": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.batch#ImagePullSecret"
+      }
+    },
     "com.amazonaws.batch#ImageType": {
       "type": "string",
       "traits": {