new driver: kubernetes

Tested with `kind` and GKE.

Note: "nodes" shown in `docker buildx ls` are unrelated to Kubernetes "nodes".
Probably buildx should come up with an alternative term.

Usage:

  $ kind create cluster
  $ export KUBECONFIG="$(kind get kubeconfig-path --name="kind")"

  $ docker buildx create --driver kubernetes --driver-opt replicas=3 --use
  $ docker buildx build -t foo --load .

`--load` loads the image into the local Docker.

Driver opts:

  - `image=IMAGE` - Sets the container image to be used for running buildkit.
  - `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
  - `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
  - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Defaults to false.
  - `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

driver/kubernetes/manifest/manifest.go

@@ -0,0 +1,90 @@
+package manifest
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type DeploymentOpt struct {
+	Namespace     string
+	Name          string
+	Image         string
+	Replicas      int
+	BuildkitFlags []string
+	Rootless      bool
+}
+
+const (
+	containerName = "buildkitd"
+)
+
+func NewDeployment(opt *DeploymentOpt) (*appsv1.Deployment, error) {
+	labels := map[string]string{
+		"app": opt.Name,
+	}
+	replicas := int32(opt.Replicas)
+	privileged := true
+	args := opt.BuildkitFlags
+	d := &appsv1.Deployment{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: appsv1.SchemeGroupVersion.String(),
+			Kind:       "Deployment",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: opt.Namespace,
+			Name:      opt.Name,
+			Labels:    labels,
+		},
+		Spec: appsv1.DeploymentSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{
+				MatchLabels: labels,
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: labels,
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  containerName,
+							Image: opt.Image,
+							Args:  args,
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: &privileged,
+							},
+							ReadinessProbe: &corev1.Probe{
+								Handler: corev1.Handler{
+									Exec: &corev1.ExecAction{
+										Command: []string{"buildctl", "debug", "workers"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	if opt.Rootless {
+		if err := toRootless(d); err != nil {
+			return nil, err
+		}
+	}
+	return d, nil
+}
+
+func toRootless(d *appsv1.Deployment) error {
+	d.Spec.Template.Spec.Containers[0].Args = append(
+		d.Spec.Template.Spec.Containers[0].Args,
+		"--oci-worker-no-process-sandbox",
+	)
+	d.Spec.Template.Spec.Containers[0].SecurityContext = nil
+	if d.Spec.Template.ObjectMeta.Annotations == nil {
+		d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 2)
+	}
+	d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined"
+	d.Spec.Template.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+containerName] = "unconfined"
+	return nil
+}