feat: Drop-all capabilites by default. Fixes #142 (#181)

argoproj-labs · Aug 2, 2021 · 7b00de2 · 7b00de2
1 parent 78e1b32
commit 7b00de2
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 16 deletions.
diff --git a/api/v1alpha1/container_builder.go b/api/v1alpha1/container_builder.go
@@ -6,13 +6,14 @@ import corev1 "k8s.io/api/core/v1"
 type containerBuilder corev1.Container
 
 func (b containerBuilder) init(req getContainerReq) containerBuilder {
-	b.Name = CtrMain
+	b.Env = req.env
 	b.Image = req.runnerImage
 	b.ImagePullPolicy = req.imagePullPolicy
-	b.Env = req.env
-	b.VolumeMounts = []corev1.VolumeMount{req.volumeMount}
 	b.Lifecycle = req.lifecycle
+	b.Name = CtrMain
 	b.Resources = standardResources
+	b.SecurityContext = req.securityContext
+	b.VolumeMounts = []corev1.VolumeMount{req.volumeMount}
 	return b
 }
 

diff --git a/api/v1alpha1/container_supplier.go b/api/v1alpha1/container_supplier.go
@@ -9,6 +9,7 @@ type getContainerReq struct {
 	imagePullPolicy corev1.PullPolicy
 	lifecycle       *corev1.Lifecycle
 	runnerImage     string
+	securityContext *corev1.SecurityContext
 	volumeMount     corev1.VolumeMount
 }
 

diff --git a/api/v1alpha1/step_types.go b/api/v1alpha1/step_types.go
@@ -62,6 +62,11 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec {
 		{Name: EnvUpdateInterval, Value: req.UpdateInterval.String()},
 		{Name: "GODEBUG", Value: os.Getenv("GODEBUG")},
 	}
+	dropAll := &corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"all"},
+		},
+	}
 	return corev1.PodSpec{
 		Volumes: append(in.Spec.Volumes, volume, corev1.Volume{
 			Name: "ssh",
@@ -93,7 +98,8 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec {
 					ReadOnly:  true,
 					MountPath: "/.ssh",
 				}),
-				Resources: standardResources,
+				Resources:       standardResources,
+				SecurityContext: dropAll,
 			},
 		},
 		Containers: []corev1.Container{
@@ -121,6 +127,7 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec {
 						},
 					},
 				},
+				SecurityContext: dropAll,
 			},
 			in.Spec.getType().getContainer(getContainerReq{
 				env:             []corev1.EnvVar{{Name: EnvBearerToken, Value: req.BearerToken}},
@@ -133,8 +140,9 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec {
 						},
 					},
 				},
-				runnerImage: req.RunnerImage,
-				volumeMount: corev1.VolumeMount{Name: "var-run-argo-dataflow", MountPath: "/var/run/argo-dataflow"},
+				runnerImage:     req.RunnerImage,
+				securityContext: dropAll,
+				volumeMount:     corev1.VolumeMount{Name: "var-run-argo-dataflow", MountPath: "/var/run/argo-dataflow"},
 			}),
 		},
 	}

diff --git a/api/v1alpha1/step_types_test.go b/api/v1alpha1/step_types_test.go
@@ -24,6 +24,11 @@ func TestStep_GetPodSpec(t *testing.T) {
 		{Name: "GODEBUG"},
 	}
 	mounts := []corev1.VolumeMount{{Name: "var-run-argo-dataflow", MountPath: "/var/run/argo-dataflow"}}
+	dropAll := &corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"all"},
+		},
+	}
 	tests := []struct {
 		name string
 		sepc Step
@@ -69,8 +74,9 @@ func TestStep_GetPodSpec(t *testing.T) {
 								HTTPGet: &corev1.HTTPGetAction{Path: "/ready", Port: intstr.FromInt(3569)},
 							},
 						},
-						Resources:    standardResources,
-						VolumeMounts: mounts,
+						Resources:       standardResources,
+						SecurityContext: dropAll,
+						VolumeMounts:    mounts,
 					},
 					{
 						Args: []string{"cat"},
@@ -83,8 +89,9 @@ func TestStep_GetPodSpec(t *testing.T) {
 						Lifecycle: &corev1.Lifecycle{PreStop: &corev1.Handler{
 							Exec: &corev1.ExecAction{Command: []string{"/var/run/argo-dataflow/prestop"}},
 						}},
-						Resources:    standardResources,
-						VolumeMounts: mounts,
+						Resources:       standardResources,
+						SecurityContext: dropAll,
+						VolumeMounts:    mounts,
 					},
 				},
 				InitContainers: []corev1.Container{
@@ -95,6 +102,7 @@ func TestStep_GetPodSpec(t *testing.T) {
 						ImagePullPolicy: corev1.PullAlways,
 						Name:            "init",
 						Resources:       standardResources,
+						SecurityContext: dropAll,
 						VolumeMounts: append(mounts, corev1.VolumeMount{
 							Name:      "ssh",
 							ReadOnly:  true,

diff --git a/examples/git/go.mod b/examples/git/go.mod
@@ -2,4 +2,4 @@ module github.com/argoproj-labs/argo-dataflow/examples/git
 
 go 1.16
 
-require github.com/argoproj-labs/argo-dataflow v0.0.76
+require github.com/argoproj-labs/argo-dataflow v0.0.78
diff --git a/examples/git/go.sum b/examples/git/go.sum
@@ -70,8 +70,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antonmedv/expr v1.8.9/go.mod h1:5qsM3oLGDND7sDmQGDXHkYfkjYMUX14qsgqmHhwGEk8=
-github.com/argoproj-labs/argo-dataflow v0.0.76 h1:6hTWw7P3HwC++iXMPniyoF0n6pb/J5TZ1P0/AypBCXY=
-github.com/argoproj-labs/argo-dataflow v0.0.76/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k=
+github.com/argoproj-labs/argo-dataflow v0.0.78 h1:SHiWGBhGttCZQ0f+wWrEHWZrFxNoQ5Y2PolPWgQ5Mlc=
+github.com/argoproj-labs/argo-dataflow v0.0.78/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=

diff --git a/runtimes/golang1-16/go.mod b/runtimes/golang1-16/go.mod
@@ -2,4 +2,4 @@ module github.com/argoproj-labs/argo-dataflow/runtimes/golang1-16
 
 go 1.16
 
-require github.com/argoproj-labs/argo-dataflow v0.0.76
+require github.com/argoproj-labs/argo-dataflow v0.0.78
diff --git a/runtimes/golang1-16/go.sum b/runtimes/golang1-16/go.sum
@@ -70,8 +70,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antonmedv/expr v1.8.9/go.mod h1:5qsM3oLGDND7sDmQGDXHkYfkjYMUX14qsgqmHhwGEk8=
-github.com/argoproj-labs/argo-dataflow v0.0.76 h1:6hTWw7P3HwC++iXMPniyoF0n6pb/J5TZ1P0/AypBCXY=
-github.com/argoproj-labs/argo-dataflow v0.0.76/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k=
+github.com/argoproj-labs/argo-dataflow v0.0.78 h1:SHiWGBhGttCZQ0f+wWrEHWZrFxNoQ5Y2PolPWgQ5Mlc=
+github.com/argoproj-labs/argo-dataflow v0.0.78/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=