From 7b00de2535de42c55ca2acdbb646cbc38779ae2f Mon Sep 17 00:00:00 2001 From: Alex Collins Date: Mon, 2 Aug 2021 16:04:34 -0700 Subject: [PATCH] feat: Drop-all capabilites by default. Fixes #142 (#181) --- api/v1alpha1/container_builder.go | 7 ++++--- api/v1alpha1/container_supplier.go | 1 + api/v1alpha1/step_types.go | 14 +++++++++++--- api/v1alpha1/step_types_test.go | 16 ++++++++++++---- examples/git/go.mod | 2 +- examples/git/go.sum | 4 ++-- runtimes/golang1-16/go.mod | 2 +- runtimes/golang1-16/go.sum | 4 ++-- 8 files changed, 34 insertions(+), 16 deletions(-) diff --git a/api/v1alpha1/container_builder.go b/api/v1alpha1/container_builder.go index 718abe0c..d5f3a4d5 100644 --- a/api/v1alpha1/container_builder.go +++ b/api/v1alpha1/container_builder.go @@ -6,13 +6,14 @@ import corev1 "k8s.io/api/core/v1" type containerBuilder corev1.Container func (b containerBuilder) init(req getContainerReq) containerBuilder { - b.Name = CtrMain + b.Env = req.env b.Image = req.runnerImage b.ImagePullPolicy = req.imagePullPolicy - b.Env = req.env - b.VolumeMounts = []corev1.VolumeMount{req.volumeMount} b.Lifecycle = req.lifecycle + b.Name = CtrMain b.Resources = standardResources + b.SecurityContext = req.securityContext + b.VolumeMounts = []corev1.VolumeMount{req.volumeMount} return b } diff --git a/api/v1alpha1/container_supplier.go b/api/v1alpha1/container_supplier.go index 21f4075d..e2cb8bc9 100644 --- a/api/v1alpha1/container_supplier.go +++ b/api/v1alpha1/container_supplier.go @@ -9,6 +9,7 @@ type getContainerReq struct { imagePullPolicy corev1.PullPolicy lifecycle *corev1.Lifecycle runnerImage string + securityContext *corev1.SecurityContext volumeMount corev1.VolumeMount } diff --git a/api/v1alpha1/step_types.go b/api/v1alpha1/step_types.go index bf13a359..a32947ef 100644 --- a/api/v1alpha1/step_types.go +++ b/api/v1alpha1/step_types.go 
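Review bot: In the container_builder.go hunk `b.SecurityContext = req.securityContext` makes the drop-all default depend entirely on the caller filling `getContainerReq.securityContext`; a nil value (any other caller of `init`, or a future request that omits the field) silently yields a container with no security context, and nothing in the builder or on the new `securityContext` field in the container_supplier.go hunk says the field is required. Consider having the builder supply the default itself when the request leaves it nil, `if b.SecurityContext == nil { b.SecurityContext = &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"all"}}} }`, or at least a field comment in container_supplier.go such as `// securityContext is required; GetPodSpec passes the pod-wide drop-all context.` The alphabetical reorder of the assignments is fine on its own, but mixing it with the functional change hides the one line that matters; a separate commit would have kept this diff to the single added assignment.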
@@ -62,6 +62,11 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec { {Name: EnvUpdateInterval, Value: req.UpdateInterval.String()}, {Name: "GODEBUG", Value: os.Getenv("GODEBUG")}, } + dropAll := &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"all"}, + }, + } return corev1.PodSpec{ Volumes: append(in.Spec.Volumes, volume, corev1.Volume{ Name: "ssh", @@ -93,7 +98,8 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec { ReadOnly: true, MountPath: "/.ssh", }), - Resources: standardResources, + Resources: standardResources, + SecurityContext: dropAll, }, }, Containers: []corev1.Container{ @@ -121,6 +127,7 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec { }, }, }, + SecurityContext: dropAll, }, in.Spec.getType().getContainer(getContainerReq{ env: []corev1.EnvVar{{Name: EnvBearerToken, Value: req.BearerToken}}, @@ -133,8 +140,9 @@ func (in Step) GetPodSpec(req GetPodSpecReq) corev1.PodSpec { }, }, }, - runnerImage: req.RunnerImage, - volumeMount: corev1.VolumeMount{Name: "var-run-argo-dataflow", MountPath: "/var/run/argo-dataflow"}, + runnerImage: req.RunnerImage, + securityContext: dropAll, + volumeMount: corev1.VolumeMount{Name: "var-run-argo-dataflow", MountPath: "/var/run/argo-dataflow"}, }), }, } diff --git a/api/v1alpha1/step_types_test.go b/api/v1alpha1/step_types_test.go index 4d0217ea..ff0c56e1 100644 --- a/api/v1alpha1/step_types_test.go +++ b/api/v1alpha1/step_types_test.go @@ -24,6 +24,11 @@ func TestStep_GetPodSpec(t *testing.T) { {Name: "GODEBUG"}, } mounts := []corev1.VolumeMount{{Name: "var-run-argo-dataflow", MountPath: "/var/run/argo-dataflow"}} + dropAll := &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"all"}, + }, + } tests := []struct { name string sepc Step 
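Review bot: `dropAll` is a single `*corev1.SecurityContext` shared by the init container, the sidecar and, through `getContainerReq`, the main container, so all three alias the same `Capabilities` struct and `Drop` slice; any later per-container adjustment (a runtime's getContainer setting `RunAsUser`, or an `append` to `Add`) would silently change the other two, and the expected spec in the step_types_test.go hunk on this line builds the same aliasing. Giving each site its own copy, `SecurityContext: dropAll.DeepCopy()` at the two container literals and `securityContext: dropAll.DeepCopy()` in the request, keeps the containers independent at negligible cost. Two smaller points: Kubernetes documentation and the restricted Pod Security Standard spell the wildcard `ALL`, and whether a given admission check accepts the lowercase `"all"` is worth confirming before relying on it, so `Drop: []corev1.Capability{"ALL"}` is the safer canonical form; and dropping capabilities alone does not cover the other restricted-profile requirements (`AllowPrivilegeEscalation` false, a non-root user), which could be set in the same context if the runner images tolerate it. GetPodSpec starts before the first hunk and ends after the last.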
@@ -69,8 +74,9 @@ func TestStep_GetPodSpec(t *testing.T) { HTTPGet: &corev1.HTTPGetAction{Path: "/ready", Port: intstr.FromInt(3569)}, }, }, - Resources: standardResources, - VolumeMounts: mounts, + Resources: standardResources, + SecurityContext: dropAll, + VolumeMounts: mounts, }, { Args: []string{"cat"}, @@ -83,8 +89,9 @@ func TestStep_GetPodSpec(t *testing.T) { Lifecycle: &corev1.Lifecycle{PreStop: &corev1.Handler{ Exec: &corev1.ExecAction{Command: []string{"/var/run/argo-dataflow/prestop"}}, }}, - Resources: standardResources, - VolumeMounts: mounts, + Resources: standardResources, + SecurityContext: dropAll, + VolumeMounts: mounts, }, }, InitContainers: []corev1.Container{ @@ -95,6 +102,7 @@ func TestStep_GetPodSpec(t *testing.T) { ImagePullPolicy: corev1.PullAlways, Name: "init", Resources: standardResources, + SecurityContext: dropAll, VolumeMounts: append(mounts, corev1.VolumeMount{ Name: "ssh", ReadOnly: true, diff --git a/examples/git/go.mod b/examples/git/go.mod index e6282a37..f5c33db7 100644 --- a/examples/git/go.mod +++ b/examples/git/go.mod @@ -2,4 +2,4 @@ module github.com/argoproj-labs/argo-dataflow/examples/git go 1.16 -require github.com/argoproj-labs/argo-dataflow v0.0.76 +require github.com/argoproj-labs/argo-dataflow v0.0.78 diff --git a/examples/git/go.sum b/examples/git/go.sum index 279fa347..feebd497 100644 --- a/examples/git/go.sum +++ b/examples/git/go.sum 
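Review bot: The three test hunks on this line (`@@ -69,8 +74,9 @@`, `@@ -83,8 +89,9 @@`, `@@ -95,6 +102,7 @@`) pin the drop-all context only as a field inside the full expected `corev1.PodSpec`, so a container added to GetPodSpec later without a security context is caught only if the expected struct is also extended by hand. A separate invariant check that walks every init container and container of the returned spec and requires `Capabilities.Drop` to hold the wildcard would catch that regression on its own; it can sit inside the existing subtest after the equality assertion. TestStep_GetPodSpec starts before the first hunk and ends after the last.
```go
// … unchanged: subtest body; spec is the corev1.PodSpec returned by GetPodSpec …
for _, c := range append(spec.InitContainers, spec.Containers...) {
	if c.SecurityContext == nil || c.SecurityContext.Capabilities == nil {
		t.Fatalf("container %q has no capability drop", c.Name)
	}
	if drop := c.SecurityContext.Capabilities.Drop; len(drop) != 1 || drop[0] != "all" {
		t.Errorf("container %q drops %v, want [all]", c.Name, drop)
	}
}
```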
@@ -70,8 +70,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antonmedv/expr v1.8.9/go.mod h1:5qsM3oLGDND7sDmQGDXHkYfkjYMUX14qsgqmHhwGEk8= -github.com/argoproj-labs/argo-dataflow v0.0.76 h1:6hTWw7P3HwC++iXMPniyoF0n6pb/J5TZ1P0/AypBCXY= -github.com/argoproj-labs/argo-dataflow v0.0.76/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k= +github.com/argoproj-labs/argo-dataflow v0.0.78 h1:SHiWGBhGttCZQ0f+wWrEHWZrFxNoQ5Y2PolPWgQ5Mlc= +github.com/argoproj-labs/argo-dataflow v0.0.78/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= diff --git a/runtimes/golang1-16/go.mod b/runtimes/golang1-16/go.mod index 05a377fa..1292dd38 100644 --- a/runtimes/golang1-16/go.mod +++ b/runtimes/golang1-16/go.mod @@ -2,4 +2,4 @@ module github.com/argoproj-labs/argo-dataflow/runtimes/golang1-16 go 1.16 -require github.com/argoproj-labs/argo-dataflow v0.0.76 +require github.com/argoproj-labs/argo-dataflow v0.0.78 diff --git a/runtimes/golang1-16/go.sum b/runtimes/golang1-16/go.sum index 279fa347..feebd497 100644 --- a/runtimes/golang1-16/go.sum +++ b/runtimes/golang1-16/go.sum 
@@ -70,8 +70,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/antonmedv/expr v1.8.9/go.mod h1:5qsM3oLGDND7sDmQGDXHkYfkjYMUX14qsgqmHhwGEk8= -github.com/argoproj-labs/argo-dataflow v0.0.76 h1:6hTWw7P3HwC++iXMPniyoF0n6pb/J5TZ1P0/AypBCXY= -github.com/argoproj-labs/argo-dataflow v0.0.76/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k= +github.com/argoproj-labs/argo-dataflow v0.0.78 h1:SHiWGBhGttCZQ0f+wWrEHWZrFxNoQ5Y2PolPWgQ5Mlc= +github.com/argoproj-labs/argo-dataflow v0.0.78/go.mod h1:6sOyg5m15KMGh4Ssb6rrcUmFEObr+woieXD1JrWAk1k= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=