Kubernetes: Support allowPrivilegeEscalation and capabilities backend_options

[Aex12]

With this PR changes, we can finally run workflows in a restricted namespace in the Kubernetes backend.

Related to #5346. I wouldn't say it closes it, but improves the situation by providing means to run in a fully unprivileged namespace.

Also, I'm not sure how should I backport this to v3.13.x, I can't find the release/v3.13 branch

[qwerty287]

Thanks! Is it possible to use these options to do something dangerous that could compromise the agent? Right now I think you can use them in any pipeline. (Sorry I don't have k8s experience...)

Backport is not required.

[Aex12]

Thanks! Is it possible to use these options to do something dangerous that could compromise the agent? Right now I think you can use them in any pipeline. (Sorry I don't have k8s experience...)

Backport is not required.

@qwerty287 Currently, most kubernetes distributions run pods with allowPrivilegeEscalation: true and without dropping the default runtime Linux capabilities unless explicitly configured otherwise. That means workflows today already run with a relatively permissive security context in Kubernetes.

This PR allows users to tighten the workflow pod security context, so they can run in namespaces enforcing the Pod Security Standards.

That said, we could change this so that allowPrivilegeEscalation can only be set to false, this would allow workflow pods to run in restricted namespaces, while avoiding potential harmful behavior if on the future the default value is changed by some container runtime.

Regarding capabilities, while it's true it defaults to the the default set of capabilities granted by the container runtime, Kubernetes documents it can also be used to add non-default capabilities. We could restrict this even further by only allowing to drop capabilities.

I think this changes make sense, I'll submit a new commit with them.

[woodpecker-bot]

Surge PR preview deployment was removed

[Aex12]

Sorry @qwerty287, I forgot to relaunch the tests after my last commit. I just added a new commit that fixes the test.

SecurityContext is being set because privileged steps set the SecurityContext.Privileged field to true unless set otherwise. This was the existing behavior prior to my changes, which is preserved.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.24%. Comparing base (ff71578) to head (27f74e1).
⚠️ Report is 116 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6307      +/-   ##
==========================================
+ Coverage   34.17%   34.24%   +0.06%     
==========================================
  Files         426      426              
  Lines       28541    28562      +21     
==========================================
+ Hits         9755     9782      +27     
+ Misses      17898    17892       -6     
  Partials      888      888              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[qwerty287]

Code itself seems fine, @woodpecker-ci/maintainers could someone check out the k8s impact?

[xoxys]

@Aex12 can you rebase once again? Implementation looks good to me. @henkka @MartinSchmidt as you contributed multiple times to the K8s backend and seem to user it on a daily basis you might want to take a look as well :)

[Aex12]

Hi @xoxys, just rebased from main and squashed my commits.