feat: set the seccomp profile for artifact gc to runtimedefault

Signed-off-by: Lukas Hankeln <lukashankeln@googlemail.com>
argoproj · May 11, 2024 · c2a5458 · c2a5458
1 parent a4fc318
commit c2a5458
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 34 deletions.
diff --git a/test/e2e/executor_plugins_test.go b/test/e2e/executor_plugins_test.go
@@ -39,8 +39,9 @@ func (s *ExecutorPluginsSuite) TestTemplateExecutor() {
 				spec := pod.Spec
 				assert.Equal(t, pointer.Bool(false), spec.AutomountServiceAccountToken)
 				assert.Equal(t, &apiv1.PodSecurityContext{
-					RunAsUser:    pointer.Int64(8737),
-					RunAsNonRoot: pointer.Bool(true),
+					RunAsUser:      pointer.Int64(8737),
+					RunAsNonRoot:   pointer.Bool(true),
+					SeccompProfile: &v1.SeccompProfile{Type: "RuntimeDefault"}
 				}, spec.SecurityContext)
 				if assert.Len(t, spec.Volumes, 4) {
 					assert.Contains(t, spec.Volumes[0].Name, "kube-api-access-")
@@ -72,6 +73,7 @@ func (s *ExecutorPluginsSuite) TestTemplateExecutor() {
 								AllowPrivilegeEscalation: pointer.Bool(false),
 								ReadOnlyRootFilesystem:   pointer.Bool(true),
 								Capabilities:             &apiv1.Capabilities{Drop: []apiv1.Capability{"ALL"}},
+								SeccompProfile: 		  &v1.SeccompProfile{Type: "RuntimeDefault"}
 							}, agent.SecurityContext)
 						}
 					}

diff --git a/workflow/common/security_context.go b/workflow/common/security_context.go
@@ -0,0 +1,26 @@
+package common
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
+)
+
+func MinimalCtrSC() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+		Privileged:               pointer.Bool(false),
+		RunAsNonRoot:             pointer.Bool(true),
+		RunAsUser:                pointer.Int64(8737),
+		ReadOnlyRootFilesystem:   pointer.Bool(true),
+		AllowPrivilegeEscalation: pointer.Bool(false),
+		SeccompProfile:           &corev1.SeccompProfile{Type: "RuntimeDefault"},
+	}
+}
+
+func MinimalPodSC() *corev1.PodSecurityContext {
+	return &corev1.PodSecurityContext{
+		RunAsNonRoot:   pointer.Bool(true),
+		RunAsUser:      pointer.Int64(8737),
+		SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
+	}
+}
diff --git a/workflow/controller/agent.go b/workflow/controller/agent.go
@@ -174,15 +174,7 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
 		Image:           woc.controller.executorImage(),
 		ImagePullPolicy: woc.controller.executorImagePullPolicy(),
 		Env:             envVars,
-		SecurityContext: &apiv1.SecurityContext{
-			Capabilities: &apiv1.Capabilities{
-				Drop: []apiv1.Capability{"ALL"},
-			},
-			RunAsNonRoot:             pointer.Bool(true),
-			RunAsUser:                pointer.Int64(8737),
-			ReadOnlyRootFilesystem:   pointer.Bool(true),
-			AllowPrivilegeEscalation: pointer.Bool(false),
-		},
+		SecurityContext: common.MinimalCtrSC(),
 		Resources: apiv1.ResourceRequirements{
 			Requests: map[apiv1.ResourceName]resource.Quantity{
 				"cpu":    resource.MustParse("10m"),
@@ -221,12 +213,9 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
 			},
 		},
 		Spec: apiv1.PodSpec{
-			RestartPolicy:    apiv1.RestartPolicyOnFailure,
-			ImagePullSecrets: woc.execWf.Spec.ImagePullSecrets,
-			SecurityContext: &apiv1.PodSecurityContext{
-				RunAsNonRoot: pointer.Bool(true),
-				RunAsUser:    pointer.Int64(8737),
-			},
+			RestartPolicy:                apiv1.RestartPolicyOnFailure,
+			ImagePullSecrets:             woc.execWf.Spec.ImagePullSecrets,
+			SecurityContext:              common.MinimalPodSC(),
 			ServiceAccountName:           serviceAccountName,
 			AutomountServiceAccountToken: pointer.Bool(false),
 			Volumes:                      podVolumes,

diff --git a/workflow/controller/artifact_gc.go b/workflow/controller/artifact_gc.go
@@ -431,7 +431,8 @@ func (woc *wfOperationCtx) createArtifactGCPod(ctx context.Context, strategy wfv
 			OwnerReferences: ownerReferences,
 		},
 		Spec: corev1.PodSpec{
-			Volumes: volumes,
+			Volumes:         volumes,
+			SecurityContext: common.MinimalPodSC(),
 			Containers: []corev1.Container{
 				{
 					Name:            common.MainContainerName,
@@ -444,14 +445,7 @@ func (woc *wfOperationCtx) createArtifactGCPod(ctx context.Context, strategy wfv
 					// if this pod is breached by an attacker we:
 					// * prevent installation of any new packages
 					// * modification of the file-system
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
-						Privileged:               pointer.Bool(false),
-						RunAsNonRoot:             pointer.Bool(true),
-						RunAsUser:                pointer.Int64(8737),
-						ReadOnlyRootFilesystem:   pointer.Bool(true),
-						AllowPrivilegeEscalation: pointer.Bool(false),
-					},
+					SecurityContext: common.MinimalCtrSC(),
 					// if this pod is breached by an attacker these limits prevent excessive CPU and memory usage
 					Resources: corev1.ResourceRequirements{
 						Limits: map[corev1.ResourceName]resource.Quantity{

diff --git a/workflow/controller/workflowpod.go b/workflow/controller/workflowpod.go
@@ -685,14 +685,9 @@ func (woc *wfOperationCtx) newExecContainer(name string, tmpl *wfv1.Template) *a
 	}
 	// lock down resource pods by default
 	if tmpl.GetType() == wfv1.TemplateTypeResource && exec.SecurityContext == nil {
-		exec.SecurityContext = &apiv1.SecurityContext{
-			Capabilities: &apiv1.Capabilities{
-				Drop: []apiv1.Capability{"ALL"},
-			},
-			RunAsNonRoot:             pointer.Bool(true),
-			RunAsUser:                pointer.Int64(8737),
-			AllowPrivilegeEscalation: pointer.Bool(false),
-		}
+		exec.SecurityContext = common.MinimalCtrSC()
+		// TODO: always set RO FS once #10787 is fixed
+		exec.SecurityContext.ReadOnlyRootFilesystem = nil
 		if exec.Name != common.InitContainerName && exec.Name != common.WaitContainerName {
 			exec.SecurityContext.ReadOnlyRootFilesystem = pointer.Bool(true)
 		}