From e8f2ebdbaf761a24171204f07d866d56eceb4187 Mon Sep 17 00:00:00 2001
From: Denys Vitali
Date: Mon, 19 Sep 2022 20:24:15 +0200
Subject: [PATCH 1/5] feat(plugins/k8s): add security_context option for on-demand runners

Certain locked down Kubernetes clusters require the users to run containers in an unprivileged mode, and enforce this by checking that the Pod SecurityContext settings do include stuff like `runAsNonRoot: true`. This commit adds support for custom SecurityContexts, so that unprivileged runners can be dynamically spawned.

---
 builtin/k8s/platform.go | 1 +
 builtin/k8s/task.go     | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/builtin/k8s/platform.go b/builtin/k8s/platform.go
index c0b7e10f6bc..6ff47e19269 100644
--- a/builtin/k8s/platform.go
+++ b/builtin/k8s/platform.go
@@ -1529,6 +1529,7 @@ type Container struct {
 // PodSecurityContext describes the security config for the Pod
 type PodSecurityContext struct {
 	RunAsUser    *int64 `hcl:"run_as_user"`
+	RunAsGroup   *int64 `hcl:"run_as_group"`
 	RunAsNonRoot *bool  `hcl:"run_as_non_root"`
 	FsGroup      *int64 `hcl:"fs_group"`
 }
diff --git a/builtin/k8s/task.go b/builtin/k8s/task.go
index 3a56cf01aae..3487f19348a 100644
--- a/builtin/k8s/task.go
+++ b/builtin/k8s/task.go
@@ -88,6 +88,9 @@ type TaskLauncherConfig struct {
 	// wordy because it's only for the WatchTask timing out waiting for the pod
 	// its watching to start up before it attempts to stream its logs.
 	WatchTaskStartupTimeoutSeconds int `hcl:"watchtask_startup_timeout_seconds,optional"`
+
+	// The Pod Security Context to apply
+	SecurityContext *PodSecurityContext `hcl:"security_context,optional"`
 }
 
 func (p *TaskLauncher) Documentation() (*docs.Documentation, error) {
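Review bot: The new `RunAsGroup` field in PodSecurityContext has no doc comment, and the regenerated docs in the later commit show the consequence: platform-kubernetes.json carries `"Synopsis": ""` for `run_as_group`, and the mdx gets a bare `###### pod.security_context.run_as_group` heading with only a type line, whereas the sibling fields are described. A comment in the style of the neighbouring fields, e.g. `// RunAsGroup is the primary GID the pod's containers run as; maps to PodSecurityContext.RunAsGroup.`, would be picked up by the generator. Separately, if this struct is decoded with gohcl, an attribute tag without `,optional` makes the attribute required, so an existing `security_context` block that does not set `run_as_group` would stop decoding after the upgrade; the siblings use the same tag form, so either that is handled elsewhere or `hcl:"run_as_group,optional"` is the safer choice — worth confirming before release.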
@@ -379,6 +382,17 @@ func (p *TaskLauncher) StartTask(
 		}
 	}
 
+	var securityContext *corev1.PodSecurityContext = nil
+	podSc := p.config.SecurityContext
+	if podSc != nil {
+		securityContext = &corev1.PodSecurityContext{
+			RunAsUser:    podSc.RunAsUser,
+			RunAsGroup:   podSc.RunAsGroup,
+			RunAsNonRoot: podSc.RunAsNonRoot,
+			FSGroup:      podSc.FsGroup,
+		}
+	}
+
 	resourceRequirements := corev1.ResourceRequirements{
 		Limits:   resourceLimits,
 		Requests: resourceRequests,
@@ -428,6 +442,7 @@ func (p *TaskLauncher) StartTask(
 					Containers:       []corev1.Container{container},
 					ImagePullSecrets: pullSecrets,
 					RestartPolicy:    corev1.RestartPolicyOnFailure,
+					SecurityContext:  securityContext,
 				},
 			},
 		},
From 6e4e33c2518d883d03e879d79988aca170fb2d53 Mon Sep 17 00:00:00 2001
From: Denys Vitali
Date: Mon, 19 Sep 2022 20:30:15 +0200
Subject: [PATCH 2/5] chore: add changelog entry

---
 .changelog/3903.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/3903.txt

diff --git a/.changelog/3903.txt b/.changelog/3903.txt
new file mode 100644
index 00000000000..ced2c462bb6
--- /dev/null
+++ b/.changelog/3903.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+plugins/k8s: Add `security_context` to the TaskLauncherConfig (on-demand runner configuration)
+```
From 8d714495cd035392b71a54954996b9ac2c59721b Mon Sep 17 00:00:00 2001
From: Denys Vitali
Date: Tue, 20 Sep 2022 10:25:29 +0200
Subject: [PATCH 3/5] fix(plugins/k8s): use block for security_context

---
 builtin/k8s/task.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/k8s/task.go b/builtin/k8s/task.go
index 3487f19348a..c07d1b70f70 100644
--- a/builtin/k8s/task.go
+++ b/builtin/k8s/task.go
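Review bot: The conversion from the HCL-facing `PodSecurityContext` to `corev1.PodSecurityContext` is written inline in StartTask, and if the platform deployment path in platform.go performs the same conversion (not visible here) the two field lists can drift — precisely the risk this commit illustrates by adding `RunAsGroup`, which must now be remembered at every conversion site. A nil-safe method on `PodSecurityContext` gives both call sites one field list to maintain, and it also removes the `var securityContext *corev1.PodSecurityContext = nil` declaration, which Go convention writes without the explicit `= nil`. StartTask begins and ends outside this hunk, so the replacement below only covers the added block.
```go
// toK8s converts the HCL-level PodSecurityContext into the corev1 form.
// A nil receiver yields nil so callers can pass the result straight into a PodSpec.
func (s *PodSecurityContext) toK8s() *corev1.PodSecurityContext {
	if s == nil {
		return nil
	}
	return &corev1.PodSecurityContext{
		RunAsUser:    s.RunAsUser,
		RunAsGroup:   s.RunAsGroup,
		RunAsNonRoot: s.RunAsNonRoot,
		FSGroup:      s.FsGroup,
	}
}

// … in StartTask, replacing the var/podSc/if block …
securityContext := p.config.SecurityContext.toK8s()
// … unchanged: resourceRequirements and the rest of the pod build …
```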
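Review bot: Only the pod-level security context is wired into the PodSpec at the added `SecurityContext: securityContext,` line; `corev1.PodSecurityContext` carries no container-level settings such as `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or dropped capabilities, which the restricted cluster policies the commit message describes commonly check as well, so such a cluster may still refuse the runner pod even with `run_as_non_root = true`. A comment on the added line, `// Pod-level only; container-level SecurityContext fields are left at their defaults.`, would make that limitation visible, and a follow-up could expose the container-level fields on the `container` value built earlier in StartTask (outside this hunk). The enclosing PodSpec literal and StartTask continue beyond the hunk.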
@@ -89,8 +89,8 @@ type TaskLauncherConfig struct { // its watching to start up before it attempts to stream its logs. WatchTaskStartupTimeoutSeconds int `hcl:"watchtask_startup_timeout_seconds,optional"` - // The Pod Security Context to apply - SecurityContext *PodSecurityContext `hcl:"security_context,optional"` + // The PodSecurityContext to apply to the pod + SecurityContext *PodSecurityContext `hcl:"security_context,block"` } func (p *TaskLauncher) Documentation() (*docs.Documentation, error) { From 2033a9593e36cef72d0fa695b206a85abaa1807a Mon Sep 17 00:00:00 2001 From: krantzinator <8461333+krantzinator@users.noreply.github.com> Date: Tue, 20 Dec 2022 12:53:32 -0500 Subject: [PATCH 4/5] make gen/website-mdx --- embedJson/gen/platform-kubernetes.json | 11 +++++++++++ embedJson/gen/task-kubernetes.json | 11 +++++++++++ .../partials/components/platform-kubernetes.mdx | 4 ++++ .../content/partials/components/task-kubernetes.mdx | 4 ++++ 4 files changed, 30 insertions(+) diff --git a/embedJson/gen/platform-kubernetes.json b/embedJson/gen/platform-kubernetes.json index be9abbd32eb..34bf38b33e7 100644 --- a/embedJson/gen/platform-kubernetes.json +++ b/embedJson/gen/platform-kubernetes.json @@ -632,6 +632,17 @@ "Category": false, "SubFields": null }, + { + "Field": "run_as_group", + "Type": "int64", + "Synopsis": "", + "Summary": "", + "Optional": false, + "Default": "", + "EnvVar": "", + "Category": false, + "SubFields": null + }, { "Field": "run_as_non_root", "Type": "bool", diff --git a/embedJson/gen/task-kubernetes.json b/embedJson/gen/task-kubernetes.json index 11971f0bf20..f2cc50d7142 100644 --- a/embedJson/gen/task-kubernetes.json +++ b/embedJson/gen/task-kubernetes.json 
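Review bot: After this tag change the regenerated documentation presents `security_context` as a required parameter — task-kubernetes.json records `"Optional": false` and the task-kubernetes.mdx hunk places the `#### security_context` heading above the "Optional Parameters" section — although, if the block is decoded with gohcl, a pointer-typed block field is optional and the launcher keeps working without it, as the nil check in StartTask shows. This presumably happens because the doc generator derives optionality from the `optional` tag flag that this tag no longer carries; whichever mechanism the generator uses to mark optional blocks should be applied here so operators are not told the block is mandatory. The rest of TaskLauncherConfig is outside the hunk.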
@@ -129,6 +129,17 @@ "EnvVar": "", "Category": false, "SubFields": null + }, + { + "Field": "security_context", + "Type": "k8s.PodSecurityContext", + "Synopsis": "", + "Summary": "", + "Optional": false, + "Default": "", + "EnvVar": "", + "Category": false, + "SubFields": null } ], "type": "task", diff --git a/website/content/partials/components/platform-kubernetes.mdx b/website/content/partials/components/platform-kubernetes.mdx index df9a158f194..fb9b4103446 100644 --- a/website/content/partials/components/platform-kubernetes.mdx +++ b/website/content/partials/components/platform-kubernetes.mdx @@ -204,6 +204,10 @@ A special supplemental group that applies to all containers in a pod. - Type: **int64** +###### pod.security_context.run_as_group + +- Type: **int64** + ###### pod.security_context.run_as_non_root Indicates that the container must run as a non-root user. diff --git a/website/content/partials/components/task-kubernetes.mdx b/website/content/partials/components/task-kubernetes.mdx index 5fbc51ea4c0..42d6ffec9dc 100644 --- a/website/content/partials/components/task-kubernetes.mdx +++ b/website/content/partials/components/task-kubernetes.mdx @@ -40,6 +40,10 @@ Memory resource request to be added to the task container. - Type: **k8s.ResourceConfig** +#### security_context + +- Type: **k8s.PodSecurityContext** + ### Optional Parameters These parameters are used in the [`use` stanza](/waypoint/docs/waypoint-hcl/use) for this plugin. From 2bcf414143319a540f832289c0283fc46df0d7b5 Mon Sep 17 00:00:00 2001 From: krantzinator <8461333+krantzinator@users.noreply.github.com> Date: Tue, 20 Dec 2022 12:55:31 -0500 Subject: [PATCH 5/5] update changelog pr number --- .changelog/{3903.txt => 4346.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .changelog/{3903.txt => 4346.txt} (100%) diff --git a/.changelog/3903.txt b/.changelog/4346.txt similarity index 100% rename from .changelog/3903.txt rename to .changelog/4346.txt