[Feature] Add AllowPrivilegeEscalation to container's securityContext #450

Merged
merged 9 commits into from
Oct 25, 2020

captnbp
Contributor

@captnbp captnbp commented Oct 20, 2020

PR summary

KubeSpawner can spawn pods and containers with a securityContext field set.

The notebook container can only be set with the following security features:

  • run_as_uid
  • run_as_gid
  • fs_gid
  • supplemental_gids
  • run_privileged

But in some restrained security context, we need to disable privilege escalation for the notebook container.
By default, AllowPrivilegeEscalation is kept as True. We need a way to set it to False if needed.

Proposed change

Add allow_privilege_escalation flag to be able to set it to False.

The target flags will be:

  • run_as_uid
  • run_as_gid
  • fs_gid
  • supplemental_gids
  • run_privileged
  • allow_privilege_escalation

Who would use this feature?

People with restrained security context, even for notebook container.
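
The flags listed in the PR summary map onto Kubernetes securityContext fields at two levels (pod and container). The sketch below is an added example, not part of the pull request or KubeSpawner's own code: `build_security_contexts` and `escalation_not_disabled` are hypothetical helpers that take the PR's flag names, emit the Kubernetes field names, and reject the `privileged: true` with `allowPrivilegeEscalation: false` combination that the Kubernetes API refuses.

```python
def build_security_contexts(run_as_uid=None, run_as_gid=None, fs_gid=None,
                            supplemental_gids=None, run_privileged=False,
                            allow_privilege_escalation=True):
    """Return (pod_ctx, container_ctx) dicts keyed by Kubernetes field names.

    Hypothetical helper for illustration; not KubeSpawner's implementation.
    """
    # The Kubernetes API rejects privileged=true combined with
    # allowPrivilegeEscalation=false, so fail before building the pod.
    if run_privileged and allow_privilege_escalation is False:
        raise ValueError(
            "run_privileged=True conflicts with allow_privilege_escalation=False")

    # fsGroup and supplementalGroups are pod-level fields.
    pod_ctx = {}
    if fs_gid is not None:
        pod_ctx["fsGroup"] = int(fs_gid)
    if supplemental_gids:
        pod_ctx["supplementalGroups"] = [int(g) for g in supplemental_gids]

    # privileged and allowPrivilegeEscalation are container-level fields.
    container_ctx = {}
    if run_as_uid is not None:
        container_ctx["runAsUser"] = int(run_as_uid)
    if run_as_gid is not None:
        container_ctx["runAsGroup"] = int(run_as_gid)
    if run_privileged:
        container_ctx["privileged"] = True
    if allow_privilege_escalation is not None:
        container_ctx["allowPrivilegeEscalation"] = bool(allow_privilege_escalation)
    return pod_ctx, container_ctx


def escalation_not_disabled(pod_manifest):
    """List containers that do not explicitly set allowPrivilegeEscalation: false."""
    return [
        c["name"]
        for c in pod_manifest["spec"]["containers"]
        if (c.get("securityContext") or {}).get("allowPrivilegeEscalation") is not False
    ]


if __name__ == "__main__":
    # Constructed sample values, not taken from the pull request.
    pod_ctx, ctr_ctx = build_security_contexts(
        run_as_uid=1000, fs_gid=100, allow_privilege_escalation=False)
    manifest = {"spec": {"securityContext": pod_ctx, "containers": [
        {"name": "notebook", "securityContext": ctr_ctx},
        {"name": "sidecar"}]}}
    print(escalation_not_disabled(manifest))
```

The second helper can be run over rendered pod manifests to confirm that every container, including sidecars, carries the explicit `false`.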

@welcome

welcome bot commented Oct 20, 2020

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@captnbp
Contributor Author

captnbp commented Oct 20, 2020

Will fix failing checks tomorrow.

@yuvipanda
Collaborator

Thank you very much for the PR, @captnbp! I do this all the time to my own deployments, very highly recommended.

Will happily merge this once the tests are fixed.

@captnbp
Contributor Author

captnbp commented Oct 25, 2020

@yuvipanda all checks passed! :-)

@consideRatio consideRatio merged commit 44d638b into jupyterhub:master Oct 25, 2020
@welcome

welcome bot commented Oct 25, 2020

Congrats on your first merged pull request in this project! 🎉
Thank you for contributing, we are very proud of you! ❤️

@consideRatio
Member

consideRatio commented Oct 25, 2020

Thank you @captnbp! 🎉 ❤️ 🌻 !!
