Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new flag set-read-only-root-filesystem to set readOnlyRootFilesys… #1742

Merged
merged 1 commit into from
Aug 5, 2024
Merged

Add new flag set-read-only-root-filesystem to set readOnlyRootFilesys… #1742

merged 1 commit into from
Aug 5, 2024

Conversation

kristofferchr
Copy link
Contributor

@kristofferchr kristofferchr commented Jul 2, 2024
edited
Loading

Solves: #1741
Support to set readOnlyRootFilesystem for EventListener container

Changes

Add new flag set-read-only-root-filesystem.
Sets container securityContext readOnlyRootFilesystem to true when new flag is set to true

Prior to this it was not possible to set readOnlyRootFilesystem for EventListener container. Aligns security towards azure aks best practices and industry

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Added a new flag `el-read-only-root-filesystem` to the `tekton-triggers-controller` container. This flag, which is set to `true` by default, configures the `EventListener` container's `securityContext.readOnlyRootFilesystem` to `true`. This change aligns with Azure AKS best practices and enhances security.

@tekton-robot tekton-robot added the release-note-none Denotes a PR that doesnt merit a release note. label Jul 2, 2024
@tekton-robot tekton-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 2, 2024
@tekton-robot
Copy link

Hi @kristofferchr. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesnt merit a release note. labels Jul 2, 2024
@kristofferchr
Copy link
Contributor Author

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 2, 2024
@kristofferchr
Copy link
Contributor Author

kristofferchr commented Jul 2, 2024
edited
Loading

Unsure if this should have docs. Could not find docs for flag el-security-context

khrm
khrm reviewed Jul 3, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 3, 2024
@kristofferchr kristofferchr force-pushed the 3-set-readonlyrootfilesystem-to-true-in-securitycontext-for-podtemplate-to-eventlistener branch from 1623b5d to c2adf62 Compare July 15, 2024 11:05
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 15, 2024
@kristofferchr
Copy link
Contributor Author

@khrm and/or @savitaashture does any of you have time to spare to review this?

@khrm
Copy link
Contributor

khrm commented Jul 15, 2024

I would review this tomorrow. Sorry for the delay.

khrm
khrm reviewed Jul 17, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Thanks for the PR.

@savitaashture I think we can merge this.

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 17, 2024
@khrm
Copy link
Contributor

khrm commented Jul 24, 2024

@savitaashture Let's review this.

@savitaashture
Copy link
Contributor

Hi @kristofferchr 👋
Sorry for the delay
Will take a look at it

@kristofferchr
Copy link
Contributor Author

Hi @kristofferchr 👋

Sorry for the delay

Will take a look at it

Hi 😃 great!

savitaashture
savitaashture reviewed Jul 30, 2024
View reviewed changes
pkg/reconciler/eventlistener/resources/container.go Outdated
Comment on lines 73 to 75
if *c.SetReadOnlyRootFilesystem {
containerSecurityContext.ReadOnlyRootFilesystem = ptr.Bool(true)
}
Copy link
Contributor

@savitaashture savitaashture Jul 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we move this under SetSecurityContext block itself

I mean if SetSecurityContext

if *c.SetSecurityContext {
                if *c.SetReadOnlyRootFilesystem {
		containerSecurityContext.ReadOnlyRootFilesystem = ptr.Bool(true)
	}
		containerSecurityContext = corev1.SecurityContext{
			AllowPrivilegeEscalation: ptr.Bool(false),
			Capabilities: &corev1.Capabilities{
				Drop: []corev1.Capability{"ALL"},
			},
			RunAsNonRoot: ptr.Bool(cfg.Defaults.DefaultRunAsNonRoot),
			SeccompProfile: &corev1.SeccompProfile{
				Type: corev1.SeccompProfileTypeRuntimeDefault,
			},
		}
	}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fine by me. I will update the flag docs to note that the flag can only be used when el-security-context is set.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated @savitaashture

@kristofferchr
Add new flag set-read-only-root-filesystem to set readOnlyRootFilesys…
5311d75 
…em for EventListener

Add new flag set-read-only-root-filesystem.
Sets container securityContext readOnlyRootFilesystem to true when new flag is set to true

Prior to this it was not possible to set readOnlyRootFilesystem for EventListener container.
Aligns security towards azure aks best practices and industry
@kristofferchr kristofferchr force-pushed the 3-set-readonlyrootfilesystem-to-true-in-securitycontext-for-podtemplate-to-eventlistener branch from c2adf62 to 5311d75 Compare August 1, 2024 10:48
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Aug 1, 2024
savitaashture
savitaashture approved these changes Aug 2, 2024
View reviewed changes
Copy link
Contributor

@savitaashture savitaashture left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @kristofferchr

@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: savitaashture

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 2, 2024
@savitaashture
Copy link
Contributor

@savitaashture Let's review this.

@khrm can you do lgtm again

khrm
khrm reviewed Aug 5, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 5, 2024
@tekton-robot tekton-robot merged commit 2474af6 into tektoncd:main Aug 5, 2024
6 checks passed
@kristofferchr kristofferchr deleted the 3-set-readonlyrootfilesystem-to-true-in-securitycontext-for-podtemplate-to-eventlistener branch August 5, 2024 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@khrm khrm khrm left review comments

@savitaashture savitaashture savitaashture approved these changes

Assignees

@khrm khrm

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kristofferchr @tekton-robot @khrm @savitaashture