-
-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simple security context options (Kubernetes) #2550
Simple security context options (Kubernetes) #2550
Conversation
@dominic-p, could you test it and maybe write some docs? |
3e9089f
to
d6f06ec
Compare
Thanks for working on this! Yes, I'd be happy to test and write up some docs. Two questions:
|
@dominic-p I approved the pipeline to run now. |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2550 +/- ##
==========================================
- Coverage 34.03% 33.88% -0.16%
==========================================
Files 217 217
Lines 13825 13890 +65
==========================================
+ Hits 4706 4707 +1
- Misses 8746 8809 +63
- Partials 373 374 +1 ☔ View full report in Codecov by Sentry. |
@qwerty287 thanks for doing that. I was able to test the PR. Here's what I'm seeing:
backend_options:
kubernetes:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containerSecurityContext:
runAsUser: 1000 That said, my vote would be to just support setting the Pod level
|
I wonder how much we want to bake into the |
@dominic-p, you're right 1, 2. I did it yesterday, but faced issue with stucking pipeline. I'm figuring it out now. I made one security context:
@pat-s, why should it be ported to the helm chart?
Do you mean, I should add
¯_(ツ)_/¯ Probably, all Kube spec 🤣 Seriously, at least I plan to add seccomp and AppArmor. @dominic-p, what of simple SC options (above) do you need and what we can get rid of (except |
1e682fa
to
caf8db3
Compare
Added Pipeline:
Pod:
|
Yes. I think in 99% of all cases you want to have these options set on the instance level and not on the step level. Individual overrides are always good to have though. I think we should add all options at the same time, otherwise people will start to use this notation at first as there are no global options available.
Fair enough. Again, having them on the step level is certainly not bad for granular config. |
@zc-devs for my use case I just need I would hesitate to combine Pod and container level config in the same object just because as a user I wouldn't be sure which one I was setting. That said, it's probably mostly a matter of style/preference in a single container Pod. As for global options in the helm chart, I agree with @zc-devs. If I have multiple steps running in different containers, it's very unlikely that they are all going to need to run as the same UID/GID, for instance. I would still need to configure/override some of the settings at the |
Test with
Error:
Pod:
Pod:
|
It's abstraction here which doesn't have to match 1:1 with Kubernetes. Also as a step is a pod with only one container now, there is no reason to make things more complex.
Agree, it doesn't make sense to have user and group options agent-wide. Consider this, I added only
Then Pod Security Admission will help, I think. |
@zc-devs that all makes sense to me. If we run the CI again, I can smoke test the revisions on my cluster. Once everyone's settled on the semantics for the config I can submit a PR with some docs. |
@pat-s, could you add |
…ontext # Conflicts: # pipeline/schema/schema.json
for more information, see https://pre-commit.ci
@zc-devs Your PR images are finally ready! |
Thanks. |
Sorry for the radio silence here. I've been stuck working on a pretty consuming project the last couple weeks. That's wrapping up now, so I should be able to test this in the next day or two. |
Ok, I was finally able to test this tonight. It looks good to me. I'm still not able to run my particular pipeline as we're still missing AppArmor functionality, but the security context setting seem to be working as expected. Thanks so much for your work on this. Did you want me to take a stab at some documentation on this for the website? |
Yeah, that would be great! |
The new docs explain how to use the recently introduced kubernetes backend option to set the security context for pipeline steps. See woodpecker-ci#2550
Deployment of preview was successful: https://woodpecker-ci-woodpecker-pr-2550.surge.sh |
@qwerty287, could you review again? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, looks good so far. Didn't test. And as I wrote already on other PR: I can't really say something about kubernetes-specific stuff
I'm merging now. If there are still issues we can fix them later |
The new docs explain how to use the recently introduced kubernetes backend option to set the security context for pipeline steps. See #2550 --------- Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
## [2.1.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/2.1.0) - 2023-12-26 ### ✨ Features - Add pull request closed event [[#2684](#2684)] - Add depends_on support for steps [[#2771](#2771)] - gitlab: support nested repos [[#2981](#2981)] - Support go plugins for forges and agent backends [[#2751](#2751)] ### 📈 Enhancement - Show default branch on top [[#3019](#3019)] - Support more addon types [[#2984](#2984)] - Hide PR tab if PRs are disabled [[#3004](#3004)] - Switch to ULID [[#2986](#2986)] - Ignore pipelines without config [[#2949](#2949)] - Link labels to input and select [[#2974](#2974)] - Register Agent with hostname [[#2936](#2936)] - Update slogan & logo [[#2962](#2962)] - Improve error handling when activating a repository [[#2965](#2965)] - Add check for storage where repo/org name is empty [[#2968](#2968)] - Update pipeline icons [[#2783](#2783)] - Kubernetes refactor [[#2794](#2794)] - Export changed files via builtin environment variables [[#2935](#2935)] - Show secrets from org and global level [[#2873](#2873)] - Only update pipelineStatus in one place [[#2952](#2952)] - Rename `engine` to `backend` [[#2950](#2950)] - Add linting for `log.Fatal()` [[#2946](#2946)] - Remove separate root path config [[#2943](#2943)] - init CI_COMMIT_TAG if commit ref is a tag [[#2934](#2934)] - Update go module path for major version 2 [[#2905](#2905)] - Unify date/time dependencies [[#2891](#2891)] - Add linting for `any` [[#2893](#2893)] - Fix vite deprecations [[#2885](#2885)] - Migrate to Xormigrate [[#2711](#2711)] - Simple security context options (Kubernetes) [[#2550](#2550)] - Changes PullRequest Index to ForgeRemoteID type [[#2823](#2823)] ### 🐛 Bug Fixes - Hide queue visualization if nothing to show [[#3003](#3003)] - fix and lint swagger file [[#3007](#3007)] - Fix IPv6 host aliases for kubernetes [[#2992](#2992)] - Fix cli lint throwing error on warnings [[#2995](#2995)] - Fix static file caching [[#2975](#2975)] - Gitea driver: ignore GetOrg error if we get a valid user. [[#2967](#2967)] - feat(k8s): Add a port name to service definition [[#2933](#2933)] - Fix error container overflow [[#2957](#2957)] - ignore some errors on repairAllRepos [[#2792](#2792)] - Allow to restart pipelines that has warnings [[#2939](#2939)] - Fix skipped pipelines model [[#2923](#2923)] - fix: Add `backend_options` to service linter entry [[#2930](#2930)] - Fix flags added multiple times [[#2914](#2914)] - Fix schema validation with array syntax for clone and services [[#2920](#2920)] - Fix prometheus docs [[#2919](#2919)] - Fix podman agent container in v2 [[#2897](#2897)] - Fix bitbucket org fetching [[#2874](#2874)] - Only deploy docs on `main` [[#2892](#2892)] - Fix pipeline-related environment [[#2876](#2876)] - Fix version check partially [[#2871](#2871)] - Fix unregistering agents when using agent tokens [[#2870](#2870)] ### 📚 Documentation - [Awesome Woodpecker] added yet another autoscaler [[#3011](#3011)] - Add cookbook blog and improve docs [[#3002](#3002)] - Replace multi-pipelines with workflows on docs frontpage [[#2990](#2990)] - Update README badges [[#2956](#2956)] - Update 20-kubernetes.md [[#2927](#2927)] - Add release documentation to CONTRIBUTING [[#2917](#2917)] - Add nix-attic plugin to the index [[#2889](#2889)] - Add usage with Tunnelmole to docs [[#2881](#2881)] - Improve code blocks in docs [[#2879](#2879)] - Add a blog post [[#2877](#2877)] - Add documentation on Kubernetes securityContext [[#2822](#2822)] - Add default page to categories [[#2869](#2869)] - Use same format for Github docs as used for the other forges [[#2866](#2866)] ### Misc - chore(deps): update dependency isomorphic-dompurify to v2 [[#3001](#3001)] - fix(deps): update dependency @intlify/unplugin-vue-i18n to v2 [[#2998](#2998)] - Fix go in gitpod [[#2973](#2973)] - fix(deps): update module google.golang.org/grpc to v1.60.1 [[#2969](#2969)] - chore(deps): update docker.io/alpine docker tag to v3.19 [[#2970](#2970)] - Fix broken gated repos [[#2959](#2959)] - fix(deps): update golang (packages) [[#2958](#2958)] - Update docker.io/techknowlogick/xgo Docker tag to go-1.21.5 [[#2926](#2926)] - Update docker.io/golang Docker tag to v1.21.5 [[#2925](#2925)] - Lock file maintenance [[#2910](#2910)] - Update web npm deps non-major [[#2909](#2909)] - Update docs npm deps non-major [[#2908](#2908)] - Update golang (packages) [[#2904](#2904)] - Update module github.com/google/go-github/v56 to v57 [[#2899](#2899)] - Update dependency marked to v11 [[#2898](#2898)] - Update dependency vite-svg-loader to v5 [[#2837](#2837)] - Update golang (packages) [[#2894](#2894)] - Update web npm deps non-major [[#2895](#2895)] - Update web npm deps non-major [[#2884](#2884)] - Update docker.io/woodpeckerci/plugin-docker-buildx Docker tag to v2.2.1 [[#2883](#2883)]
Part of #2545
Adds security context options:
privileged
,runAsUser
,runAsGroup
,runAsNonRoot
,readOnlyRootFilesystem
,allowPrivilegeEscalation
.Pipeline:
Log:
Pod:
Step output: