Using repository trust in security contexts #3538
Conversation
|
As it uses step's |
|
@zc-devs bugfix or enhancement :) |
As a user I would call #3537 a bug => bugfix. I also should have notified, that I did not test it. If code looks good, then I would request image to test by me and probably @everflux. BTW, I noticed the same error as I almost always face. This occurs not only with |
6543
added
build_pr_images
|
Happy to test it out, do you have a pullable image? |
| @@ -464,6 +480,15 @@ func mapToEnvVars(m map[string]string) []v1.EnvVar { | |||
| return ev | |||
| } | |||
|
|
|||
| func isRepoTrusted(step *types.Step) bool { | |||
| // TODO: probably, should be stored in the model (pipeline/backend/types/config.go) | |||
| trustedRepo, err := strconv.ParseBool(step.Environment["CI_REPO_TRUSTED"]) | |||
There was a problem hiding this comment.
Is it safe to read it from the env? It can't be overwritten by users?
There was a problem hiding this comment.
Is it safe to read it from the env?
¯_(ツ)_/¯
Elaborate, please.
Do you suggest to use dedicated variable in pipeline/backend/types/config.go?
What is the difference between env var (one map's entry) vs dedicated variable?
It can't be overwritten by users?
Seems, not for now, at least: #3164.
There was a problem hiding this comment.
Elaborate, please.
Do you suggest to use dedicated variable in pipeline/backend/types/config.go?
Right now I have not suggested anything :) I just asked if it is safe to read a security-related setting from an env var. If only the server can set it, and it can't be overwritten by the pipeline config, I'm fine with it, but it might increase the possibilities to become an issue in the future.
There was a problem hiding this comment.
Yes, might be an issue. Depends on #3164 implementation.
So, what are we gonna do?
There was a problem hiding this comment.
IMO, the clean solution would be to pass down the repo settings to the backend similar to Environment e.g.
Step.RepoSettings.
|
Pipeline: skip_clone: true
steps:
server:
image: alpine
commands:
- echo Hello
- sleep 60
backend_options:
kubernetes:
securityContext:
privileged: true
runAsUser: 0
runAsGroup: 0woodpecker-agent.log |
|
Thanks for looking into it this quickly. |
|
Successfully tested the prebuilt image with buildx plugin. Only setting "trusted repository" and no additional "privileged" setting on the workflow or workflow.backend level. Nice! |
IIRC running a trusted plugin (with a privileged container) shouldn't require the repository to be trusted? |
|
I would be really happy if this could be included in 2.5.0 and any further changes could be discussed separately. (For example should escalated plugins be treated as trusted implicitly, would handling of volumes differently from privileged make sense etc) |
Now, Buildx plugin should work without "trusted repository" as it was before, on |
|
Any chance this could be merged into a 2.4.x release? |
|
Probably not, but if this is merged you can use |
|
Too bad, I have a training planned on April 9th... |
|
That exists already https://hub.docker.com/layers/woodpeckerci/woodpecker-server/pull_3538-alpine/images/sha256-ed7b0918be40787a5d4293a372195b3dedab165b63d2189a0585c2e64efaf20b?context=explore |
|
Thanks for the proposal, but that won't suffice (mixed user base with apple arm64 and amd64 architectures). No worries, though, I can use drone instead, the concepts are similar enough. And I don't want to cause additional effort in any way, I was just hoping for a point release before 2.5. |
|
I would be ok merging this to allow @everflux to possible use WP on April 9th (if not too late). Besides, I am seeing the same issues on our PROD instance with more than 50+ files I would need to adapt on a mixed cluster, hence I am also having a strong need for a fix that restores 2.3.x functionality. If not everything is working percectly yet we can still iterate until 2.5.x but in the meantime allow for a workaround via @zc-devs Merging main caused some build failures now. In addition, |
|
Not perfectly working and introducing another security issue again is a difference 🙂 if we are sure reading the repo trust setting from the env var and it cant be manipulated by end users feel free to go on. |
# Conflicts: # pipeline/backend/kubernetes/pod.go
Fixed.
TBH, I don't want to put my dirty hands in the "core". And definitely won't before majority agreed on implementation or at least said something on topic. |
|
Fully agree on that but the PR should not be merged untill the majority agreed than as well. |
|
@zc-devs @xoxys It seems one conversation from you is still open (see above). How can we make progress there? If this doesn't make it into 2.5.0 (release date tomorrow), 2.5.0 will also be unusable as 2.4.x for folks coming from 2.3.x without touching many workflow files. The current situation is therefore a bit suboptimal. If we can't find an agreement, I'd also consider reverting the backend change in 2.4 and restore the 2.3 behavior and include the proposed changes of this PR in a new/updated approach? |
|
I think, Xoxys and I have met agreement. Moreover, I'm on his side in general (otherwise didn't leave the TODO).
It can be merged as is by deadline. At least I cannot develop in next few days.
You cannot. |
I know about the issue but that doesn't mean it is not revertable at all. Anyone can still run and install any WP version (even the ones including the mentioned flaws). But anyway, as this is not the main goal here, let's focus on getting this one here merged and move onward. |
|
Perhaps the release could wait for resolving this issue? |
|
As bug is fixed in #3711 and there is no solution for review's concern, I'm closing the PR for now. |
|
Tearing down https://woodpecker-ci-woodpecker-pr-3538.surge.sh |
Addresses #3537 (comment)
Require a trusted repo to be able to configure the security context similar to how the docker backend requires a trusted repo to set options like volumes, privileged, ...