defaultworkflow securitycontext is not applied #3767

Closed
juliusvonkohout opened this issue Aug 13, 2020 · 5 comments
@juliusvonkohout
Contributor

juliusvonkohout commented Aug 13, 2020

Summary

The workflowDefaults are not applied. I used https://github.com/argoproj/argo/blob/master/docs/default-workflow-specs.md as reference.

I am using Kubeflow pipelines generated workflows. I manually added the security context in the yaml file and it is correctly applied.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: sum-pipeline-
  annotations: {pipelines.kubeflow.org/kfp_sdk_version: 1.0.0, pipelines.kubeflow.org/pipeline_compilation_time: '2020-08-13T14:28:09.080167',
    pipelines.kubeflow.org/pipeline_spec: '{"inputs": [{"default": "100000", "name":
      "count", "optional": true, "type": "Integer"}], "name": "Sum pipeline"}'}
  labels: {pipelines.kubeflow.org/kfp_sdk_version: 1.0.0}
spec:
  entrypoint: sum-pipeline
  # supplementalGroups and fsGroup are pod-level PodSecurityContext fields,
  # so they belong here rather than in a container securityContext.
  securityContext:
    supplementalGroups: [1001]
    fsGroup: 1001
  templates:
  - name: print-text
    container:
      args: [--text, /tmp/inputs/text/data]
      command:
      - python3
      - -u
      - -c
      - |
        def print_text(text_path): # Kubeflows InputPath() supports strings and files
            import time
            time.sleep(15)
            '''Print file'''
            with open(text_path, 'r') as reader:
                for line in reader:
                    print(line, end = '')

        import argparse
        _parser = argparse.ArgumentParser(prog='Print text', description='')
        _parser.add_argument("--text", dest="text_path", type=str, required=True, default=argparse.SUPPRESS)
        _parsed_args = vars(_parser.parse_args())

        _outputs = print_text(**_parsed_args)
      image: python:3.7
      # container-level SecurityContext: field names are camelCase (runAsGroup, not RunAsGroup)
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
    inputs:
      artifacts:
      - {name: write-numbers-1-numbers, path: /tmp/inputs/text/data}
    metadata:
      annotations: {pipelines.kubeflow.org/component_spec: '{"implementation": {"container":
          {"args": ["--text", {"inputPath": "text"}], "command": ["python3", "-u",
          "-c", "def print_text(text_path): # Kubeflows InputPath() supports strings
          and files\n    import time\n    time.sleep(15)\n    ''''''Print file''''''\n    with
          open(text_path, ''r'') as reader:\n        for line in reader:\n            print(line,
          end = '''')\n\nimport argparse\n_parser = argparse.ArgumentParser(prog=''Print
          text'', description='''')\n_parser.add_argument(\"--text\", dest=\"text_path\",
          type=str, required=True, default=argparse.SUPPRESS)\n_parsed_args = vars(_parser.parse_args())\n\n_outputs
          = print_text(**_parsed_args)\n"], "image": "python:3.7"}}, "inputs": [{"name":
          "text"}], "name": "Print text"}', pipelines.kubeflow.org/component_ref: '{}'}
  - name: print-text-2
    container:
...
```

I tried to add a securityContext to all main/user containers of all workflows by default, but it is just ignored.

```yaml
apiVersion: v1
data:
  config: |
    {
    namespace: kubeflow,
    executorImage: gcr.io/ml-pipeline/argoexec:v2.7.5-license-compliance,
    containerRuntimeExecutor: pns,
    workflowDefaults: {
      spec: {
        container: {
          securityContext: {
            runAsUser: 1002
          }
        }
      }
    },
    artifactRepository:
...
```

Diagnostics

What version of Argo Workflows are you running? 2.7.5

workflow-controller.log

workflow.txt


Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

@alexec
Contributor

alexec commented Aug 14, 2020

The spec under workflowsDefault appears to be invalid. It must be a fully formed workflow spec.

I'm assuming you want to apply this security context to every pod? I'm not sure this is possible. It would be good to know more about your use case.
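An added example, not code from the issue or from Argo: a defender-side check over a workflow (as the controller would see it after defaults are merged) that flags user containers not guaranteed to run non-root, and flags the `spec.container` key from the issue's config, which is not a WorkflowSpec field. It assumes the standard Kubernetes rule that a container-level securityContext overrides the pod-level one field by field; the sample workflow and both defaults are constructed for the demonstration.

```python
# Added example: audit an Argo Workflow for user containers that may run as root.
# Templates are walked as plain dicts, so no YAML library is required.

# Constructed: the workflowDefaults from the issue (spec.container is not a WorkflowSpec field).
INVALID_DEFAULTS = {"spec": {"container": {"securityContext": {"runAsUser": 1002}}}}

# Constructed: a pod-level default that WorkflowSpec does accept. Caveat: a pod-level
# securityContext also applies to the argoexec wait/init containers, not only user code.
VALID_DEFAULTS = {"spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1002}}}

# Constructed sample workflow modelled on the issue's sum-pipeline (trimmed).
WORKFLOW = {
    "spec": {
        "entrypoint": "sum-pipeline",
        "templates": [
            {"name": "print-text", "container": {"image": "python:3.7",
             "securityContext": {"runAsUser": 1001, "runAsGroup": 1001}}},
            {"name": "print-text-2", "container": {"image": "python:3.7"}},
            {"name": "sum", "script": {"image": "python:3.7", "source": "print(1)"}},
            {"name": "sum-pipeline", "dag": {"tasks": []}},
        ],
    }
}


def merge_defaults(defaults, workflow):
    """Approximate workflowDefaults merging: workflow spec keys win over default spec keys."""
    spec = dict(defaults.get("spec", {}))
    spec.update(workflow.get("spec", {}))
    return {"spec": spec}


def find_root_containers(workflow):
    """Return findings for templates whose user container is not guaranteed non-root."""
    spec = workflow["spec"]
    pod_ctx = spec.get("securityContext", {})  # PodSecurityContext, a valid spec field
    findings = []
    if "container" in spec:
        findings.append("spec.container is not a WorkflowSpec field and is not applied")
    for tmpl in spec.get("templates", []):
        user = tmpl.get("container") or tmpl.get("script")
        if user is None:
            continue  # dag/steps/resource templates run no user container
        # Container-level fields override the same pod-level fields.
        ctx = {**pod_ctx, **user.get("securityContext", {})}
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            findings.append(f"template {tmpl['name']}: may run as root")
    return findings
```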

@juliusvonkohout
Contributor Author

Yes, I want to apply that security context to every user container, but not the argoexec container.
I have to treat every submitted workflow as malicious (company policy). So I have to make sure the user container does not run as root.

@alexec
Contributor

alexec commented Aug 14, 2020

This would be a new feature, but maybe you can achieve this another way?

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

@juliusvonkohout
Contributor Author

juliusvonkohout commented Aug 14, 2020

Ok, that is sad. Could you consider adding SYS_CHROOT like SYS_PTRACE to the argoexec pod, as done here #1214 ? SYS_CHROOT is needed for the PNS executor and would help to make the PSP more secure. I am currently running kubeflow pipelines including argo without!!! any root containers using PSP and manually built images.

@juliusvonkohout
Contributor Author

You are amazing! I hope you do a release soon :-)
