Add SecurityContext to job container #1875

Merged (2 commits), Oct 17, 2023

Conversation

raulcabello (Contributor)

Make sure the gitjob pod and the job init container run in an unprivileged securityContext. The following securityContext has been added:

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  privileged: false
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL

emptyDir volume is mounted in the /tmp dir in order to prevent issues when creating temporary files as readOnlyRootFilesystem is set to true.

emptyDir volume is mounted in the /home/fleet-ci dir in order to prevent issues when creating helm config in the home directory.

refers to #1845

Signed-off-by: raul <raul.cabello@suse.com>
@raulcabello raulcabello marked this pull request as ready for review October 17, 2023 10:20
@raulcabello raulcabello requested a review from a team as a code owner October 17, 2023 10:20
},
{
Name: emptyDirHomeVolumeName,
MountPath: "/home/fleet-apply",
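Review bot: the mount path `/home/fleet-apply` in this snippet does not match the `/home/fleet-ci` directory named in the PR description; one of the two should be corrected so the description documents what is actually mounted. Mounting the emptyDir at that path also does not by itself make it the process's home directory, so helm may still try to write its config elsewhere on the read-only root filesystem; set `HOME` explicitly to the same path on the container.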
@aruiz14 (Contributor), Oct 17, 2023:

Discussed offline: I believe we should not assume the user running the container will configure /home/fleet-apply as the home. Better to explicitly set the HOME env variable as well.


@raulcabello (Contributor, Author):

added in 73b3e1a

@raulcabello (Contributor, Author):

it is now in an env var, so it doesn't break if we change it in the Dockerfile
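The pod hardening described in the PR description, together with the HOME environment variable point raised in the review thread above, as an added example (not the project's own code): a small Python audit that checks every container of a pod spec for the PR's securityContext settings and, when the root filesystem is read-only, verifies that /tmp and the directory HOME points at are backed by emptyDir mounts. It goes slightly beyond the PR by also flagging a container that sets readOnlyRootFilesystem without the writable mounts. The pod specs at the bottom are constructed for illustration and the container names, volume names and mount paths in them are assumptions; field names follow the Kubernetes core/v1 API.

```python
"""Audit a Kubernetes pod spec for the hardening applied in this PR.

Added example, not the project's code. The pod specs at the bottom are
constructed for illustration; field names follow the Kubernetes core/v1 API.
"""
from typing import Iterable

# Boolean securityContext fields a hardened container must set, as in the PR.
REQUIRED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "privileged": False,
    "runAsNonRoot": True,
}


def emptydir_mounts(pod_spec: dict, container: dict) -> set:
    """Mount paths in `container` that are backed by an emptyDir volume of the pod."""
    emptydir_names = {v["name"] for v in pod_spec.get("volumes", []) if "emptyDir" in v}
    return {m["mountPath"] for m in container.get("volumeMounts", [])
            if m.get("name") in emptydir_names}


def audit_container(pod_spec: dict, container: dict,
                    writable_paths: Iterable[str] = ("/tmp",)) -> list:
    """Return a list of findings (empty when the container matches the PR's hardening)."""
    name = container["name"]
    sc = container.get("securityContext") or {}
    findings = []
    for key, want in REQUIRED_SECURITY_CONTEXT.items():
        if sc.get(key) is not want:
            findings.append(f"{name}: securityContext.{key} should be {want}, got {sc.get(key)!r}")
    if (sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        findings.append(f"{name}: seccompProfile.type should be RuntimeDefault")
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        findings.append(f"{name}: capabilities.drop must include ALL")
    if not sc.get("readOnlyRootFilesystem"):
        return findings
    # With a read-only root filesystem every directory the process writes to
    # (temp files, helm's config under $HOME) needs a writable mount; the PR uses emptyDir.
    mounts = emptydir_mounts(pod_spec, container)
    for path in writable_paths:
        if path not in mounts:
            findings.append(f"{name}: readOnlyRootFilesystem is set but {path} has no emptyDir mount")
    home = next((e.get("value") for e in container.get("env", []) if e.get("name") == "HOME"), None)
    if home is None:
        # A mount alone does not make a path the home directory; HOME must be set explicitly.
        findings.append(f"{name}: HOME is not set explicitly")
    elif home not in mounts:
        findings.append(f"{name}: HOME={home} is not backed by an emptyDir mount")
    return findings


def audit_pod(pod_spec: dict) -> list:
    """Audit init containers and regular containers alike."""
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return [f for c in containers for f in audit_container(pod_spec, c)]


HARDENED_SC = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "privileged": False,
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}

# Constructed spec mirroring the PR: hardened context, emptyDir for /tmp and the home dir, HOME set.
# Container, volume and path names here are assumptions for the example.
HARDENED_POD = {
    "volumes": [{"name": "tmp", "emptyDir": {}}, {"name": "home", "emptyDir": {}}],
    "initContainers": [{
        "name": "fleet-apply",
        "securityContext": dict(HARDENED_SC),
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                         {"name": "home", "mountPath": "/home/fleet-apply"}],
        "env": [{"name": "HOME", "value": "/home/fleet-apply"}],
    }],
    "containers": [{
        "name": "step",
        "securityContext": dict(HARDENED_SC),
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                         {"name": "home", "mountPath": "/home/fleet-apply"}],
        "env": [{"name": "HOME", "value": "/home/fleet-apply"}],
    }],
}

# Constructed spec with no securityContext at all.
UNHARDENED_POD = {"containers": [{"name": "step"}]}

# Constructed spec that sets readOnlyRootFilesystem but forgets the writable mounts and HOME.
READONLY_WITHOUT_MOUNTS_POD = {
    "containers": [{"name": "step", "securityContext": dict(HARDENED_SC)}],
}

if __name__ == "__main__":
    for label, spec in [("hardened", HARDENED_POD), ("unhardened", UNHARDENED_POD),
                        ("readonly-without-mounts", READONLY_WITHOUT_MOUNTS_POD)]:
        print(label, audit_pod(spec) or "OK")
```

The third constructed spec is the failure mode the PR description warns about: once readOnlyRootFilesystem is true, a container with no emptyDir under /tmp and no explicit HOME fails the audit even though every other securityContext field is set correctly.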

weyfonk previously approved these changes Oct 17, 2023

Home dir needs to be mounted, so we can write, as readOnlyRootFilesystem is true

Signed-off-by: raul <raul.cabello@suse.com>
@manno manno merged commit e1a4fa8 into rancher:master Oct 17, 2023
@manno (Member) commented Oct 17, 2023:

/backport v2.8.0 release/v0.9
