Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PodSecurityPolicy Config fixes to allow runnning in restricted envs. #2967

Merged
merged 1 commit into from
Aug 4, 2020
Merged

PodSecurityPolicy Config fixes to allow runnning in restricted envs. #2967

merged 1 commit into from
Aug 4, 2020

Conversation

skaegi
Copy link
Contributor

@skaegi skaegi commented Jul 19, 2020
edited
Loading

Fixes #2966

Changes

  1. Moves PSP rule from tekton-pipelines-controller-cluster-access ClusterRole to tekton-pipelines-controller Role. This reduces the scope of where the PSP can be used to prevent privilege escalation
  2. Adds PSP rule to tekton-pipelines-webhook to allow the webhook to run when only restricted PSPs are available
  3. Adds runAsNonRoot: false to the securityContext of both the controller and webhook deployments to help PSP choose a rule that will let the pods run-as-root

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • [ N/A] Includes tests (if functionality changed/added)
  • [ N/A ] Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Double check this list of stuff that's easy to miss:

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

Release Notes

The tekton-pipelines-controller and tekton-pipelines-controller are now configured to run as a non-root user. To match these reduced requirements, the tekton-pipelines PodSecurityPolicy updates its runAsUser rule to use MustRunAsNonRoot and is further tightened-up to only allow "use" in the tekton-pipelines namespace.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jul 19, 2020
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Jul 19, 2020
edited
Loading

CLA Check
The committers are authorized under a signed CLA.

@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-none Denotes a PR that doesnt merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 19, 2020
@skaegi
Copy link
Contributor Author

skaegi commented Jul 19, 2020

/kind bug

@tekton-robot tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 19, 2020
@vdemeester
Copy link
Member

/cc @gabemontero

@tekton-robot tekton-robot requested a review from gabemontero July 20, 2020 08:32
@vdemeester
Copy link
Member

@skaegi I think this needs a release-note entry other than NONE though 😛
/hold

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 20, 2020
imjasonh
imjasonh reviewed Jul 20, 2020
View reviewed changes
Copy link
Member

@imjasonh imjasonh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to release noting

config/controller.yaml Outdated Show resolved Hide resolved
dlorenc
dlorenc reviewed Jul 20, 2020
View reviewed changes
Copy link
Contributor

@dlorenc dlorenc left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this one could probably use a release note. I can't think if a good way to word it, but in case people see weird permission issues pop up it would be good to have a release note to help them track it back to this change.

@dlorenc
Copy link
Contributor

dlorenc commented Jul 20, 2020

The build error should be fixed now

/test pull-tekton-pipeline-build-tests

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesnt merit a release note. labels Jul 21, 2020
@skaegi
PodSecurityPolicy Config fixes to allow runnning in restricted envs.
e2fb678 
Fixes #2966

1. Moves PSP rule from tekton-pipelines-controller-cluster-access ClusterRole to tekton-pipelines-controller Role. This reduces the scope of where the PSP can be used to prevent privilege escalation
2. Adds PSP rule to tekton-pipelines-webhook to allow the webhook to run when only restrice PSPs are provided
3. Update controller and webhook deployments to use... `runAsUser: 1001` instead of `runAsNonRoot: false`
4. Update tekton-pipelines PSP to use `runAsUser -- rule: 'MustRunAsNonRoot'` to further restrict the controller PSP
5. Added `allowPrivilegeEscalation: false` to the deployment template securityContext for tekton-pipelines-controller to match tekton-pipelines-webhook
@skaegi
Copy link
Contributor Author

skaegi commented Jul 21, 2020

updated release notes and squashed for enhanced beauty

@vdemeester
Copy link
Member

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 22, 2020
@gabemontero
Copy link
Contributor

per the ask in AP WG today @skaegi I took another look ... more questions came up than anything else

a) first the easy one ... so far all the changes so far look fine to me, and the needs for them that you cited seem valid to me
b) now, are we interested in how more restricted the policy could be made and still have the various tekton scenarios work?
c) or have you already gone through that exercise @skaegi and this is where you landed?

If the answer to b) is "yes" and c) is "no", I might have some additional suggestions, but at first blush I'm hesitant to go down that path. But if that was your intent when you asked me to look, let me know and we can discuss.

@dlorenc
Copy link
Contributor

dlorenc commented Aug 3, 2020

/approve

This looks good to me! Thanks!

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 3, 2020
vdemeester
vdemeester reviewed Aug 4, 2020
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 4, 2020
@tekton-robot tekton-robot merged commit 9b2a92c into tektoncd:master Aug 4, 2020
gabemontero added a commit to gabemontero/triggers that referenced this pull request Aug 11, 2020
@gabemontero
WIP: port tektoncd/pipeline#2967 to triggers
e32d378
gabemontero added a commit to gabemontero/triggers that referenced this pull request Sep 8, 2020
@gabemontero
WIP: port tektoncd/pipeline#2967 to triggers
dac5547
gabemontero added a commit to gabemontero/triggers that referenced this pull request Oct 8, 2020
@gabemontero
port tektoncd/pipeline#2967 and tektoncd/pipeline#3342 to triggers
db1387d
gabemontero added a commit to gabemontero/triggers that referenced this pull request Oct 8, 2020
@gabemontero
port tektoncd/pipeline#2967 to triggers
164a6f4 
asdf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc left review comments

@imjasonh imjasonh imjasonh left review comments

@vdemeester vdemeester vdemeester left review comments

@bobcatfish bobcatfish Awaiting requested review from bobcatfish

@gabemontero gabemontero Awaiting requested review from gabemontero

Assignees

@vdemeester vdemeester

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PodSecurityPolicy Config problems running Tekton in a restricted environment
6 participants
@skaegi @vdemeester @dlorenc @gabemontero @tekton-robot @imjasonh