From 142a62a8cf2a496249c324b8fde1f67f86fd0cfb Mon Sep 17 00:00:00 2001
From: Vishal Tak
Date: Sat, 29 Apr 2023 11:39:23 +0530
Subject: [PATCH] Set the user id, group id and file system group of kubernetes resources

Explicitly set the flags to indicate that the container should not run as root.
---
 .../workspaces/reconcile/devfile_parser.rb | 53 ++++++++++++++++++-
 .../remote_development_shared_contexts.rb | 46 ++++++++++++++++
 2 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/ee/lib/remote_development/workspaces/reconcile/devfile_parser.rb b/ee/lib/remote_development/workspaces/reconcile/devfile_parser.rb
index 07a34120223064..04473d18142f54 100644
--- a/ee/lib/remote_development/workspaces/reconcile/devfile_parser.rb
+++ b/ee/lib/remote_development/workspaces/reconcile/devfile_parser.rb
@@ -7,7 +7,7 @@ module Workspaces
 module Reconcile
 class DevfileParser
 def get_all(processed_devfile:, name:, namespace:, replicas:, domain_template:, labels:, annotations:)
- workspace_resources = Devfile::Parser.get_all(
+ workspace_resources_yaml = Devfile::Parser.get_all(
 processed_devfile,
 name,
 namespace,
@@ -17,7 +17,56 @@ def get_all(processed_devfile:, name:, namespace:, replicas:, domain_template:,
 domain_template,
 'none'
 )
- YAML.load_stream(workspace_resources)
+ workspace_resources = YAML.load_stream(workspace_resources_yaml)
+ set_security_context(workspace_resources: workspace_resources)
+ end
+
+ private
+
+ # Devfile library allows specifying the security context of pods/containers as mentioned in
+ # https://github.com/devfile/api/issues/920 through `pod-overrides` and `container-overrides` attributes.
+ # However, https://github.com/devfile/library/pull/158 which is implementing this feature,
+ # is not part of v2.2.0 which is the latest release of the devfile which is being used in the devfile-gem.
+ # TODO: Once devfile library releases a new version, update the devfile-gem and
+ # move the logic of setting the security context in the `devfile_processor` as part of workspace creation.
+ # issue https://gitlab.com/gitlab-org/gitlab/-/issues/409189
+ def set_security_context(workspace_resources:)
+ run_as_user = 1001
+ run_as_group = 1001
+ fs_group = 1001
+ workspace_resources.each do |workspace_resource|
+ next unless workspace_resource['kind'] == 'Deployment'
+
+ pod_spec = workspace_resource['spec']['template']['spec']
+ # Explicitly set security context for the pod
+ pod_spec['securityContext'] = {
+ 'runAsNonRoot' => true,
+ 'runAsUser' => run_as_user,
+ 'runAsGroup' => run_as_group,
+ 'fsGroup' => fs_group
+ }
+ # Explicitly set security context for all containers
+ pod_spec['containers'].each do |container|
+ container['securityContext'] = {
+ 'allowPrivilegeEscalation' => false,
+ 'privileged' => false,
+ 'runAsNonRoot' => true,
+ 'runAsUser' => run_as_user,
+ 'runAsGroup' => run_as_group
+ }
+ end
+ # Explicitly set security context for all init containers
+ pod_spec['initContainers'].each do |init_container|
+ init_container['securityContext'] = {
+ 'allowPrivilegeEscalation' => false,
+ 'privileged' => false,
+ 'runAsNonRoot' => true,
+ 'runAsUser' => run_as_user,
+ 'runAsGroup' => run_as_group
+ }
+ end
+ end
+ workspace_resources
 end
 end
 end
diff --git a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
index 2e985fe8160b85..df94f6736f69db 100644
--- a/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
+++ b/ee/spec/support/shared_contexts/remote_development/remote_development_shared_contexts.rb
@@ -318,6 +318,12 @@ def create_workspace_agent_info(
 volumeMounts:
 - mountPath: "/projects"
 name: gl-workspace-data
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
 initContainers:
 - args: ["if [ ! -d /projects/test-project ]; then git clone -b master #{root_url}test-group/test-project.git /projects/test-project; fi"]
 command: ["/bin/sh", "-c"]
@@ -339,6 +345,12 @@ def create_workspace_agent_info(
 volumeMounts:
 - mountPath: "/projects"
 name: gl-workspace-data
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
 - env:
 - name: EDITOR_VOLUME_DIR
 value: "/projects/.gl-editor"
@@ -359,10 +371,21 @@ def create_workspace_agent_info(
 volumeMounts:
 - mountPath: "/projects"
 name: gl-workspace-data
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
 volumes:
 - name: gl-workspace-data
 persistentVolumeClaim:
 claimName: #{workspace_name}-gl-workspace-data
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
 status:
 #{status.indent(2)}
 RESOURCES_YAML
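Review bot: The container-level `securityContext` hashes built in `set_security_context` stop short of what the Kubernetes `restricted` Pod Security Standard requires, so a namespace enforcing that profile would still reject the Deployment even after this change: the container and init-container hashes also need `'capabilities' => { 'drop' => ['ALL'] }` and `'seccompProfile' => { 'type' => 'RuntimeDefault' }` (the seccomp profile may alternatively be set once on the pod-level hash). `pod_spec['initContainers'].each` raises NoMethodError if the devfile library ever emits a Deployment without an `initContainers` key; iterating `Array(pod_spec['initContainers'])` keeps the loop total, and the two near-identical loops can be merged as shown below. Only `kind == 'Deployment'` is hardened, so any other workload kind in the stream is silently left with no security context — a comment stating that the parser is expected to emit Deployments only would document that assumption. The `YAML.load_stream` call feeding this method is presumably acceptable because the input is produced by the devfile gem rather than taken raw from the user, but if the Psych version in use does not restrict `load_stream` a comment recording that assumption is worth adding. `get_all` begins above the hunk.

```ruby
def set_security_context(workspace_resources:)
  # … unchanged: run_as_user / run_as_group / fs_group locals …
  workspace_resources.each do |workspace_resource|
    next unless workspace_resource['kind'] == 'Deployment'

    pod_spec = workspace_resource['spec']['template']['spec']
    # … unchanged: pod-level securityContext …
    # Array() tolerates a Deployment emitted without an initContainers key
    (Array(pod_spec['containers']) + Array(pod_spec['initContainers'])).each do |container|
      container['securityContext'] = {
        'allowPrivilegeEscalation' => false,
        'privileged' => false,
        'runAsNonRoot' => true,
        'runAsUser' => run_as_user,
        'runAsGroup' => run_as_group,
        # required by the `restricted` Pod Security Standard
        'capabilities' => { 'drop' => ['ALL'] },
        'seccompProfile' => { 'type' => 'RuntimeDefault' }
      }
    end
  end
  workspace_resources
end
```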
@@ -471,6 +494,12 @@ def create_config_to_apply(
 volumeMounts:
 - mountPath: "/projects"
 name: gl-workspace-data
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
 initContainers:
 - args: ["if [ ! -d /projects/test-project ]; then git clone -b master #{root_url}test-group/test-project.git /projects/test-project; fi"]
 command: ["/bin/sh", "-c"]
@@ -492,6 +521,12 @@ def create_config_to_apply(
 volumeMounts:
 - mountPath: "/projects"
 name: gl-workspace-data
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
 - env:
 - name: EDITOR_VOLUME_DIR
 value: "/projects/.gl-editor"
@@ -512,10 +547,21 @@ def create_config_to_apply(
 volumeMounts:
 - mountPath: "/projects"
 name: gl-workspace-data
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
 volumes:
 - name: gl-workspace-data
 persistentVolumeClaim:
 claimName: #{workspace_name}-gl-workspace-data
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
 status: {}
 ---
 apiVersion: v1
-- 
GitLab