Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SecurityContext to reconciled Deployment #862

Merged
merged 1 commit into from
Dec 15, 2020
Merged

Add SecurityContext to reconciled Deployment #862

merged 1 commit into from
Dec 15, 2020

Conversation

MarcelMue
Copy link
Member

@MarcelMue MarcelMue commented Dec 14, 2020
edited
Loading

Changes

Adds a SecurityContext to the created Deployment - changes match those suggested here: #781

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
    - [x] Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

Add a security context on event listener deployments to prevent issues with restrictive default PSPs.

@tekton-robot tekton-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Dec 14, 2020
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Dec 14, 2020
edited
Loading

CLA Signed

The committers are authorized under a signed CLA.

@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Dec 14, 2020
@tekton-robot
Copy link

Hi @MarcelMue. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 14, 2020
@bigkevmcd
Copy link
Member

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 14, 2020
@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 79.2% 82.7% 3.5

@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 79.2% 82.7% 3.5

@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 79.2% 78.6% -0.6

@MarcelMue
Copy link
Member Author

Sorry for the dumb questions but this is my first time contributing to tekton upstream:

  1. Is this user facing? I would say yes because the behaviour does change slightly - not sure though.
  2. CI is taking really long to run - is this expected or is something wrong with my PR?
  3. I want to squash commits when I think changes are ready to merge - is that okay?

@MarcelMue MarcelMue marked this pull request as ready for review December 14, 2020 20:12
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 14, 2020
@dibyom
Copy link
Member

dibyom commented Dec 14, 2020

Thanks for opening the PR @MarcelMue :)

Is this user facing? I would say yes because the behaviour does change slightly - not sure though.

Yeah I'd agree. We should add a release note to the PR description like in #789

CI is taking really long to run - is this expected or is something wrong with my PR?

It should take a few mins. Looks like its reporting that its still running after an hour. I'll retrigger the tests (I've seen this happen a few times before)

I want to squash commits when I think changes are ready to merge - is that okay?

Yes, that's ok!

@dibyom
Copy link
Member

dibyom commented Dec 14, 2020

/retest

@MarcelMue MarcelMue force-pushed the add-security-context branch from c8a4e19 to eae5212 Compare December 14, 2020 21:40
@tekton-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/v1alpha1/eventlistener/eventlistener.go 79.2% 78.6% -0.6

@dibyom
Copy link
Member

dibyom commented Dec 15, 2020

/approve
/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 15, 2020
@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 15, 2020
@tekton-robot tekton-robot merged commit 0a9df14 into tektoncd:master Dec 15, 2020
@MarcelMue MarcelMue deleted the add-security-context branch December 15, 2020 09:25
@dibyom dibyom mentioned this pull request Dec 15, 2020
Merged
4 tasks
@vdemeester
Copy link
Member

@dibyom so… this breaks OpenShift. As this is user facing, I would have suggested to add a way to configure this behavior somehow (and disable it in some cases)

@MarcelMue
Copy link
Member Author

@dibyom so… this breaks OpenShift. As this is user facing, I would have suggested to add a way to configure this behavior somehow (and disable it in some cases)

Interesting - can you elaborate to me how it breaks OpenShift (I have never worked with it)?

I assumed this was safe because it is on master yamls without being configurable - e.g.:

triggers/config/controller.yaml

Lines 78 to 81 in 0a9df14

securityContext:
allowPrivilegeEscalation: false
# User 65532 is the distroless nonroot user ID
runAsUser: 65532

@vdemeester vdemeester mentioned this pull request Dec 16, 2020
Closed
@vdemeester
Copy link
Member

Hey @MarcelMue, more detail in #864, but in a gist, OpenShift needs some "extra rights" to be able to set a given uid to a Pod. By default, OpenShift does use a random uid, and it works just fine for the eventlistener pods. This changes forces to attach to the eventlistener pod a serviceAccount with anyuid — which adds a little bit of burden to operators of tektoncd/triggers instances (and even more to the user if one wants to add its own ServiceAccount if that's possible).

@vdemeester
Copy link
Member

I assumed this was safe because it is on master yamls without being configurable - e.g.:

triggers/config/controller.yaml

Lines 78 to 81 in 0a9df14

securityContext:
allowPrivilegeEscalation: false
# User 65532 is the distroless nonroot user ID
runAsUser: 65532

Indeed 😉 This is another small problem that we may have, but when we package Tekton for OpenShift, we do control the payload that we apply and thus we can safely remove that part (runAsUser) — but we do not control the code that is in tektoncd/triggers, so there is no easy way to remove the runAsUser set by the code in that PR.

@MarcelMue note that, I am 100% for this change in standard k8s. We just need to find a way to disable this behavior on demand (but having it enabled by default in a standard distribution of tektoncd).

@dbazhal
Copy link

dbazhal commented Apr 8, 2021
edited
Loading

definitely it broken our triggers in openshift with "unable to validate against any security context constraint: [spec.containers[0].securityContext.runAsUser: Invalid value: 65532: must be in the ranges: [1000750000, 1000759999]]"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iancoffey iancoffey Awaiting requested review from iancoffey

@khrm khrm Awaiting requested review from khrm

Assignees

@dibyom dibyom

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@MarcelMue @tekton-robot @bigkevmcd @dibyom @vdemeester @dbazhal