-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add container security context field to DevWorkspace Operator Config #953
Conversation
Codecov ReportBase: 49.52% // Head: 50.18% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #953 +/- ##
==========================================
+ Coverage 49.52% 50.18% +0.65%
==========================================
Files 38 39 +1
Lines 2417 2467 +50
==========================================
+ Hits 1197 1238 +41
- Misses 1095 1103 +8
- Partials 125 126 +1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
4b35100
to
ddcbd62
Compare
Code looks good to me. I still have a bit of testing to do (had some install issues on my cluster & forgot to check the workspace deployment YAML instead of workspace pod YAML 🤦♂️) but here are my findings so far (tested on OpenShift 4.11 and Minikube):
Things seem fine regarding this point, but I will post an update regarding this once I get a hold of another cluster. I still have to double-check this stays the same when the patch is applied, though it should. For the workspace pod, without the patch applied, the pod SecurityContext was the following: securityContext:
seLinuxOptions:
level: 's0:c20,c10'
fsGroup: 1000400000
seccompProfile:
type: RuntimeDefault And the container SecurityContext: securityContext:
capabilities:
drop:
- ALL
runAsUser: 1000400000
runAsNonRoot: true
allowPrivilegeEscalation: false For the workspace pod, with the patch applied, the pod SecurityContext was the following: securityContext:
seLinuxOptions:
level: 's0:c26,c10'
fsGroup: 1000670000
seccompProfile:
type: RuntimeDefault And the container SecurityContext: securityContext:
capabilities:
drop:
- ALL
runAsUser: 1000670000
runAsNonRoot: true
allowPrivilegeEscalation: false The differences between the patch applied vs. without the patch are the
This worked on both OpenShift and Minikube. On OpenShift, I used the example pod and container security contexts provided in the PR. securityContext:
seLinuxOptions:
level: 's0:c26,c10'
runAsUser: 1000670001
fsGroup: 1000670000
seccompProfile:
type: RuntimeDefault And the container security contexts were: securityContext:
capabilities:
drop:
- ALL
runAsUser: 1000670002
runAsNonRoot: true
allowPrivilegeEscalation: false Note that the values for runAsUser are correctly set. On Minikube, I used the example pod and container security contexts provided in the PR, but also added the KILL capability. securityContext:
runAsUser: 2048
runAsGroup: 0
runAsNonRoot: true
fsGroup: 1234 And the container security contexts were: securityContext:
capabilities:
add:
- SETUID
- SETGID
- KILL Note that the correct capabilities were added (including KILL) and the value of runAsUser was correct.
This seems to work. On Minikube, any unset fields for the pod security context in the DWOC will result in the default values being used. On OpenShift, fields that were not set in the pod security context (such as fsGroup) did not change. With pod SecurityContext set in DWOC: securityContext:
seLinuxOptions:
level: 's0:c26,c10'
runAsUser: 1000670001
fsGroup: 1000670000
seccompProfile:
type: RuntimeDefault Without pod SecurityContext set in DWOC: securityContext:
seLinuxOptions:
level: 's0:c26,c10'
fsGroup: 1000670000
seccompProfile:
type: RuntimeDefault |
Just confirmed that the workspace deployment's security context remains empty ( |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: amisevsk, AObuchow The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ddcbd62
to
6424053
Compare
New changes are detected. LGTM label has been removed. |
pkg/config/defaults.go
Outdated
var defaultKubernetesPodSecurityContext = &corev1.PodSecurityContext{ | ||
RunAsUser: &int64UID, | ||
RunAsGroup: &int64GID, | ||
RunAsNonRoot: &boolTrue, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really necessary, but I just found out you can use "k8s.io/utils/pointer"
and do pointer.BoolPtr(true)
, as well as pointer.Int64Ptr(1234)
.
However, this still wouldn't eliminate the need for the commonStorageSize and perWorkspaceStorageSize variables.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a great idea -- we use things like &boolTrue
extensively enough that we should likely fix it repo-wide in a separate PR
6424053
to
21cd024
Compare
Instead of ignoring devworkspace operator config's config.workspace.podSecurityContext on OpenShift, set the currently used value as a default and allow it to be overridden. This can be used to set fields that are permitted to be set on the cluster (e.g. SupplementalGroups) Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
Instead of overwriting pod/container security context when configured in the DWOC, use a strategic merge patch to override fields in default only Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
Signed-off-by: Angel Misevski <[email protected]>
21cd024
to
561e097
Compare
/retest |
What does this PR do?
.config.workspace.containerSecurityContext
field to DevWorkspaceOperatorConfig to allow configuring container-level security context for workspace podsWhat issues does this PR fix or reference?
Closes #951
Closes #952
Is it tested? How?
To test:
On Kubernetes, the following DevWorkspaceOperatorConfig fields can be used to test:
This should result in the workspace pod having
runAsUser: 2048
and pod containers having theSETUID
andSETGID
capabilities.On OpenShift, the above DWOC will likely cause the workspace to fail to start. One permissible configuration is to specify a
runAsUser
within the UID range assigned the current project, e.g.(where
1000670000
is the default UID used for running workspace pods).PR Checklist
/test v8-devworkspace-operator-e2e, v8-che-happy-path
to trigger)v8-devworkspace-operator-e2e
: DevWorkspace e2e testv8-che-happy-path
: Happy path for verification integration with Che