Set the scripts dir to readonly after init

The scripts dir only needs to be writable during `place-scripts` Previously you could replace the script of other steps before they're ran and this mitigates that issue
tektoncd · Aug 17, 2021 · 89a6233 · 89a6233
1 parent f0a2f00
commit 89a6233
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 7 deletions.
diff --git a/pkg/pod/pod_test.go b/pkg/pod/pod_test.go
@@ -652,7 +652,7 @@ func TestPodBuild(t *testing.T) {
 					Name:         "place-scripts",
 					Image:        "busybox",
 					Command:      []string{"sh"},
-					VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+					VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 					Args: []string{"-c", `scriptfile="/tekton/scripts/sidecar-script-0-9l9zj"
 touch ${scriptfile} && chmod +x ${scriptfile}
 cat > ${scriptfile} << '_EOF_'
@@ -910,7 +910,7 @@ IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCnByaW50KCJIZWxsbyBmcm9tIFB5dGhvbiIp
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
-					VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+					VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 				},
 			},
 			Containers: []corev1.Container{{
@@ -1035,7 +1035,7 @@ IyEvYmluL3NoCiQk
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
-				VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+				VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 			}},
 			Containers: []corev1.Container{{
 				Name:    "step-one",

diff --git a/pkg/pod/script.go b/pkg/pod/script.go
@@ -48,6 +48,12 @@ var (
 	scriptsVolumeMount = corev1.VolumeMount{
 		Name:      scriptsVolumeName,
 		MountPath: scriptsDir,
+		ReadOnly:  true,
+	}
+	writeScriptsVolumeMount = corev1.VolumeMount{
+		Name:      scriptsVolumeName,
+		MountPath: scriptsDir,
+		ReadOnly:  false,
 	}
 	debugScriptsVolume = corev1.Volume{
 		Name:         debugScriptsVolumeName,
@@ -78,7 +84,7 @@ func convertScripts(shellImage string, steps []v1beta1.Step, sidecars []v1beta1.
 		Image:        shellImage,
 		Command:      []string{"sh"},
 		Args:         []string{"-c", ""},
-		VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+		VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 	}
 
 	breakpoints := []string{}

diff --git a/pkg/pod/script_test.go b/pkg/pod/script_test.go
@@ -177,7 +177,7 @@ IyEvYmluL3NoCnNldCAteGUKbm8tc2hlYmFuZw==
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
-		VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+		VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 	}
 	want := []corev1.Container{{
 		Image:        "step-1",
@@ -316,7 +316,7 @@ else
 fi
 debug-fail-continue-heredoc-randomly-generated-6nl7g
 `},
-		VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount, debugScriptsVolumeMount},
+		VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount, debugScriptsVolumeMount},
 	}
 	want := []corev1.Container{{
 		Image:   "step-1",
@@ -408,7 +408,7 @@ IyEvYmluL3NoCnNpZGVjYXItMQ==
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
-		VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+		VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 	}
 	want := []corev1.Container{{
 		Image:        "step-1",