-
-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Woodpecker 2.4 breaks privileged steps/plugins with Kubernetes backend #3537
Comments
Comment is almost useless, but...
privileged: true
backend_options:
kubernetes:
securityContext:
privileged: true Edit 1. if sc != nil && sc.Privileged != nil && *sc.Privileged {
privileged = sc.Privileged // true
} else if stepPrivileged {
privileged = &stepPrivileged // true
} before #3482 |
You are correct. I actually meant version 2.4, I linked the comment as I suspect this commit might be the cause. For me it did not work to set privileged only on pipeline level. |
Seems, it sets up
Backend option was checked firstly. If was not set, step-level option was checked (was set by trusted plugin logic) => security context was set.
Now, it is cc @anbraten Related #3511 |
Haven't had a closer look into this issue yet, but it could definitely be related to #3482. We changed the logic in there as we got security request checking this area again as it seemed to be possible to run privileged pods in Kubernetes. |
Then ideally, all checks on pipeline's |
I understand the motivation, please don’t get the following feedback wrong: I am in the situation to prepare an elaborated lab setup for 30+ participants and choose woodpecker for a number of reasons over drone. During rehearsal this change caught me unprepared and lead to quite some anxiety and stress as I had to pinpoint the problem after everything broke and I had to question wether I did something wrong or had undocumented steps. On the implementation: Perhaps it would make sense to distinguish between trusted (volumes) and privileged repositories? Just a thought. |
Understandable.
Perhaps you meant this ⬇️ At least it should be better worded. Mounting the volumes is not the main purpose of it, to me.
Yeah...
And mentioned list of trusted plugins, seems. Maybe, there combined flag already exists: trusted repository or trusted plugin. |
Regarding the repo setting: Thanks, I was aware of the 'trusted' setting. What I wanted to bring up as a possible improvement was to have two settings: One for 'allow volumes' and a different one for 'allow privileged containers'. I always though that mixing these aspects felt a little off as I much more often want to allow volumes than priviliged containers. Kubernetes differentiates these aspects as well. |
IMHO, this might be a somewhat more ideal model:
And to achieve such model (not familiar with implementation detail so I'll go with Javascript-like pseudo code): function getSecurityContext(repo, plugin, step) {
function _getSecurityContext(plugin, step) {
if (plugin.trusted) {
return [step.privileged ?? plugin.privileged, {...plugin.securityContext, ...step.securityContext}]
} else {
return [step.privileged, {privileged: step.privileged, ...step.securityContext}]
}
}
function _validateSecurityContext(repo, privileged, securityContext) {
if (!repo.trusted && privileged) {
throw new ValidationError("Cannot run a privileged step in an untrusted repository")
}
if (!privileged && (securityContext.privileged || securityContext.runAsUser === 0 || securityContext.runAsGroup === 0) {
throw new ValidationError("Cannot elevate a Pod in an unprivileged step")
}
}
const [privileged, securityContext] = _getSecurityContext(plugin, step)
_validateSecurityContext(repo, privileged, securityContext)
return [privileged ?? false, securityContext]
} |
I like the general idea. The other aspect is about volumes: I would like to be able to mount a volume but not elevate the privileges automatically. They are different aspects anyway, but if a step is privileged, volumes could be included. So something like trust levels (ux: slider?) might be worth thinking about. Repository trust: "none", "volumes", "privileged" |
We also have to support this for other backends and as for example docker would allow mounting the docker.sock again, you could reach root access by using volumes. #2272 might be an option. |
Valid point, how about mounting predefined volumes only? Docker supports named volumes as well. Temporary volumes for a single instance of a workflow feels a little short lived to me. (I have a kaniko volume for base images that I would like to preserve across multiple invocations of a workflow.) |
If you can set
It is controlled by some logic, that sets up step-level privileged flag in core. Should work. |
Because I feel like the Much like “hey I just want to give some of you the privileges to do whatever you want, but you can always deny if you don’t like it”. |
That is what trusted repo for.
But that is exactly how it was implemented and it is now. When I implemented security context, I added just yet another source of this field. If you look in kube docs, The --privileged flag gives all capabilities to the container. All capabilities. The same with Kubernetes. If you want to change semantics of the pipeline's (whether step's or backend option) The same with volumes stuff, I think. When issue is closed, everflux's proposal will get lost.
Try pull through cache. |
Did some testing and think #3711 should recover the expected behavior. |
This worked with WP 2.3 and Kubernetes backend:
Using WP 2.4 the docker daemon does not start.
Debugging the Pod manifest I see an empty security context and the docker daemon does not start.
This works with WP 2.4.1 but is not so user friendly:
See also: #3482 (comment)_
The text was updated successfully, but these errors were encountered: