set via SecurityContextConfig

This commit is contained in:
pat-s 2024-10-02 17:46:57 +02:00
parent ea366e9e89
commit 8a1c2a0c84
No known key found for this signature in database
GPG key ID: 3C6318841EF78925
2 changed files with 12 additions and 6 deletions


@ -44,6 +44,7 @@ const (
EngineName = "kubernetes"
// TODO: 5 seconds is against best practice, k3s didn't work otherwise
defaultResyncDuration = 5 * time.Second
efaultFSGroup int64 = 1000
)
var defaultDeleteOptions = newDefaultDeleteOptions()
@ -70,6 +71,7 @@ type config struct {
}
type SecurityContextConfig struct {
RunAsNonRoot bool
FSGroup *int64
}
func newDefaultDeleteOptions() meta_v1.DeleteOptions {
@ -98,6 +100,7 @@ func configFromCliContext(ctx context.Context) (*config, error) {
ImagePullSecretNames: c.StringSlice("backend-k8s-pod-image-pull-secret-names"),
SecurityContext: SecurityContextConfig{
RunAsNonRoot: c.Bool("backend-k8s-secctx-nonroot"), // cspell:words secctx nonroot
FSGroup: newInt64(defaultFSGroup),
},
NativeSecretsAllowFromStep: c.Bool("backend-k8s-allow-native-secrets"),
}
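Review bot: The new exported field `FSGroup *int64` on `SecurityContextConfig` has no doc comment, and its meaning is not obvious from the struct alone: from the third hunk it is always populated with `newInt64(defaultFSGroup)` at construction, never from a CLI flag the way `RunAsNonRoot` is read from `backend-k8s-secctx-nonroot`, so in practice it is a fixed global default rather than an operator setting. I would document that, e.g. `// FSGroup is the fsGroup applied to every pod unless the step sets its own; currently fixed to defaultFSGroup (1000) and not configurable.` A follow-up could wire it to a flag, but note that unlike the nil pointer the type suggests, the nil case never occurs with this constructor. The `config` struct and `configFromCliContext` both begin and end outside these hunks.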


@ -390,6 +390,9 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
if secCtxConf.RunAsNonRoot {
nonRoot = newBool(true)
}
if secCtxConf.FSGroup != nil {
fsGroup = secCtxConf.FSGroup
}
if sc != nil {
// only allow to set user if its not root or step is privileged
@ -407,6 +410,11 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
fsGroup = sc.FSGroup
}
// if unset, set fsGroup to 1000 by default to support non-root images
if sc.FSGroup != nil {
fsGroup = sc.FSGroup
}
// only allow to set nonRoot if it's not set globally already
if nonRoot == nil && sc.RunAsNonRoot != nil {
nonRoot = sc.RunAsNonRoot
@ -416,11 +424,6 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
apparmor = apparmorProfile(sc.ApparmorProfile)
}
// if unset, set fsGroup to 1000 by default to support non-root images
if sc.FSGroup == nil {
fsGroup = newInt64(defaultFSGroup)
}
if nonRoot == nil && user == nil && group == nil && fsGroup == nil && seccomp == nil {
return nil
}
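Review bot: In the second hunk, the added `if sc.FSGroup != nil { fsGroup = sc.FSGroup }` sits immediately after an existing assignment of the same value (`fsGroup = sc.FSGroup` followed by `}`) whose enclosing `if` begins above the hunk, so whatever that condition guarded is now overridden by an unconditional copy of the step's value; by analogy with the visible comment "only allow to set user if its not root or step is privileged" that guard plausibly rejects an fsGroup of 0 for unprivileged steps, and if so the rejection is bypassed. The comment above the new block, `// if unset, set fsGroup to 1000 by default to support non-root images`, also no longer describes the code: the 1000 default now comes from `secCtxConf.FSGroup` in the first hunk, and this block copies the step value rather than setting a default. Unless the guarded assignment above was removed elsewhere, I would drop the four new lines entirely, since the global default is already applied before `if sc != nil` and the guarded branch already handles a step-supplied value; otherwise keep the same condition as that guard and reword the comment to `// step-level FSGroup overrides the global default from SecurityContextConfig`. `podSecurityContext` starts and ends outside these hunks, so the guard condition itself is not visible here.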