Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(executor): Support accessing output parameters by PNS executor running as non-root #5564

Merged
merged 23 commits into from
Apr 7, 2021
Merged

feat(executor): Support accessing output parameters by PNS executor running as non-root #5564

merged 23 commits into from
Apr 7, 2021

Conversation

vladlosev
Copy link
Contributor

@vladlosev vladlosev commented Mar 31, 2021
edited
Loading

The Argo PNS executor requires the SYS_CHROOT and the SYS_PTRACE capabilities for access to the workflow output parameters when they are saved inside the image. When it is run as a root, those capabilities are available to it immediately because they are added by the workflow controller to the container's security context. But when it's run as a non-root user, the capabilities are available in the process's inherited capability set but neither in its effective nor permitted sets. Thus, a chroot attempt in such mode currently fails. This PR adds the requisite capability bits to the argoexec binary in the container, which allows the executor process to gain these capabilities when launched, and use those syscalls successfully.

Checklist:

@codecov
Copy link

codecov bot commented Mar 31, 2021
edited
Loading

Codecov Report

Merging #5564 (55c4f17) into master (c941ef8) will increase coverage by 0.07%.
The diff coverage is n/a.

❗ Current head 55c4f17 differs from pull request most recent head 6e9d70c. Consider uploading reports for the commit 6e9d70c to get more accurate results
Impacted file tree graph

@@            Coverage Diff             @@
##           master    #5564      +/-   ##
==========================================
+ Coverage   47.00%   47.08%   +0.07%     
==========================================
  Files         240      240              
  Lines       15002    15002              
==========================================
+ Hits         7052     7064      +12     
+ Misses       7053     7039      -14     
- Partials      897      899       +2
Impacted Files Coverage Δ
cmd/argo/commands/get.go 57.33% <0.00%> (+0.66%) ⬆️
server/workflow/workflow_server.go 42.73% <0.00%> (+2.27%) ⬆️
workflow/metrics/server.go 16.66% <0.00%> (+4.16%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c941ef8...6e9d70c. Read the comment docs.

@vladlosev vladlosev force-pushed the fix-enable-run-as-non-root branch from 970763f to 84b2fb9 Compare March 31, 2021 19:30
@vladlosev vladlosev changed the title feat(argo-workflows): Add support for running feat: Add support for accessing workflow artiacts by PNS executor running as non-root. Mar 31, 2021
@vladlosev vladlosev changed the title feat: Add support for accessing workflow artiacts by PNS executor running as non-root. feat: Support accessing workflow artiacts by PNS executor running as non-root. Mar 31, 2021
@vladlosev vladlosev force-pushed the fix-enable-run-as-non-root branch from 84b2fb9 to 9d98c38 Compare March 31, 2021 20:38
@vladlosev vladlosev changed the title feat: Support accessing workflow artiacts by PNS executor running as non-root. feat: Support accessing output parameters by PNS executor running as non-root. Mar 31, 2021
@vladlosev vladlosev force-pushed the fix-enable-run-as-non-root branch from 9d98c38 to b506435 Compare March 31, 2021 21:00
alexec
alexec reviewed Mar 31, 2021
View reviewed changes
Copy link
Contributor

@alexec alexec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a powerful PR

@vladlosev vladlosev force-pushed the fix-enable-run-as-non-root branch 3 times, most recently from 4d3d2e1 to b6cc892 Compare April 5, 2021 04:18
vladlosev added 19 commits April 4, 2021 21:19
@vladlosev
feat: Add a test for output parameter access under non-root.
ce90a99 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Force CI run.
11ee44c 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Adds required capability bits to argoexec in the image.
d195880 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Adds the permission bit check.
b9265b9 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Forces Docker image build.
5a926cf 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Adds docker image passing via cache.
4d2cd6c 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Splits off build job
2fc9b7d 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Gives more time to image building.
36bb857 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Fixes key for caching images.
be8e749 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Fixes docker image cache dir.
bf37cbe 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Tests for Docker image caching.
82e6809 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Updates timestamp on image archives to make sure make uses them.
d3d4f15 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Adds test for argoxec capability bits.
86531f9 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Run cap test in Docker image. Doh.
65a8751 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Uses entrypoint for getcap
828efce 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Tries preload Argo images into k3s nodes.
59a037e 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Uses commit specific image tag.
91be537 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Uses specified version for saving images.
23e627a 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Pre-generates the server key.
38cdd81 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
vladlosev added 2 commits April 4, 2021 21:22
@vladlosev
Changes image file extension to .tar.
b0ea2b7 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev
Also updates argoexec-dev image.
7a05cca 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev vladlosev force-pushed the fix-enable-run-as-non-root branch from b6cc892 to 7a05cca Compare April 5, 2021 04:23
@vladlosev
Reverts CI/Makefile changes.
58b9b7c 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@vladlosev vladlosev marked this pull request as ready for review April 5, 2021 16:52
@alexec alexec changed the title feat: Support accessing output parameters by PNS executor running as non-root. feat(executor): Support accessing output parameters by PNS executor running as non-root Apr 5, 2021
alexec
alexec reviewed Apr 5, 2021
View reviewed changes
test/e2e/run_as_not_root_test.go
@@ -23,6 +23,15 @@ func (s *RunAsNonRootSuite) TestRunAsNonRootWorkflow() {
WaitForWorkflow(fixtures.ToBeSucceeded)
}

func (s *RunAsNonRootSuite) TestRunAsNonRootWithOutputParams() {
s.Need(fixtures.None(fixtures.Docker, fixtures.K8SAPI, fixtures.Kubelet))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor - do you want to include emissary in your test? instead maybe just

s.Need(fixtures.PNS)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test passes under emissary, and it is a valid use case (I can attest to that!) so I think we want to keep it for emissary to ensure there are no regressions in the future. That is unless you have reasons to explicitly not support this use case for emissary. Please let me know if that's the case and I will drop it for emissary.

test/e2e/smoke/runasnonroot-output-params.yaml Outdated
@@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please append -pipeline.yaml to name

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@vladlosev
Renames test workflow definition file.
6e9d70c 
Signed-off-by: Vlad Losev <vladimir.losev@sage.com>
@alexec alexec merged commit 22a8e93 into argoproj:master Apr 7, 2021
@alexec alexec added this to the v3.1 milestone Apr 7, 2021
@vladlosev vladlosev deleted the fix-enable-run-as-non-root branch April 7, 2021 18:55
@simster7 simster7 mentioned this pull request Apr 19, 2021
Closed
50 tasks
@alexec alexec mentioned this pull request Jun 23, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexec alexec alexec approved these changes

Assignees

@alexec alexec

Labels
None yet
Projects
None yet
Milestone
v3.1
Development

Successfully merging this pull request may close these issues.
2 participants
@vladlosev @alexec