fix(manager): avoid privilege escalation
wirespecter authored and tiborsimko committed Nov 18, 2024
1 parent 72f896e commit ef7ff72
Showing 2 changed files with 4 additions and 1 deletion.
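--- a/reana_workflow_controller/k8s.py
+++ b/reana_workflow_controller/k8s.py
@@ -221,7 +221,9 @@ def add_environment_variable(self, name, value):
 
 def add_run_with_root_permissions(self):
 """Run interactive session with root."""
-security_context = client.V1SecurityContext(run_as_user=0)
+security_context = client.V1SecurityContext(
+run_as_user=0, allow_privilege_escalation=False
+)
 self._session_container.security_context = security_context
 
 def add_user_secrets(self):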
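Review bot: `add_run_with_root_permissions` still starts the session container as UID 0 with the runtime's default capability set, so `allow_privilege_escalation=False` only stops the process gaining further privileges through setuid binaries or file capabilities. It does not reduce what the root process can already do. If the interactive session does not need them, dropping capabilities in the same context would narrow this, e.g. `capabilities=client.V1Capabilities(drop=["ALL"])`, though that needs testing against the session images, which may rely on chown or similar at start-up. The docstring could also record the intent, e.g. `"""Run interactive session as root (UID 0) with privilege escalation disabled."""`.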
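--- a/reana_workflow_controller/workflow_run_manager.py
+++ b/reana_workflow_controller/workflow_run_manager.py
@@ -557,6 +557,7 @@ def _create_job_spec(
 workflow_engine_container.security_context = client.V1SecurityContext(
 run_as_group=WORKFLOW_RUNTIME_USER_GID,
 run_as_user=WORKFLOW_RUNTIME_USER_UID,
+allow_privilege_escalation=False,
 )
 workflow_engine_container.volume_mounts = [workspace_mount]
 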
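Review bot: The new `allow_privilege_escalation=False` is set only on `workflow_engine_container`, and `_create_job_spec` continues outside this hunk, so any other container it adds to the same pod should be checked for the same setting. Since this context pins a runtime UID/GID, adding `run_as_non_root=True,` next to it would make the kubelet refuse to start the container if `WORKFLOW_RUNTIME_USER_UID` were ever configured as 0 (its value is not visible here). The flag is now set by hand in two places (k8s.py and here), so a one-line comment such as `# no_new_privs: block setuid/file-capability escalation inside the engine container` would help keep later security contexts in step.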
