Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update triggers default configmap for runAsUser and runAsGroup to handle restricted securityContext for Triggers #2125

Merged
merged 1 commit into from
Jul 9, 2024
Merged

Update triggers default configmap for runAsUser and runAsGroup to handle restricted securityContext for Triggers #2125

merged 1 commit into from
Jul 9, 2024

Conversation

savitaashture
Copy link
Contributor

@savitaashture savitaashture commented Apr 23, 2024
edited
Loading

Context:

As part of addressing https://issues.redhat.com/browse/OCPSTRAT-487, there's a plan to enable restricted security context by default starting from Openshift 4.17.
Once this becomes the default setting, existing Triggers functionality may break.
This is because we currently set security context to false, and the pipelines-scc security context constraint (SCC) doesn't have seccompProfiles: runtime/default, which is required when restricted security context is enabled by default because by default triggers set runAsUser and runAsGroup` to 65532.

So Updated Triggers only to accept values for runAsUser and runAsGroupthrough CM and using Operator we are setting to""` so that Openshift can set those random values.

Tested below scenarios:

1 set security context to restricted for a namespace (oc label ns test pod-security.kubernetes.io/enforce=restricted --overwrite=true)

  • No seccompProfiles: runtime/default to pipelines-scc
    and Created EL, POD is up and running 
    securityContext:
 allowPrivilegeEscalation: false
 capabilities:
   drop:
   - ALL
 runAsNonRoot: true
 runAsUser: 1000730000
 seccompProfile:
   type: RuntimeDefault

2 remove security context to restricted for a namespace (oc label ns test pod-security.kubernetes.io/enforce-)

  • No seccompProfiles: runtime/default to pipelines-scc
    and Created EL, POD is up and running 
    securityContext:
 allowPrivilegeEscalation: false
 capabilities:
   drop:
   - ALL
 runAsNonRoot: true
 runAsUser: 1000710000
 seccompProfile:
   type: RuntimeDefault

Fixes : https://issues.redhat.com/browse/SRVKP-4372

Signed-off-by: Savita Ashture sashture@redhat.com

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Apr 23, 2024
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 23, 2024
@savitaashture
Copy link
Contributor Author

@tektoncd/operator-maintainers Will bring this issue in WG call also wanted to talk set-security-context related to Pipeline

@savitaashture
Copy link
Contributor Author

@piyush-garg
I have verified the question which you bought during WG call

When el-security-context is true
EL pod have below securityContext

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
        - MKNOD
      runAsGroup: 65532
      runAsNonRoot: true
      runAsUser: 65532
      seccompProfile:
        type: RuntimeDefault
    terminationMessagePath: /dev/termination-log

And pod is up and running with those securityContext values

$ kubectl get pods 
NAME                                  READY   STATUS      RESTARTS   AGE
el-github-listener-7ff9675c4d-jpctb   1/1     Running     0          41s
github-run-fhggv-pod                  0/1     Completed   0          74m

I could even send the requests

curl -v -H 'X-GitHub-Event: pull_request' -H 'X-Hub-Signature: sha1=ba0cdc263b3492a74b601d240c27efe81c4720cb' -H 'Content-Type: application/json' -d '{"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"clone_url": "https://github.com/tektoncd/triggers.git"}}' http://localhost:8080

The taskrun created

$ kubectl get pods 
NAME                                  READY   STATUS      RESTARTS   AGE
el-github-listener-7ff9675c4d-jpctb   1/1     Running     0          62s
github-run-fhggv-pod                  0/1     Completed   0          74m
github-run-k55bm-pod                  1/1     Running     0          4s

@savitaashture
Copy link
Contributor Author

cc @khrm

@savitaashture savitaashture changed the title [WIP] Update scc to add seccompProfiles to handle restricted securityContext Update scc to add seccompProfiles to handle restricted securityContext for Triggers Apr 30, 2024
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 30, 2024
khrm
khrm reviewed May 6, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you test this with OpenShift <=4.15?

@savitaashture
Copy link
Contributor Author

Did you test this with OpenShift <=4.15?

Yes

khrm
khrm reviewed May 6, 2024
View reviewed changes
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
@jkandasa

jkandasa
jkandasa approved these changes May 7, 2024
View reviewed changes
Copy link
Member

@jkandasa jkandasa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @piyush-garg

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2024
@jkandasa
Copy link
Member

jkandasa commented May 7, 2024

@savitaashture Please update the release notes

@piyush-garg
Copy link
Contributor

i dont know how 65532 is working on openshift, and thing which used to work before is not working now. I need to disucss this more

@savitaashture
Copy link
Contributor Author

savitaashture commented May 7, 2024
edited
Loading

i dont know how 65532 is working on openshift, and thing which used to work before is not working now. I need to disucss this more

Sure @piyush-garg
should we discuss in Operator WG ? or we can schedule adhoc call and discuss as Operator call is on Thursday which is very late

@piyush-garg
Copy link
Contributor

piyush-garg commented May 7, 2024
edited
Loading

i dont know how 65532 is working on openshift, and thing which used to work before is not working now. I need to disucss this more

Sure @piyush-garg should we discuss in Operator WG ? or we can schedule adhoc call and discuss as Operator call is on Thursday which is very late

Lets setup a adhoc call and try few things which i have in mind, i think it should work fine with the original flag

@savitaashture savitaashture changed the title Update scc to add seccompProfiles to handle restricted securityContext for Triggers [WIP] Update scc to add seccompProfiles to handle restricted securityContext for Triggers May 8, 2024
@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 8, 2024
@savitaashture
Copy link
Contributor Author

When el-security-context set to true

 securityContext:
            allowPrivilegeEscalation: false
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault

all above things will be set but 65532 is not within the OpenShift range.

Therefore, I need to try out a couple of things by making changes in triggers and operators.
As a result, we'll be holding this PR for now, and it won't be included in the 1.15 OSP release.

@tekton-robot tekton-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 8, 2024
@savitaashture savitaashture changed the title [WIP] Update scc to add seccompProfiles to handle restricted securityContext for Triggers Update scc to add seccompProfiles to handle restricted securityContext for Triggers Jul 8, 2024
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 8, 2024
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 46.3% -40.6

@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 8, 2024
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 82.6% -4.3

@savitaashture
Copy link
Contributor Author

please squash the commit into one

squashed

@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 82.6% -4.3

@savitaashture
Copy link
Contributor Author

@jkandasa @piyush-garg addressed all the review comments
PTAL
Thank you

jkandasa
jkandasa approved these changes Jul 8, 2024
View reviewed changes
Copy link
Member

@jkandasa jkandasa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @savitaashture LGTM
cc @piyush-garg

@tekton-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkandasa, khrm, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [jkandasa,vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

piyush-garg
piyush-garg reviewed Jul 9, 2024
View reviewed changes
pkg/apis/operator/v1alpha1/tektontrigger_types.go Outdated
@@ -92,5 +92,7 @@ type TriggersProperties struct {
// OptionalTriggersProperties defines the fields which are to be
// defined for triggers only if user pass them
type OptionalTriggersProperties struct {
DefaultServiceAccount string `json:"default-service-account,omitempty"`
DefaultServiceAccount string `json:"default-service-account,omitempty"`
DefaultRunAsUser *string `json:"default-run-as-user,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should not add it here, its a configmap thing and it can be done through options.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we have already stopped adding more configs

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@savitaashture ah I just notice, it is applicable for kubernets too.
Will it work without runAsUser and runAsGroup in kubernetes?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should not add it in spec

we just remove those two values in openshift profile only

user should be able to configure through options in both profile

Copy link
Contributor Author

@savitaashture savitaashture Jul 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay
got it
then in that case i want to set default value as "" for both runAsUser and runAsGroup should i add under Options of Triggers 🤔

user should be able to configure through options in both profile

right but to set default values what is the best way in Operator
Is it through adding under options in tektonConfig ?
I mean shall i add default values here https://github.com/tektoncd/operator/blob/main/config/crs/openshift/config/all/operator_v1alpha1_config_cr.yaml directly

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just call the tranformer in openshift extension to set the default value

@tekton-robot tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 9, 2024
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 82.6% -4.3

@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 82.6% -4.3

piyush-garg
piyush-garg reviewed Jul 9, 2024
View reviewed changes
pkg/reconciler/openshift/tektontrigger/extension.go Outdated
// Updating the default values of runAsUser and runAsGroup to an empty string
// to ensure compatibility with OpenShift's requirements for managing these settings
// in Triggers Eventlistener containers SCC.
type triggersProperties struct {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we define the struct out of this function

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved out of the function

piyush-garg
piyush-garg reviewed Jul 9, 2024
View reviewed changes
pkg/reconciler/openshift/tektontrigger/extension.go Outdated
DefaultRunAsUser *string `json:"default-run-as-user,omitempty"`
DefaultRunAsGroup *string `json:"default-run-as-group,omitempty"`
}
triggersData := triggersProperties{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can also be defined like a constant outside

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated a bit please check now

@savitaashture savitaashture force-pushed the fix_scc_when_restricted branch 2 times, most recently from 5f27bc5 to 3d3dd91 Compare July 9, 2024 12:09
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 82.6% -4.3

@savitaashture
Add function to clear the runAsGroup and runAsUser values in the defa…
8bba2da 
…ult cm for triggers to handle restricted securityContext

Context:

As part of addressing https://issues.redhat.com/browse/OCPSTRAT-487, there's a plan to enable restricted security context by default starting from Openshift 4.16.
Once this becomes the default setting, existing Triggers functionality may break.
This is because we currently set security context to false, and the pipelines-scc security context constraint (SCC)
doesn't have seccompProfiles: runtime/default, which is required when restricted security context is enabled by default.
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/openshift/tektontrigger/transformers.go 87.0% 82.6% -4.3

@piyush-garg
Copy link
Contributor

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2024
@tekton-robot tekton-robot merged commit 23fb02a into tektoncd:main Jul 9, 2024
7 of 8 checks passed
@savitaashture savitaashture mentioned this pull request Aug 19, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@piyush-garg piyush-garg piyush-garg left review comments

@jkandasa jkandasa jkandasa approved these changes

@khrm khrm khrm left review comments

@vdemeester vdemeester vdemeester approved these changes

@PuneetPunamiya PuneetPunamiya Awaiting requested review from PuneetPunamiya

Assignees

@piyush-garg piyush-garg

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@savitaashture @jkandasa @piyush-garg @tekton-robot @vdemeester @khrm