Commit c7117f28 authored by Horatiu Eugen Vlad's avatar Horatiu Eugen Vlad

Add kubernetes runners allowPrivilegeEscalation security context configuration

parent 3f96fcfc
......@@ -211,6 +211,7 @@ type KubernetesConfig struct {
Namespace string `toml:"namespace" json:"namespace" long:"namespace" env:"KUBERNETES_NAMESPACE" description:"Namespace to run Kubernetes jobs in"`
NamespaceOverwriteAllowed string `toml:"namespace_overwrite_allowed" json:"namespace_overwrite_allowed" long:"namespace_overwrite_allowed" env:"KUBERNETES_NAMESPACE_OVERWRITE_ALLOWED" description:"Regex to validate 'KUBERNETES_NAMESPACE_OVERWRITE' value"`
Privileged bool `toml:"privileged,omitzero" json:"privileged" long:"privileged" env:"KUBERNETES_PRIVILEGED" description:"Run all containers with the privileged flag enabled"`
AllowPrivilegeEscalation bool `toml:"allow_privilege_escalation,omitzero" json:"allow_privilege_escalation" long:"allow-privilege-escalation" env:"KUBERNETES_ALLOW_PRIVILEGE_ESCALATION" description:"Run all containers with the security context allowPrivilegeEscalation flag enabled"`
CPULimit string `toml:"cpu_limit,omitempty" json:"cpu_limit" long:"cpu-limit" env:"KUBERNETES_CPU_LIMIT" description:"The CPU allocation given to build containers"`
CPULimitOverwriteMaxAllowed string `toml:"cpu_limit_overwrite_max_allowed,omitempty" json:"cpu_limit_overwrite_max_allowed" long:"cpu-limit-overwrite-max-allowed" env:"KUBERNETES_CPU_LIMIT_OVERWRITE_MAX_ALLOWED" description:"If set, the max amount the cpu limit can be set to. Used with the KUBERNETES_CPU_LIMIT variable in the build."`
CPURequest string `toml:"cpu_request,omitempty" json:"cpu_request" long:"cpu-request" env:"KUBERNETES_CPU_REQUEST" description:"The CPU allocation requested for build containers"`
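Review bot: With `AllowPrivilegeEscalation` typed as a plain `bool`, the executor cannot distinguish "not configured" from "configured false", and the `buildContainer` hunks below (@@ -471, -494 and -512) always emit `AllowPrivilegeEscalation: &allowPrivilegeEscalation`, so every pod now carries an explicit `allowPrivilegeEscalation: false` unless the option is switched on. As far as I recall, the Kubernetes API server rejects a container security context that combines `privileged: true` (or `SYS_ADMIN` in `capabilities.add`) with `allowPrivilegeEscalation: false`, so existing `privileged = true` runner configurations would start failing pod creation after this change. Consider `AllowPrivilegeEscalation *bool \`toml:"allow_privilege_escalation,omitempty" json:"allow_privilege_escalation" long:"allow-privilege-escalation" env:"KUBERNETES_ALLOW_PRIVILEGE_ESCALATION" description:"..."\`` here and, in `buildContainer`, passing the pointer straight through — `AllowPrivilegeEscalation: s.Config.Kubernetes.AllowPrivilegeEscalation,` — so an unset option leaves the field nil and the cluster default applies. The `description` should also say the flag is only meaningful for non-privileged containers; `buildContainer` starts and ends outside the hunks shown.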
......@@ -799,6 +799,7 @@ See [Kubernetes executor](../executors/kubernetes.md) for additional parameters.
| `image` | string | Default Docker image to use for builds when none is specified |
| `namespace` | string | Namespace to run Kubernetes jobs in |
| `privileged` | boolean | Run all containers with the privileged flag enabled |
| `allow_privilege_escalation` | boolean | Run all containers with the `allowPrivilegeEscalation` flag enabled |
| `node_selector` | table | A `table` of `key=value` pairs of `string=string`. Setting this limits the creation of pods to Kubernetes nodes matching all the `key=value` pairs |
| `image_pull_secrets` | array | A list of secrets that are used to authenticate Docker image pulling |
......@@ -812,6 +813,7 @@ Example:
ca_file = "/etc/ssl/kubernetes/ca.crt"
image = "golang:1.8"
privileged = true
allow_privilege_escalation = true
image_pull_secrets = ["docker-registry-credentials"]
[runners.kubernetes.node_selector]
gitlab = "true"
......@@ -68,6 +68,7 @@ The following keywords help to define the behavior of the Runner within Kubernet
the namespace overwrite environment variable (documented below). When empty,
it disables the namespace overwrite feature
- `privileged`: Run containers with the privileged flag
- `allow_privilege_escalation`: Run all containers with the `allowPrivilegeEscalation` flag enabled.
- `cpu_limit`: The CPU allocation given to build containers
- `cpu_limit_overwrite_max_allowed`: The max amount the CPU allocation can be written to for build containers. When empty, it disables the cpu limit overwrite feature
- `memory_limit`: The amount of memory allocated to build containers
......@@ -471,6 +471,7 @@ func (s *executor) buildContainer(
containerCommand ...string,
) api.Container {
privileged := false
allowPrivilegeEscalation := false
containerPorts := make([]api.ContainerPort, len(imageDefinition.Ports))
proxyPorts := make([]proxy.Port, len(imageDefinition.Ports))
......@@ -494,6 +495,7 @@ func (s *executor) buildContainer(
if s.Config.Kubernetes != nil {
privileged = s.Config.Kubernetes.Privileged
allowPrivilegeEscalation = s.Config.Kubernetes.AllowPrivilegeEscalation
}
command, args := s.getCommandAndArgs(imageDefinition, containerCommand...)
......@@ -512,7 +514,8 @@ func (s *executor) buildContainer(
Ports: containerPorts,
VolumeMounts: s.getVolumeMounts(),
SecurityContext: &api.SecurityContext{
Privileged: &privileged,
Privileged: &privileged,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
Capabilities: getCapabilities(
GetDefaultCapDrop(),
s.Config.Kubernetes.CapAdd,
......@@ -1818,6 +1818,67 @@ func TestSetupBuildPod(t *testing.T) {
assert.Equal(t, secrets, pod.Spec.ImagePullSecrets)
},
},
"uses default security context flags for containers": {
RunnerConfig: common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
Kubernetes: &common.KubernetesConfig{
Namespace: "default",
},
},
},
VerifyFn: func(t *testing.T, test setupBuildPodTestDef, pod *api.Pod) {
for _, c := range pod.Spec.Containers {
assert.Empty(
t,
c.SecurityContext.Privileged,
"Container security context Privileged should be empty",
)
assert.Empty(
t,
c.SecurityContext.AllowPrivilegeEscalation,
"Container security context AllowPrivilegeEscalation should be empty",
)
}
},
},
"configures security context flags for un-privileged containers": {
RunnerConfig: common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
Kubernetes: &common.KubernetesConfig{
Namespace: "default",
Privileged: false,
AllowPrivilegeEscalation: false,
},
},
},
VerifyFn: func(t *testing.T, test setupBuildPodTestDef, pod *api.Pod) {
for _, c := range pod.Spec.Containers {
require.NotNil(t, c.SecurityContext.Privileged)
assert.False(t, *c.SecurityContext.Privileged)
require.NotNil(t, c.SecurityContext.AllowPrivilegeEscalation)
assert.False(t, *c.SecurityContext.AllowPrivilegeEscalation)
}
},
},
"configures security context flags for privileged containers": {
RunnerConfig: common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
Kubernetes: &common.KubernetesConfig{
Namespace: "default",
Privileged: true,
AllowPrivilegeEscalation: true,
},
},
},
VerifyFn: func(t *testing.T, test setupBuildPodTestDef, pod *api.Pod) {
for _, c := range pod.Spec.Containers {
require.NotNil(t, c.SecurityContext.Privileged)
assert.True(t, *c.SecurityContext.Privileged)
require.NotNil(t, c.SecurityContext.AllowPrivilegeEscalation)
assert.True(t, *c.SecurityContext.AllowPrivilegeEscalation)
}
},
},
"configures helper container": {
RunnerConfig: common.RunnerConfig{
RunnerSettings: common.RunnerSettings{
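Review bot: The "uses default security context flags for containers" case does not pin the behaviour its messages claim, because testify's `assert.Empty` dereferences a non-nil pointer and reports a pointer to `false` as empty; the `assert.Empty(t, c.SecurityContext.Privileged, ...)` and `assert.Empty(t, c.SecurityContext.AllowPrivilegeEscalation, ...)` lines pass whether the executor leaves the field nil or sets it to an explicit false. Since the `buildContainer` hunk in this commit always sets both pointers, this case is currently indistinguishable from "configures security context flags for un-privileged containers". If the intent is that an unset option leaves the field nil, use `assert.Nil(t, c.SecurityContext.AllowPrivilegeEscalation)`; if an explicit false is intended, use the `require.NotNil`/`assert.False` pair the next case already uses and rename the case accordingly. `TestSetupBuildPod` starts and ends outside the hunk.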