Commit d9a24e69 authored by Horatiu Eugen Vlad's avatar Horatiu Eugen Vlad

Make flag `allowPrivilegeEscalation` optional.

Run all containers with the `allowPrivilegeEscalation` flag enabled. When unset, the runner leaves the `allowPrivilegeEscalation` field out of the container `SecurityContext` and lets Kubernetes apply its default [privilege escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation) behavior.
parent c7117f28
......@@ -211,7 +211,7 @@ type KubernetesConfig struct {
Namespace string `toml:"namespace" json:"namespace" long:"namespace" env:"KUBERNETES_NAMESPACE" description:"Namespace to run Kubernetes jobs in"`
NamespaceOverwriteAllowed string `toml:"namespace_overwrite_allowed" json:"namespace_overwrite_allowed" long:"namespace_overwrite_allowed" env:"KUBERNETES_NAMESPACE_OVERWRITE_ALLOWED" description:"Regex to validate 'KUBERNETES_NAMESPACE_OVERWRITE' value"`
Privileged bool `toml:"privileged,omitzero" json:"privileged" long:"privileged" env:"KUBERNETES_PRIVILEGED" description:"Run all containers with the privileged flag enabled"`
AllowPrivilegeEscalation bool `toml:"allow_privilege_escalation,omitzero" json:"allow_privilege_escalation" long:"allow-privilege-escalation" env:"KUBERNETES_ALLOW_PRIVILEGE_ESCALATION" description:"Run all containers with the security context allowPrivilegeEscalation flag enabled"`
AllowPrivilegeEscalation *bool `toml:"allow_privilege_escalation,omitzero" json:"allow_privilege_escalation" long:"allow-privilege-escalation" env:"KUBERNETES_ALLOW_PRIVILEGE_ESCALATION" description:"Run all containers with the security context allowPrivilegeEscalation flag enabled. When empty, it does not define the allowPrivilegeEscalation flag in the container SecurityContext and allows Kubernetes to use the default privilege escalation behavior."`
CPULimit string `toml:"cpu_limit,omitempty" json:"cpu_limit" long:"cpu-limit" env:"KUBERNETES_CPU_LIMIT" description:"The CPU allocation given to build containers"`
CPULimitOverwriteMaxAllowed string `toml:"cpu_limit_overwrite_max_allowed,omitempty" json:"cpu_limit_overwrite_max_allowed" long:"cpu-limit-overwrite-max-allowed" env:"KUBERNETES_CPU_LIMIT_OVERWRITE_MAX_ALLOWED" description:"If set, the max amount the cpu limit can be set to. Used with the KUBERNETES_CPU_LIMIT variable in the build."`
CPURequest string `toml:"cpu_request,omitempty" json:"cpu_request" long:"cpu-request" env:"KUBERNETES_CPU_REQUEST" description:"The CPU allocation requested for build containers"`
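Review bot: The new `description` on `AllowPrivilegeEscalation` tells the operator that an empty value "allows Kubernetes to use the default privilege escalation behavior" without saying what that default is, and the consequence is the reverse of what the old `bool` field gave them: an unset option used to render as `allowPrivilegeEscalation: false`, whereas a nil `*bool` now omits the field, and in upstream Kubernetes an absent field means the container process is not given `no_new_privs`, i.e. escalation is permitted unless a PodSecurityPolicy or admission controller fills it in. I would state that in the tag text so nobody upgrades into a weaker posture unknowingly, e.g. append `Leaving it unset omits the field; on a cluster without an admission policy that defaults it, this permits privilege escalation, so hardened runners should set it to false explicitly.` The `KubernetesConfig` struct starts before this hunk and continues after it.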
......@@ -799,7 +799,7 @@ See [Kubernetes executor](../executors/kubernetes.md) for additional parameters.
| `image` | string | Default Docker image to use for builds when none is specified |
| `namespace` | string | Namespace to run Kubernetes jobs in |
| `privileged` | boolean | Run all containers with the privileged flag enabled |
| `allow_privilege_escalation` | boolean | Run all containers with the `allowPrivilegeEscalation` flag enabled |
| `allow_privilege_escalation` | boolean | Optional runs all containers with the `allowPrivilegeEscalation` flag enabled |
| `node_selector` | table | A `table` of `key=value` pairs of `string=string`. Setting this limits the creation of pods to Kubernetes nodes matching all the `key=value` pairs |
| `image_pull_secrets` | array | A list of secrets that are used to authenticate Docker image pulling |
......@@ -68,7 +68,7 @@ The following keywords help to define the behavior of the Runner within Kubernet
the namespace overwrite environment variable (documented below). When empty,
it disables the namespace overwrite feature
- `privileged`: Run containers with the privileged flag
- `allow_privilege_escalation`: Run all containers with the `allowPrivilegeEscalation` flag enabled.
- `allow_privilege_escalation`: Run all containers with the `allowPrivilegeEscalation` flag enabled. When empty, it does not define the `allowPrivilegeEscalation` flag in the container `SecurityContext` and allows Kubernetes to use the default [privilege escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation) behavior.
- `cpu_limit`: The CPU allocation given to build containers
- `cpu_limit_overwrite_max_allowed`: The max amount the CPU allocation can be written to for build containers. When empty, it disables the cpu limit overwrite feature
- `memory_limit`: The amount of memory allocated to build containers
......@@ -471,7 +471,7 @@ func (s *executor) buildContainer(
containerCommand ...string,
) api.Container {
privileged := false
allowPrivilegeEscalation := false
var allowPrivilegeEscalation *bool
containerPorts := make([]api.ContainerPort, len(imageDefinition.Ports))
proxyPorts := make([]proxy.Port, len(imageDefinition.Ports))
......@@ -515,7 +515,7 @@ func (s *executor) buildContainer(
VolumeMounts: s.getVolumeMounts(),
SecurityContext: &api.SecurityContext{
Privileged: &privileged,
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
AllowPrivilegeEscalation: allowPrivilegeEscalation,
Capabilities: getCapabilities(
GetDefaultCapDrop(),
s.Config.Kubernetes.CapAdd,
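Review bot: Passing the bare pointer at `AllowPrivilegeEscalation: allowPrivilegeEscalation,` means a job whose runner config leaves the option unset now produces a `SecurityContext` with no `allowPrivilegeEscalation` field at all, where the previous `&allowPrivilegeEscalation` always emitted `false`; that silently drops a hardening default existing runners have been getting for free, and the runner cannot know whether the cluster's admission layer will supply one. If deferring to cluster policy is the intent, the change needs a prominent upgrade note, and a debug-level log when the field is omitted would make the resulting pod spec less surprising to operators. The lines between the two hunks where `allowPrivilegeEscalation` is populated are not visible; if they assign `s.Config.Kubernetes.AllowPrivilegeEscalation` directly, the pod spec aliases the config's pointer, and copying the value (`v := *cfg.AllowPrivilegeEscalation; allowPrivilegeEscalation = &v`) would keep the container spec independent of later config mutation. `buildContainer` begins before the first hunk and continues after the second.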
......@@ -1833,7 +1833,7 @@ func TestSetupBuildPod(t *testing.T) {
c.SecurityContext.Privileged,
"Container security context Privileged should be empty",
)
assert.Empty(
assert.Nil(
t,
c.SecurityContext.AllowPrivilegeEscalation,
"Container security context AllowPrivilegeEscalation should be empty",
......@@ -1847,7 +1847,7 @@ func TestSetupBuildPod(t *testing.T) {
Kubernetes: &common.KubernetesConfig{
Namespace: "default",
Privileged: false,
AllowPrivilegeEscalation: false,
AllowPrivilegeEscalation: func(b bool) *bool { return &b }(false),
},
},
},
......@@ -1866,7 +1866,7 @@ func TestSetupBuildPod(t *testing.T) {
Kubernetes: &common.KubernetesConfig{
Namespace: "default",
Privileged: true,
AllowPrivilegeEscalation: true,
AllowPrivilegeEscalation: func(b bool) *bool { return &b }(true),
},
},
},
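Review bot: The two new cases build the pointer with an inline `func(b bool) *bool { return &b }(false)` literal at both `AllowPrivilegeEscalation:` lines; a named helper reads better and is what later test cases will reuse, e.g. `func boolPtr(b bool) *bool { return &b }` (unless the repository already exposes one in a helpers package). Separately, the assertion at the top of the first hunk now uses `assert.Nil` but its message still reads "should be empty"; `"Container security context AllowPrivilegeEscalation should be nil (field omitted)"` states what is actually pinned, which matters here because nil and an explicit `false` now yield different pod specs. The expectations for the explicit-false and explicit-true cases fall outside the visible hunks, so I cannot confirm they compare the dereferenced value rather than just non-nilness. `TestSetupBuildPod` starts before and ends after these hunks.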