Skip to content

Commit

Permalink
fix(manager): avoid privilege escalation in Kubernetes jobs (reanahub…
Browse files Browse the repository at this point in the history
…#615)

Configure the security context of workflow orchestrator jobs to disallow
privilege escalation.
  • Loading branch information
wirespecter authored and mdonadoni committed Nov 22, 2024
1 parent cf4ee73 commit 24563e5
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
4 changes: 3 additions & 1 deletion reana_workflow_controller/k8s.py
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,9 @@ def add_environment_variable(self, name, value):

def add_run_with_root_permissions(self):
"""Run interactive session with root."""
security_context = client.V1SecurityContext(run_as_user=0)
security_context = client.V1SecurityContext(
run_as_user=0, allow_privilege_escalation=False
)
self._session_container.security_context = security_context

def add_user_secrets(self):
Expand Down
1 change: 1 addition & 0 deletions reana_workflow_controller/workflow_run_manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -557,6 +557,7 @@ def _create_job_spec(
workflow_engine_container.security_context = client.V1SecurityContext(
run_as_group=WORKFLOW_RUNTIME_USER_GID,
run_as_user=WORKFLOW_RUNTIME_USER_UID,
allow_privilege_escalation=False,
)
workflow_engine_container.volume_mounts = [workspace_mount]

Expand Down

0 comments on commit 24563e5

Please sign in to comment.