From 41e6d1f58b7bea4717301c60f8be6b80cd6615e3 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Wed, 14 Aug 2024 14:10:55 +0200
Subject: [PATCH] fix(execute): avoid privilege escalation in Kubernetes jobs (#475)

Configure the security context of Kubernetes jobs to disallow privilege escalation.
---
 reana_job_controller/kubernetes_job_manager.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/reana_job_controller/kubernetes_job_manager.py b/reana_job_controller/kubernetes_job_manager.py
index 87f69c69..b20aa7a9 100644
--- a/reana_job_controller/kubernetes_job_manager.py
+++ b/reana_job_controller/kubernetes_job_manager.py
@@ -1,5 +1,5 @@
 # This file is part of REANA.
-# Copyright (C) 2019, 2020, 2021, 2022, 2023 CERN.
+# Copyright (C) 2019, 2020, 2021, 2022, 2023, 2024 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -167,6 +167,7 @@ def execute(self):
 "name": "job",
 "env": [],
 "volumeMounts": [],
+ "securityContext": {"allowPrivilegeEscalation": False},
 }
 ],
 "initContainers": [],
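Review bot: The `securityContext` added in the second hunk covers only the `job` container, and `allowPrivilegeEscalation` is a container-level field with no pod-level equivalent, so any container that `execute()` later appends to `initContainers` (empty at this point) or adds as a sidecar needs the same setting on its own spec. The rest of `execute()` lies outside the hunk, so whether such containers exist should be confirmed there. Kubernetes also treats the flag as true whenever a container runs privileged or holds `CAP_SYS_ADMIN`, which deserves a comment on the new line, e.g. `# applies to the job container only; has no effect if the container is privileged or has CAP_SYS_ADMIN`. The diffstat shows no test change, so an assertion on the generated job spec would keep the setting from being dropped silently in a later refactor.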