saveourtool · petertrr · Sep 19, 2022 · Sep 19, 2022 · Apr 3, 2023 · Apr 5, 2023
diff --git a/save-cloud-charts/save-cloud/templates/save-agent-network-policy.yaml b/save-cloud-charts/save-cloud/templates/save-agent-network-policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  namespace: save-agent-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      io.kompose.service: save-agent
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              io.kompose.service: orchestrator
+    - to:
+        # https://stackoverflow.com/q/73049535
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            # Forbid private IP ranges effectively allowing only egress to the Internet
+            except:
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "kube-system"
+        - podSelector:
+            matchLabels:
+              k8s-app: "kube-dns"
diff --git a/save-cloud-common/src/jvmMain/kotlin/com/saveourtool/save/entities/Agent.kt b/save-cloud-common/src/jvmMain/kotlin/com/saveourtool/save/entities/Agent.kt
@@ -8,7 +8,8 @@ import javax.persistence.ManyToOne
 /**
  * @property containerId id of the container, inside which the agent is running
  * @property execution id of the execution, which the agent is serving
- * @property version
+ * @property version version of the agent binary
+ * @property isAuthenticated whether this agent has already received a token from orchestrator
  */
 @Entity
 class Agent(
@@ -19,4 +20,6 @@ class Agent(
     var execution: Execution,
 
     var version: String? = null,
+
+    var isAuthenticated: Boolean,
 ) : BaseEntity()
diff --git a/save-deploy/base-images/Dockerfile b/save-deploy/base-images/Dockerfile
@@ -14,9 +14,13 @@ RUN if [ "$BASE_IMAGE_NAME" = "python" ]; then \
     fi
 
 RUN groupadd --gid 1100 save-agent && \
+    groupadd --gid 1200 save-executor && \
     useradd --uid 1100 --gid 1100 --create-home --shell /bin/sh save-agent && \
+    useradd --uid 1200 --gid 1100 --create-home --shell /bin/sh save-agent && \
+    usermod -aG save-executor save-agent && \
     # `WORKDIR` directive creates the directory as `root` user unless the directory already exists
     mkdir /home/save-agent/save-execution && \
-    chown -R 1100:1100 /home/save-agent/save-execution
+    chown -R 1100:1100 /home/save-agent/save-execution && \
+    echo 'save-agent ALL = (save-executor) ALL' >> /etc/sudoers
 USER save-agent
 WORKDIR /home/save-agent/save-execution
diff --git a/...strator/src/main/kotlin/com/saveourtool/save/orchestrator/kubernetes/KubernetesManager.kt b/...strator/src/main/kotlin/com/saveourtool/save/orchestrator/kubernetes/KubernetesManager.kt
@@ -74,6 +74,8 @@ class KubernetesManager(
                         }
                         // If agent fails, we should handle it manually (update statuses, attempt restart etc.)
                         restartPolicy = "Never"
+                        // save-agent pods shouldn't have access to valid cluster tokens
+                        automountServiceAccountToken = false
                         containers = listOf(
                             agentContainerSpec(baseImageTag, agentRunCmd, workingDir, configuration.env)
                         )