Make RunAsNonRoot configurable through default configmap

tektoncd · Jul 8, 2024 · 7797f41 · 7797f41
1 parent ba3b162
commit 7797f41
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 2 deletions.
diff --git a/config/config-defaults-triggers.yaml b/config/config-defaults-triggers.yaml
@@ -42,3 +42,4 @@ data:
     default-service-account: "default"
     default-run-as-user: "65532"
     default-run-as-group: "65532"
+    default-run-as-non-root: "true" # allowed values are true and false
diff --git a/pkg/apis/config/default.go b/pkg/apis/config/default.go
@@ -17,7 +17,9 @@ limitations under the License.
 package config
 
 import (
+	"fmt"
 	"os"
+	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
 )
@@ -26,9 +28,11 @@ const (
 	defaultServiceAccountKey   = "default-service-account"
 	defaultRunAsUserKey        = "default-run-as-user"
 	defaultRunAsGroupKey       = "default-run-as-group"
+	defaultRunAsNonRootKey     = "default-run-as-non-root"
 	DefaultServiceAccountValue = "default"
 	defaultRunAsUserValue      = "65532"
 	defaultRunAsGroupValue     = "65532"
+	defaultRunAsNonRootValue   = true
 )
 
 // Defaults holds the default configurations
@@ -37,6 +41,7 @@ type Defaults struct {
 	DefaultServiceAccount string
 	DefaultRunAsUser      string
 	DefaultRunAsGroup     string
+	DefaultRunAsNonRoot   bool
 }
 
 // GetDefaultsConfigName returns the name of the configmap containing all
@@ -60,7 +65,8 @@ func (cfg *Defaults) Equals(other *Defaults) bool {
 
 	return other.DefaultServiceAccount == cfg.DefaultServiceAccount &&
 		other.DefaultRunAsUser == cfg.DefaultRunAsUser &&
-		other.DefaultRunAsGroup == cfg.DefaultRunAsGroup
+		other.DefaultRunAsGroup == cfg.DefaultRunAsGroup &&
+		other.DefaultRunAsNonRoot == cfg.DefaultRunAsNonRoot
 }
 
 // NewDefaultsFromMap returns a Config given a map corresponding to a ConfigMap
@@ -69,6 +75,7 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) {
 		DefaultServiceAccount: DefaultServiceAccountValue,
 		DefaultRunAsUser:      defaultRunAsUserValue,
 		DefaultRunAsGroup:     defaultRunAsGroupValue,
+		DefaultRunAsNonRoot:   defaultRunAsNonRootValue,
 	}
 
 	if defaultServiceAccount, ok := cfgMap[defaultServiceAccountKey]; ok {
@@ -83,6 +90,20 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) {
 		tc.DefaultRunAsGroup = defaultRunAsGroup
 	}
 
+	if defaultRunAsNonRoot, ok := cfgMap[defaultRunAsNonRootKey]; ok {
+		if defaultRunAsNonRoot != "" {
+			runAsNonRoot, err := strconv.ParseBool(defaultRunAsNonRoot)
+			if err != nil {
+				return nil, fmt.Errorf("failed parsing runAsGroup config %v", defaultRunAsNonRoot)
+			}
+			tc.DefaultRunAsNonRoot = runAsNonRoot
+		} else {
+			// if "" value is provided via configmap set back to default value which is true
+			tc.DefaultRunAsNonRoot = defaultRunAsNonRootValue
+		}
+
+	}
+
 	return &tc, nil
 }
 

diff --git a/pkg/apis/config/default_test.go b/pkg/apis/config/default_test.go
@@ -38,6 +38,7 @@ func TestNewDefaultsFromConfigMap(t *testing.T) {
 				DefaultServiceAccount: "default",
 				DefaultRunAsUser:      "65532",
 				DefaultRunAsGroup:     "65532",
+				DefaultRunAsNonRoot:   true,
 			},
 			fileName: config.GetDefaultsConfigName(),
 		},
@@ -58,6 +59,7 @@ func TestNewDefaultsFromEmptyConfigMap(t *testing.T) {
 		DefaultServiceAccount: "default",
 		DefaultRunAsUser:      "65532",
 		DefaultRunAsGroup:     "65532",
+		DefaultRunAsNonRoot:   true,
 	}
 	verifyConfigFileWithExpectedConfig(t, DefaultsConfigEmptyName, expectedConfig)
 }
@@ -68,6 +70,7 @@ func TestNewDefaultsFromConfigMapWithEmptyVal(t *testing.T) {
 		DefaultServiceAccount: "default",
 		DefaultRunAsUser:      "",
 		DefaultRunAsGroup:     "",
+		DefaultRunAsNonRoot:   true, // when empty value set from configmap we set back to default value for runAsNonRoot
 	}
 	verifyConfigFileWithExpectedConfig(t, DefaultsConfigEmptyVal, expectedConfig)
 }

diff --git a/pkg/apis/config/testdata/config-defaults-empty.yaml b/pkg/apis/config/testdata/config-defaults-empty.yaml
@@ -39,3 +39,4 @@ data:
     default-service-accounts: "default"
     default-run-as-user: "65532"
     default-run-as-group: "65532"
+    default-run-as-non-root: "false"
diff --git a/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml b/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml
@@ -21,3 +21,4 @@ data:
   default-service-account: "default"
   default-run-as-user: ""
   default-run-as-group: ""
+  default-run-as-non-root: ""
diff --git a/pkg/apis/config/testdata/config-defaults-triggers.yaml b/pkg/apis/config/testdata/config-defaults-triggers.yaml
@@ -21,3 +21,4 @@ data:
   default-service-account: "default"
   default-run-as-user: "65532"
   default-run-as-group: "65532"
+  default-run-as-non-root: "true"
diff --git a/pkg/reconciler/eventlistener/resources/container.go b/pkg/reconciler/eventlistener/resources/container.go
@@ -58,7 +58,7 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA
 			Capabilities: &corev1.Capabilities{
 				Drop: []corev1.Capability{"ALL"},
 			},
-			RunAsNonRoot: ptr.Bool(true),
+			RunAsNonRoot: ptr.Bool(cfg.Defaults.DefaultRunAsNonRoot),
 			SeccompProfile: &corev1.SeccompProfile{
 				Type: corev1.SeccompProfileTypeRuntimeDefault,
 			},