
Tighten up agent pod spec #7914

Closed
alexec opened this issue Feb 18, 2022 · 1 comment · Fixed by #7915
Labels
area/agent Argo Agent that runs for HTTP and Plugin templates area/executor type/feature Feature request type/security Security related

Comments

@alexec
Contributor

alexec commented Feb 18, 2022

The agent pod spec allows the agent to do things we should fix:

```yaml
securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```

Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

@alexec alexec added type/feature Feature request type/security Security related area/executor labels Feb 18, 2022
alexec added a commit to alexec/argo-workflows that referenced this issue Feb 18, 2022
@alexec
Contributor Author

alexec commented Feb 18, 2022

I think we need to go bigger on this.

The permissions we give to argoexec are too permissive for the job it does. Many of these permissions are because the PNS executor needs them. But we will be getting rid of that executor in #7829.

At that point we will only have the emissary, and the emissary does not need to run as root.

alexec added a commit that referenced this issue Feb 22, 2022
@agilgur5 agilgur5 added the area/agent Argo Agent that runs for HTTP and Plugin templates label Apr 26, 2024
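A small audit of the four settings proposed in the first comment, applied to a constructed pod spec (this is an added example, not code from the issue or from Argo Workflows; the sample spec, image name and function names are illustrative). It also covers the pod-level versus container-level nuance that matters when checking an executor or agent pod: `runAsNonRoot` may be inherited from the pod `securityContext`, while the other three fields only exist on the container.

```python
"""Audit a pod's containers against the securityContext hardening the issue lists."""

# Constructed sample (not Argo's real manifest): runAsNonRoot is inherited from
# the pod level, but the container still lacks the other three settings.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {
            "name": "agent",
            "image": "placeholder/argoexec:example",
            "securityContext": {
                "allowPrivilegeEscalation": True,
                "capabilities": {"drop": ["NET_RAW"]},
            },
        }
    ],
}


def audit_container(pod_spec: dict, container: dict) -> list[str]:
    """Return the findings for one container (an empty list means compliant).

    runAsNonRoot may come from the pod-level securityContext and is overridden
    by a container-level value; readOnlyRootFilesystem, allowPrivilegeEscalation
    and capabilities are container-level only, so they must be set right there.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    findings = []

    if ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot is not true")
    if ctr_sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    if ctr_sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    drops = {c.upper() for c in (ctr_sc.get("capabilities") or {}).get("drop") or []}
    if "ALL" not in drops:
        findings.append("capabilities.drop does not include ALL")
    return findings


def audit_pod(pod_spec: dict) -> dict[str, list[str]]:
    """Map every container name in the spec to its findings."""
    return {c["name"]: audit_container(pod_spec, c) for c in pod_spec.get("containers", [])}


if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD_SPEC).items():
        print(name, "OK" if not findings else "; ".join(findings))
```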