From 89a623317e57a10ff83ad6a2b823e4f617ac644e Mon Sep 17 00:00:00 2001
From: 06kellyjac
Date: Mon, 16 Aug 2021 16:31:03 +0100
Subject: [PATCH] Set the scripts dir to readonly after init

The scripts dir only needs to be writable during `place-scripts`

Previously you could replace the script of other steps before they're ran and this mitigates that issue
---
 pkg/pod/pod_test.go | 6 +++---
 pkg/pod/script.go | 8 +++++++-
 pkg/pod/script_test.go | 6 +++---
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/pkg/pod/pod_test.go b/pkg/pod/pod_test.go
index 9c7cb118802..95165f3ff22 100644
--- a/pkg/pod/pod_test.go
+++ b/pkg/pod/pod_test.go
@@ -652,7 +652,7 @@ func TestPodBuild(t *testing.T) {
 Name: "place-scripts",
 Image: "busybox",
 Command: []string{"sh"},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 Args: []string{"-c", `scriptfile="/tekton/scripts/sidecar-script-0-9l9zj"
 touch ${scriptfile} && chmod +x ${scriptfile}
 cat > ${scriptfile} << '_EOF_'
@@ -910,7 +910,7 @@ IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCnByaW50KCJIZWxsbyBmcm9tIFB5dGhvbiIp
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 },
 },
 Containers: []corev1.Container{{
@@ -1035,7 +1035,7 @@ IyEvYmluL3NoCiQk
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 }},
 Containers: []corev1.Container{{
 Name: "step-one",
diff --git a/pkg/pod/script.go b/pkg/pod/script.go
index ec1f3881e58..38eaa32b3a5 100644
--- a/pkg/pod/script.go
+++ b/pkg/pod/script.go
@@ -48,6 +48,12 @@ var (
 scriptsVolumeMount = corev1.VolumeMount{
 Name: scriptsVolumeName,
 MountPath: scriptsDir,
+ ReadOnly: true,
+ }
+ writeScriptsVolumeMount = corev1.VolumeMount{
+ Name: scriptsVolumeName,
+ MountPath: scriptsDir,
+ ReadOnly: false,
 }
 debugScriptsVolume = corev1.Volume{
 Name: debugScriptsVolumeName,
@@ -78,7 +84,7 @@ func convertScripts(shellImage string, steps []v1beta1.Step, sidecars []v1beta1.
 Image: shellImage,
 Command: []string{"sh"},
 Args: []string{"-c", ""},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 }
 
 breakpoints := []string{}
diff --git a/pkg/pod/script_test.go b/pkg/pod/script_test.go
index 0fc7ebf6d7a..a0099bc20f8 100644
--- a/pkg/pod/script_test.go
+++ b/pkg/pod/script_test.go
@@ -177,7 +177,7 @@ IyEvYmluL3NoCnNldCAteGUKbm8tc2hlYmFuZw==
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 }
 want := []corev1.Container{{
 Image: "step-1",
@@ -316,7 +316,7 @@ else
 fi
 debug-fail-continue-heredoc-randomly-generated-6nl7g
 `},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount, debugScriptsVolumeMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount, debugScriptsVolumeMount},
 }
 want := []corev1.Container{{
 Image: "step-1",
@@ -408,7 +408,7 @@ IyEvYmluL3NoCnNpZGVjYXItMQ==
 _EOF_
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `},
- VolumeMounts: []corev1.VolumeMount{scriptsVolumeMount, toolsMount},
+ VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 }
 want := []corev1.Container{{
 Image: "step-1",
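Review bot: The `ReadOnly: true` added to `scriptsVolumeMount` and the new `writeScriptsVolumeMount` carry no comment explaining why the same `scriptsVolumeName` volume is now declared twice, even though that read/write split is the entire mitigation the commit message describes. Above `scriptsVolumeMount` I would add `// scriptsVolumeMount is the read-only view of the scripts volume; only the place-scripts init container mounts the same volume writable (writeScriptsVolumeMount), so a container that runs after it cannot rewrite another step's script as long as no other container is given the writable mount.` A read-only VolumeMount is enforced per container inside that container's mount namespace and does not make the backing volume immutable: any container handed `writeScriptsVolumeMount`, or one running privileged / with CAP_SYS_ADMIN that can remount the path read-write, can still alter the scripts, so the protection depends on the writable mount staying confined to place-scripts and that assumption belongs in the comment. `ReadOnly: false` on `writeScriptsVolumeMount` is the field's zero value; keeping it explicit for contrast is reasonable but deserves a short `// writable: place-scripts init container only` so it is not later "cleaned up" or copied onto another container. The enclosing `var (` block continues past the hunk, so whether the debug-scripts mount (`debugScriptsVolumeMount`, visible in the script_test.go hunk below as a place-scripts mount) receives the same read-only treatment for step containers cannot be confirmed from here.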