feat(executor): Support accessing output parameters by PNS executor r…

…unning as non-root (#5564)
argoproj · Apr 7, 2021 · 22a8e93 · 22a8e93
1 parent 2baae1d
commit 22a8e93
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -45,7 +45,7 @@ ARG KUBECTL_VERSION
 ARG JQ_VERSION
 
 RUN apt-get update && \
-    apt-get --no-install-recommends install -y curl procps git apt-utils apt-transport-https ca-certificates tar mime-support && \
+    apt-get --no-install-recommends install -y curl procps git apt-utils apt-transport-https ca-certificates tar mime-support libcap2-bin && \
     apt-get clean \
     && rm -rf \
         /var/lib/apt/lists/* \
@@ -128,15 +128,15 @@ RUN --mount=type=cache,target=/root/.cache/go-build make dist/argo
 FROM argoexec-base as argoexec
 
 COPY --from=argoexec-build /go/src/github.com/argoproj/argo-workflows/dist/argoexec /usr/local/bin/
-
+RUN setcap CAP_SYS_PTRACE,CAP_SYS_CHROOT+ei /usr/local/bin/argoexec
 ENTRYPOINT [ "argoexec" ]
 
 ####################################################################################################
 
 FROM argoexec-base as argoexec-dev
 
 ADD argoexec /usr/local/bin/
-
+RUN setcap CAP_SYS_PTRACE,CAP_SYS_CHROOT+ei /usr/local/bin/argoexec
 ENTRYPOINT [ "argoexec" ]
 
 ####################################################################################################

diff --git a/test/e2e/run_as_not_root_test.go b/test/e2e/run_as_not_root_test.go
@@ -23,6 +23,15 @@ func (s *RunAsNonRootSuite) TestRunAsNonRootWorkflow() {
 		WaitForWorkflow(fixtures.ToBeSucceeded)
 }
 
+func (s *RunAsNonRootSuite) TestRunAsNonRootWithOutputParams() {
+	s.Need(fixtures.None(fixtures.Docker, fixtures.K8SAPI, fixtures.Kubelet))
+	s.Given().
+		Workflow("@smoke/runasnonroot-output-params-pipeline.yaml").
+		When().
+		SubmitWorkflow().
+		WaitForWorkflow(fixtures.ToBeSucceeded)
+}
+
 func TestRunAsNonRootSuite(t *testing.T) {
 	suite.Run(t, new(RunAsNonRootSuite))
 }
diff --git a/test/e2e/smoke/runasnonroot-output-params-pipeline.yaml b/test/e2e/smoke/runasnonroot-output-params-pipeline.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+  generateName: runasnonroot-output-params-
+spec:
+  entrypoint: main
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 8737
+  templates:
+    - name: main
+      container:
+        image: argoproj/argosay:v2
+        args:
+        - echo
+        - test test
+        - /tmp/output-param.txt
+      # Accessing output parameters requires special permissions for the
+      # executor. Presense of an output parameter here will test that these
+      # permissions are granted.
+      outputs:
+        parameters:
+         - name: test
+           valueFrom:
+             path: /tmp/output-param.txt