From 22a8e93c8b52889e9119e6d15d1a9bcc6ae8134a Mon Sep 17 00:00:00 2001
From: Vlad Losev
Date: Wed, 7 Apr 2021 11:12:33 -0700
Subject: [PATCH] feat(executor): Support accessing output parameters by PNS executor running as non-root (#5564)
---
 Dockerfile | 6 ++---
 test/e2e/run_as_not_root_test.go | 9 +++++++
 .../runasnonroot-output-params-pipeline.yaml | 25 +++++++++++++++++++
 3 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 test/e2e/smoke/runasnonroot-output-params-pipeline.yaml
diff --git a/Dockerfile b/Dockerfile
index 8bc5f5578df4..58de4da3db21 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -45,7 +45,7 @@ ARG KUBECTL_VERSION
 ARG JQ_VERSION
 RUN apt-get update && \
- apt-get --no-install-recommends install -y curl procps git apt-utils apt-transport-https ca-certificates tar mime-support && \
+ apt-get --no-install-recommends install -y curl procps git apt-utils apt-transport-https ca-certificates tar mime-support libcap2-bin && \
 apt-get clean \
 && rm -rf \
 /var/lib/apt/lists/* \
@@ -128,7 +128,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build make dist/argo
 FROM argoexec-base as argoexec
 COPY --from=argoexec-build /go/src/github.com/argoproj/argo-workflows/dist/argoexec /usr/local/bin/
-
+RUN setcap CAP_SYS_PTRACE,CAP_SYS_CHROOT+ei /usr/local/bin/argoexec
 ENTRYPOINT [ "argoexec" ]
 ####################################################################################################
@@ -136,7 +136,7 @@ ENTRYPOINT [ "argoexec" ]
 FROM argoexec-base as argoexec-dev
 ADD argoexec /usr/local/bin/
-
+RUN setcap CAP_SYS_PTRACE,CAP_SYS_CHROOT+ei /usr/local/bin/argoexec
 ENTRYPOINT [ "argoexec" ]
 ####################################################################################################
diff --git a/test/e2e/run_as_not_root_test.go b/test/e2e/run_as_not_root_test.go
index 92dfc31bcb4b..3c84531776b9 100644
--- a/test/e2e/run_as_not_root_test.go
+++ b/test/e2e/run_as_not_root_test.go
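Review bot: The two `RUN setcap CAP_SYS_PTRACE,CAP_SYS_CHROOT+ei /usr/local/bin/argoexec` lines in the Dockerfile (the argoexec stage at -128 and the argoexec-dev stage at -136) carry no comment on why the flags are `+ei` or what they depend on at run time. With only the inheritable and effective file bits set, a non-root argoexec gains these capabilities only when the container runtime has left them in the process's inheritable set and the container is not running with no_new_privs (for example under `allowPrivilegeEscalation: false`); otherwise the binary starts without them and output-parameter collection would presumably fail as it did before this change. Where they are granted, the effective bit raises both capabilities for every argoexec invocation from this image, not only the PNS wait step, which is worth stating for anyone reviewing the image's privileges. I would add above each line: `# +ei (no +p): caps are gained only if the pod already holds them as inheritable; ignored under no_new_privs`.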
@@ -23,6 +23,15 @@ func (s *RunAsNonRootSuite) TestRunAsNonRootWorkflow() {
 WaitForWorkflow(fixtures.ToBeSucceeded)
 }
+func (s *RunAsNonRootSuite) TestRunAsNonRootWithOutputParams() {
+ s.Need(fixtures.None(fixtures.Docker, fixtures.K8SAPI, fixtures.Kubelet))
+ s.Given().
+ Workflow("@smoke/runasnonroot-output-params-pipeline.yaml").
+ When().
+ SubmitWorkflow().
+ WaitForWorkflow(fixtures.ToBeSucceeded)
+}
+
 func TestRunAsNonRootSuite(t *testing.T) {
 suite.Run(t, new(RunAsNonRootSuite))
 }
diff --git a/test/e2e/smoke/runasnonroot-output-params-pipeline.yaml b/test/e2e/smoke/runasnonroot-output-params-pipeline.yaml
new file mode 100644
index 000000000000..d748cbd2fb73
--- /dev/null
+++ b/test/e2e/smoke/runasnonroot-output-params-pipeline.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+ generateName: runasnonroot-output-params-
+spec:
+ entrypoint: main
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 8737
+ templates:
+ - name: main
+ container:
+ image: argoproj/argosay:v2
+ args:
+ - echo
+ - test test
+ - /tmp/output-param.txt
+ # Accessing output parameters requires special permissions for the
+ # executor. Presense of an output parameter here will test that these
+ # permissions are granted.
+ outputs:
+ parameters:
+ - name: test
+ valueFrom:
+ path: /tmp/output-param.txt
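Review bot: TestRunAsNonRootWithOutputParams ends at `WaitForWorkflow(fixtures.ToBeSucceeded)` and never checks that the output parameter `test` was collected with the value the container wrote, so the claim that a non-root executor can read `/tmp/output-param.txt` is only implied by the workflow not failing. A check of the workflow's recorded outputs after the wait would pin the behaviour the commit is about. The new method also has no doc comment, and `s.Need(fixtures.None(fixtures.Docker, fixtures.K8SAPI, fixtures.Kubelet))` gives no reason for skipping those executors. I would add `// TestRunAsNonRootWithOutputParams checks that a non-root executor can collect an output parameter from the main container.` and a one-line rationale above the `Need` call.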
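Review bot: The comment above `outputs:` in the new fixture says "special permissions" without naming them and misspells "Presence". Since the fixture exists to guard the capabilities this commit sets on argoexec, naming them would make a later failure easier to trace back to the image build. Suggested wording: `# Collecting output parameters as non-root needs CAP_SYS_PTRACE and CAP_SYS_CHROOT on argoexec.` followed by `# The presence of an output parameter here tests that they are granted.` The fixture sets only pod-level `runAsNonRoot` and `runAsUser`, so it does not cover a container with privilege escalation disabled, where file capabilities are not applied; a second fixture may be worthwhile if such pods are meant to be supported.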