Kubernetes AppArmor and seccomp #3123
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@qwerty287 , could you build preview image? |
qwerty287
added
enhancement
|
@zc-devs they will be built when you push the next commit |
zc-devs
force-pushed
the
2545-apparmor-seccomp
branch
from
86975ff
to
101fd46
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #3123 +/- ##
==========================================
+ Coverage 34.97% 35.11% +0.14%
==========================================
Files 228 228
Lines 14789 14852 +63
==========================================
+ Hits 5172 5216 +44
- Misses 9237 9252 +15
- Partials 380 384 +4 ☔ View full report in Codecov by Sentry. |
|
Wow, this is great! I was just thinking about the AppArmor issue this morning. I will test the PR images tonight and report back what I find. |
|
I want to have #3135 in first 😅 ... I think resolving conflict here is easyer |
UpdateOk, I did some more digging. The 503 errors I was seeing had to do with my ingress-nginx rate limiting config. For some reason, Woodpecker is using a lot of concurrent connections. The request rate is fine, but it was the connection limit that triggered the errors. That issue is resolved now. Although, it might be wroth looking into why the design uses so many connections? I'm still getting the "Unknown error" when I try to run a pipeline though. That error does seem to coincide with the nil pointer dereference error that I'm seeing in the server logs. I'm wondering if I just have a misconfiguration in my pipeline YAML. I'll play around with that a bit and see where I get. Update 2Ok, yes, it looks like the AppArmor config I added is the culprit. If I comment that out, the pipeline runs again. So, I guess that leaves me with two questions:
Original CommentOk, I gave this my best shot today. I can't seem to get my pipeline to run using the images for the pull request. I'm referencing the following:
After I deployed those images to the cluster, I can still log in to Woodpecker, but I can no longer run pipelines. Nothing runs when I push a commit, and when I try to run one manually, I get "An unknown error occurred". I then refresh, click on the failed run and click the "Restart" button. That errors immediately. But, now I have an Errors tab which shows:
If I check the JS console I see a lot of 503 errors for JS and CSS as referenced below. On the server side, I see one restart for the agent Pod and none for the server. There's nothing interesting the agent logs. The server logs show a couple of errors I haven't seen before (not many though). An example is shown below. I which I knew what was going on. If I just use the default image for the current helm chart (2.1.1) I still run into some 503 errors in the console, but I'm at least able to run pipelines. Of course, they fail because this PR isn't in place. One other issue I'm seeing that's blocking me is the Questions on the above config:
Server Error LogJS Console ErrorsBy the way, if I visit any of these asset URLs directly, they are served without issue. The problem only seems to arise when they are requested as sub-resources. |
|
@6543, OK, just ping me then. |
apparmorProfile:
type: Localhost
localhostProfile: buildahYour config is correct.
I'm afraid, I can't answer this :(
It sets here. Seems, you cannot override it. Perhaps, this PR addresses it.
Thank you for testing. I'll fix this in next couple of days. |
|
Thanks for the quick and helpful reply. That all makes sense, and I'll be ready to re-test when the revisions are built. I really appreciate the work on this, by the way. It will definitely help me get unstuck on my project. |
|
@zc-devs should i resolve the conflict od do you? |
|
I'll do it. |
# Conflicts: # pipeline/backend/kubernetes/pod.go # pipeline/backend/kubernetes/pod_test.go
|
Pipeline skip_clone: true
steps:
server:
image: alpine
commands:
- echo Hello
backend_options:
kubernetes:
securityContext:
apparmorProfile:
type: Localhost
localhostProfile: buildahPod apiVersion: v1
kind: Pod
metadata:
labels:
step: server
annotations:
container.apparmor.security.beta.kubernetes.io/wp-01hkyt5x61rkxcnrrk6spwp372: localhost/buildah
spec:
containers:
- name: wp-01hkyt5x61rkxcnrrk6spwp372
image: alpine
|
|
I was able to test the latest build of this PR, and everything seems to be working as expected! Thanks. I haven't tested the seccomp part of this, but the AppArmor annotation is getting added correctly for me. Of course, I'm now running into a new new issue with /dev/fuse, but I may be able to work around that in a different way. If not, I'll open an issue about adding the needed annotation for that (sigh). |
6543
approved these changes
Jan 12, 2024
6543
pushed a commit
that referenced
this pull request
Jan 21, 2024
This PR was opened by the [ready-release-go](https://github.com/woodpecker-ci/plugin-ready-release-go) plugin. When you're ready to do a release, you can merge this pull-request and a new release with version `2.2.0` will be created automatically. If you're not ready to do a release yet, that's fine, whenever you add more changes to `main` this pull-request will be updated. ## Options - [ ] Mark this version as a release candidate ## [2.2.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/2.2.0) - 2024-01-21 ### 🔒 Security - Update web dependencies [[#3234](#3234)] ### ✨ Features - Support custom steps entrypoint [[#2985](#2985)] ### 📚 Documentation - Add 2.2 docs [[#3237](#3237)] - Fix/improve issue templates [[#3232](#3232)] - Delete `FUNDING.yaml` [[#3193](#3193)] - Remove contributing/security to use globally defined [[#3192](#3192)] - Add "Kaniko" Plugin [[#3183](#3183)] - Document core development ideas [[#3184](#3184)] - Add continous deployment cookbook [[#3098](#3098)] - Make k8s backend configuration docs in the same format as others [[#3081](#3081)] - Hide backend config options from TOC [[#3126](#3126)] - Add X/Twitter account [[#3127](#3127)] - Add ansible plugin [[#3115](#3115)] - Format depends_on example [[#3118](#3118)] - Use WOODPECKER_AGENT_SECRET instead of deprecated alternative [[#3103](#3103)] - Add Reviewdog ESLint plugin [[#3102](#3102)] - Mark local backend as stable [[#3088](#3088)] - Update Owners 2024 [[#3075](#3075)] - Add reviewdog golangci plugin [[#3080](#3080)] - Add Codeberg Pages Deploy plugin to plugins list [[#3054](#3054)] ### 🐛 Bug Fixes - Fixed Pods creation of WP services [[#3236](#3236)] - Fix Bitbucket get pull requests that ignores pagination [[#3235](#3235)] - Make PipelineConfig unique again [[#3215](#3215)] - Fix feed sorting [[#3155](#3155)] - Step status update dont set to running again once it got stoped [[#3151](#3151)] - Use step uuid instead of name in GRPC status calls [[#3143](#3143)] - Use UUID instead of step name where possible [[#3136](#3136)] - Use step type to detect services in Kubernetes backend [[#3141](#3141)] - Fix config base64 parsing to utf-8 [[#3110](#3110)] - Pin Gitea version [[#3104](#3104)] - Fix step `depends_on` as string in schema [[#3099](#3099)] - Fix slice unmarshaling [[#3097](#3097)] - Allow PR secrets to be used on close [[#3084](#3084)] - make event in pipeline schema also a constraint_list [[#3082](#3082)] - Fix badge's repoUrl with rootpath [[#3076](#3076)] - Load changed files for closed PR [[#3067](#3067)] - Fix build output paths [[#3065](#3065)] - Fix `when` and `depends_on` [[#3063](#3063)] - Fix DAG cycle detection [[#3049](#3049)] - Fix duplicated icons [[#3045](#3045)] ### 📈 Enhancement - Retrieve all user repo perms with a single API call [[#3211](#3211)] - Secured kubernetes backend configuration [[#3204](#3204)] - Use `assert` for tests [[#3201](#3201)] - Replace `goimports` with `gci` [[#3202](#3202)] - Remove multipart logger [[#3200](#3200)] - Added protocol in port configuration [[#2993](#2993)] - Kubernetes AppArmor and seccomp [[#3123](#3123)] - `cli exec`: let override existing environment values but print a warning [[#3140](#3140)] - Enable golangci linter forcetypeassert [[#3168](#3168)] - Enable golangci linter contextcheck [[#3170](#3170)] - Remove panic recovering [[#3162](#3162)] - More docker backend test remove more undocumented [[#3156](#3156)] - Lowercase all log strings [[#3173](#3173)] - Cleanups + prefer .yaml [[#3069](#3069)] - Use UUID as podName and cleanup arguments for Kubernetes backend [[#3135](#3135)] - Enable golangci linter stylecheck [[#3167](#3167)] - Clean up logging [[#3161](#3161)] - Enable `gocritic` and don't ignore globally [[#3159](#3159)] - Remove steps for publishing release branches [[#3125](#3125)] - Enable `nolintlint` [[#3158](#3158)] - Enable some linters [[#3129](#3129)] - Use name in backend types instead of alias [[#3142](#3142)] - Make service icon rotate [[#3149](#3149)] - Add step name as label to docker containers [[#3137](#3137)] - Use js-base64 on pipeline log page [[#3146](#3146)] - Flexible image pull secret reference [[#3016](#3016)] - Always show pipeline step list [[#3114](#3114)] - Add loading spinner and no pull request text [[#3113](#3113)] - Fix timeout settings contrast [[#3112](#3112)] - Unfold workflow when opening via URL [[#3106](#3106)] - Remove env argument of addons [[#3100](#3100)] - Move `cmd/common` to `shared` [[#3092](#3092)] - use semver for version comparsion [[#3042](#3042)] - Extend create plugin docs [[#3062](#3062)] - Remove old files [[#3077](#3077)] - Indicate if step is service [[#3078](#3078)] - Add imports checks to linter [[#3056](#3056)] - Remove workflow version again [[#3052](#3052)] - Add option to disable version check in admin web UI [[#3040](#3040)] ### Misc - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v3 [[#3229](#3229)] - Docs: Fix expression syntax docs url [[#3208](#3208)] - Add schema test for depends_on [[#3205](#3205)] - chore(deps): lock file maintenance [[#3190](#3190)] - Do not run prettier with pre-commit [[#3196](#3196)] - fix(deps): update module github.com/google/go-github/v57 to v58 [[#3187](#3187)] - chore(deps): update docker.io/golang docker tag to v1.21.6 [[#3189](#3189)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx [[#3186](#3186)] - fix(deps): update golang (packages) [[#3185](#3185)] - declare different when statements once and reuse them [[#3176](#3176)] - Add `make clean-all` [[#3152](#3152)] - Fix `version.json` updates [[#3057](#3057)] - [pre-commit.ci] pre-commit autoupdate [[#3101](#3101)] - Update dependency @vitejs/plugin-vue to v5 [[#3074](#3074)] - Use CI vars for plugin [[#3061](#3061)] - Use `yamllint` [[#3066](#3066)] - Use dag in ci config [[#3010](#3010)]
fernandrone
pushed a commit
to quintoandar/woodpecker
that referenced
this pull request
Feb 1, 2024
Closes woodpecker-ci#2545 seccomp https://kubernetes.io/docs/tutorials/security/seccomp/ https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/135-seccomp/README.md AppArmor https://kubernetes.io/docs/tutorials/security/apparmor/ https://github.com/kubernetes/enhancements/blob/fddcbb9cbf3df39ded03bad71228265ac6e5215f/keps/sig-node/24-apparmor/README.md Went ahead and implemented API from KEP-24 above.
fernandrone
pushed a commit
to quintoandar/woodpecker
that referenced
this pull request
Feb 1, 2024
This PR was opened by the [ready-release-go](https://github.com/woodpecker-ci/plugin-ready-release-go) plugin. When you're ready to do a release, you can merge this pull-request and a new release with version `2.2.0` will be created automatically. If you're not ready to do a release yet, that's fine, whenever you add more changes to `main` this pull-request will be updated. ## Options - [ ] Mark this version as a release candidate ## [2.2.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/2.2.0) - 2024-01-21 ### 🔒 Security - Update web dependencies [[woodpecker-ci#3234](woodpecker-ci#3234)] ### ✨ Features - Support custom steps entrypoint [[woodpecker-ci#2985](woodpecker-ci#2985)] ### 📚 Documentation - Add 2.2 docs [[woodpecker-ci#3237](woodpecker-ci#3237)] - Fix/improve issue templates [[woodpecker-ci#3232](woodpecker-ci#3232)] - Delete `FUNDING.yaml` [[woodpecker-ci#3193](woodpecker-ci#3193)] - Remove contributing/security to use globally defined [[woodpecker-ci#3192](woodpecker-ci#3192)] - Add "Kaniko" Plugin [[woodpecker-ci#3183](woodpecker-ci#3183)] - Document core development ideas [[woodpecker-ci#3184](woodpecker-ci#3184)] - Add continous deployment cookbook [[woodpecker-ci#3098](woodpecker-ci#3098)] - Make k8s backend configuration docs in the same format as others [[woodpecker-ci#3081](woodpecker-ci#3081)] - Hide backend config options from TOC [[woodpecker-ci#3126](woodpecker-ci#3126)] - Add X/Twitter account [[woodpecker-ci#3127](woodpecker-ci#3127)] - Add ansible plugin [[woodpecker-ci#3115](woodpecker-ci#3115)] - Format depends_on example [[woodpecker-ci#3118](woodpecker-ci#3118)] - Use WOODPECKER_AGENT_SECRET instead of deprecated alternative [[woodpecker-ci#3103](woodpecker-ci#3103)] - Add Reviewdog ESLint plugin [[woodpecker-ci#3102](woodpecker-ci#3102)] - Mark local backend as stable [[woodpecker-ci#3088](woodpecker-ci#3088)] - Update Owners 2024 [[woodpecker-ci#3075](woodpecker-ci#3075)] - Add reviewdog golangci plugin [[woodpecker-ci#3080](woodpecker-ci#3080)] - Add Codeberg Pages Deploy plugin to plugins list [[woodpecker-ci#3054](woodpecker-ci#3054)] ### 🐛 Bug Fixes - Fixed Pods creation of WP services [[woodpecker-ci#3236](woodpecker-ci#3236)] - Fix Bitbucket get pull requests that ignores pagination [[woodpecker-ci#3235](woodpecker-ci#3235)] - Make PipelineConfig unique again [[woodpecker-ci#3215](woodpecker-ci#3215)] - Fix feed sorting [[woodpecker-ci#3155](woodpecker-ci#3155)] - Step status update dont set to running again once it got stoped [[woodpecker-ci#3151](woodpecker-ci#3151)] - Use step uuid instead of name in GRPC status calls [[woodpecker-ci#3143](woodpecker-ci#3143)] - Use UUID instead of step name where possible [[woodpecker-ci#3136](woodpecker-ci#3136)] - Use step type to detect services in Kubernetes backend [[woodpecker-ci#3141](woodpecker-ci#3141)] - Fix config base64 parsing to utf-8 [[woodpecker-ci#3110](woodpecker-ci#3110)] - Pin Gitea version [[woodpecker-ci#3104](woodpecker-ci#3104)] - Fix step `depends_on` as string in schema [[woodpecker-ci#3099](woodpecker-ci#3099)] - Fix slice unmarshaling [[woodpecker-ci#3097](woodpecker-ci#3097)] - Allow PR secrets to be used on close [[woodpecker-ci#3084](woodpecker-ci#3084)] - make event in pipeline schema also a constraint_list [[woodpecker-ci#3082](woodpecker-ci#3082)] - Fix badge's repoUrl with rootpath [[woodpecker-ci#3076](woodpecker-ci#3076)] - Load changed files for closed PR [[woodpecker-ci#3067](woodpecker-ci#3067)] - Fix build output paths [[woodpecker-ci#3065](woodpecker-ci#3065)] - Fix `when` and `depends_on` [[woodpecker-ci#3063](woodpecker-ci#3063)] - Fix DAG cycle detection [[woodpecker-ci#3049](woodpecker-ci#3049)] - Fix duplicated icons [[woodpecker-ci#3045](woodpecker-ci#3045)] ### 📈 Enhancement - Retrieve all user repo perms with a single API call [[woodpecker-ci#3211](woodpecker-ci#3211)] - Secured kubernetes backend configuration [[woodpecker-ci#3204](woodpecker-ci#3204)] - Use `assert` for tests [[woodpecker-ci#3201](woodpecker-ci#3201)] - Replace `goimports` with `gci` [[woodpecker-ci#3202](woodpecker-ci#3202)] - Remove multipart logger [[woodpecker-ci#3200](woodpecker-ci#3200)] - Added protocol in port configuration [[woodpecker-ci#2993](woodpecker-ci#2993)] - Kubernetes AppArmor and seccomp [[woodpecker-ci#3123](woodpecker-ci#3123)] - `cli exec`: let override existing environment values but print a warning [[woodpecker-ci#3140](woodpecker-ci#3140)] - Enable golangci linter forcetypeassert [[woodpecker-ci#3168](woodpecker-ci#3168)] - Enable golangci linter contextcheck [[woodpecker-ci#3170](woodpecker-ci#3170)] - Remove panic recovering [[woodpecker-ci#3162](woodpecker-ci#3162)] - More docker backend test remove more undocumented [[woodpecker-ci#3156](woodpecker-ci#3156)] - Lowercase all log strings [[woodpecker-ci#3173](woodpecker-ci#3173)] - Cleanups + prefer .yaml [[woodpecker-ci#3069](woodpecker-ci#3069)] - Use UUID as podName and cleanup arguments for Kubernetes backend [[woodpecker-ci#3135](woodpecker-ci#3135)] - Enable golangci linter stylecheck [[woodpecker-ci#3167](woodpecker-ci#3167)] - Clean up logging [[woodpecker-ci#3161](woodpecker-ci#3161)] - Enable `gocritic` and don't ignore globally [[woodpecker-ci#3159](woodpecker-ci#3159)] - Remove steps for publishing release branches [[woodpecker-ci#3125](woodpecker-ci#3125)] - Enable `nolintlint` [[woodpecker-ci#3158](woodpecker-ci#3158)] - Enable some linters [[woodpecker-ci#3129](woodpecker-ci#3129)] - Use name in backend types instead of alias [[woodpecker-ci#3142](woodpecker-ci#3142)] - Make service icon rotate [[woodpecker-ci#3149](woodpecker-ci#3149)] - Add step name as label to docker containers [[woodpecker-ci#3137](woodpecker-ci#3137)] - Use js-base64 on pipeline log page [[woodpecker-ci#3146](woodpecker-ci#3146)] - Flexible image pull secret reference [[woodpecker-ci#3016](woodpecker-ci#3016)] - Always show pipeline step list [[woodpecker-ci#3114](woodpecker-ci#3114)] - Add loading spinner and no pull request text [[woodpecker-ci#3113](woodpecker-ci#3113)] - Fix timeout settings contrast [[woodpecker-ci#3112](woodpecker-ci#3112)] - Unfold workflow when opening via URL [[woodpecker-ci#3106](woodpecker-ci#3106)] - Remove env argument of addons [[woodpecker-ci#3100](woodpecker-ci#3100)] - Move `cmd/common` to `shared` [[woodpecker-ci#3092](woodpecker-ci#3092)] - use semver for version comparsion [[woodpecker-ci#3042](woodpecker-ci#3042)] - Extend create plugin docs [[woodpecker-ci#3062](woodpecker-ci#3062)] - Remove old files [[woodpecker-ci#3077](woodpecker-ci#3077)] - Indicate if step is service [[woodpecker-ci#3078](woodpecker-ci#3078)] - Add imports checks to linter [[woodpecker-ci#3056](woodpecker-ci#3056)] - Remove workflow version again [[woodpecker-ci#3052](woodpecker-ci#3052)] - Add option to disable version check in admin web UI [[woodpecker-ci#3040](woodpecker-ci#3040)] ### Misc - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v3 [[woodpecker-ci#3229](woodpecker-ci#3229)] - Docs: Fix expression syntax docs url [[woodpecker-ci#3208](woodpecker-ci#3208)] - Add schema test for depends_on [[woodpecker-ci#3205](woodpecker-ci#3205)] - chore(deps): lock file maintenance [[woodpecker-ci#3190](woodpecker-ci#3190)] - Do not run prettier with pre-commit [[woodpecker-ci#3196](woodpecker-ci#3196)] - fix(deps): update module github.com/google/go-github/v57 to v58 [[woodpecker-ci#3187](woodpecker-ci#3187)] - chore(deps): update docker.io/golang docker tag to v1.21.6 [[woodpecker-ci#3189](woodpecker-ci#3189)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx [[woodpecker-ci#3186](woodpecker-ci#3186)] - fix(deps): update golang (packages) [[woodpecker-ci#3185](woodpecker-ci#3185)] - declare different when statements once and reuse them [[woodpecker-ci#3176](woodpecker-ci#3176)] - Add `make clean-all` [[woodpecker-ci#3152](woodpecker-ci#3152)] - Fix `version.json` updates [[woodpecker-ci#3057](woodpecker-ci#3057)] - [pre-commit.ci] pre-commit autoupdate [[woodpecker-ci#3101](woodpecker-ci#3101)] - Update dependency @vitejs/plugin-vue to v5 [[woodpecker-ci#3074](woodpecker-ci#3074)] - Use CI vars for plugin [[woodpecker-ci#3061](woodpecker-ci#3061)] - Use `yamllint` [[woodpecker-ci#3066](woodpecker-ci#3066)] - Use dag in ci config [[woodpecker-ci#3010](woodpecker-ci#3010)]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #2545
seccomp
https://kubernetes.io/docs/tutorials/security/seccomp/
https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/135-seccomp/README.md
AppArmor
https://kubernetes.io/docs/tutorials/security/apparmor/
https://github.com/kubernetes/enhancements/blob/fddcbb9cbf3df39ded03bad71228265ac6e5215f/keps/sig-node/24-apparmor/README.md
Went ahead and implemented API from KEP-24 above.