
fix(controller): podSpecPatch updates override the ref template in Secure mode #13909

Open
wants to merge 1 commit into base: main

Conversation

@chengjoey chengjoey (Member) commented Nov 16, 2024

Fixes #13871

Motivation

podSpecPatch seems not to be set when referencing wf template and in Secure mode

Modifications

Verification

wf:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: workflow-template-hello-world
spec:
  workflowTemplateRef:
    name: workflow-template-print-message
  podSpecPatch: |
    containers:
      - name: main
        image: alpine
        command: [echo]
        args: ["hello world"]

kubectl get wf

NAME                            STATUS   AGE   MESSAGE
workflow-template-hello-world   Error    6s    PodSpecPatch may not be setted during execution when the controller is set `templateReferencing: Secure`

@chengjoey chengjoey marked this pull request as draft November 16, 2024 05:51
@@ -4023,6 +4023,9 @@ func (woc *wfOperationCtx) setStoredWfSpec(ctx context.Context) error {
wfutil.JoinWorkflowMetaData(&woc.wf.ObjectMeta, &wfDefault.ObjectMeta)
workflowTemplateSpec = wftHolder.GetWorkflowSpec()
}
if len(woc.execWf.Spec.PodSpecPatch) > 0 && woc.controller.Config.WorkflowRestrictions.MustNotChangeSpec() {
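Review bot: the new guard `if len(woc.execWf.Spec.PodSpecPatch) > 0 && woc.controller.Config.WorkflowRestrictions.MustNotChangeSpec()` keys the rejection to `MustNotChangeSpec()`, which per the documented config means only `templateReferencing: Secure` blocks a workflow-level podSpecPatch, while `Strict` still lets the patch override the referenced template's container image and command; the thread below asks whether `MustUseReference()` is the right predicate, and whichever is chosen should be stated in the `workflowRestrictions` documentation so an administrator knows which mode actually pins the template's pods. Also, the rejection text shown in the verification output, "PodSpecPatch may not be setted during execution", should read "may not be set".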


This also applies to Strict mode right? MustUseReference is more suitable perhaps

Member

I think templateReferencing: Secure has prohibited changes, maybe podSpecPatch can also exist in strict mode.

Member Author

The definition of workflowRestrictions is here, I'm not very sure, but it seems that podSpecPatch can exist in strict mode.

# workflowRestrictions restricts the Workflows that the controller will process.
# Current options:
# Strict: Only Workflows using "workflowTemplateRef" will be processed. This allows the administrator of the controller
# to set a "library" of templates that may be run by its operator, limiting arbitrary Workflow execution.
# Secure: Only Workflows using "workflowTemplateRef" will be processed and the controller will enforce
# that the WorkflowTemplate that is referenced hasn't changed between operations. If you want to make sure the operator of the
# Workflow cannot run an arbitrary Workflow, use this option.
workflowRestrictions: |
  templateReferencing: Strict


I would consider it a security concern if you allow podSpecPatch when Secure is set to Strict mode. Our use-case is we want to allow people to create workflows, but only from things that exist from workflow templates without any changes.
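The admission decision the thread is debating, written out as an added example (not the project's own code): a minimal Go model of the two documented modes, where `MustUseReference()` is true for both Strict and Secure and `MustNotChangeSpec()` is true only for Secure, so a workflow-level podSpecPatch is rejected in Secure mode and accepted in Strict mode. The `TemplateReferencing`, `WorkflowRestrictions` and `WorkflowSpec` types, the error values, the `ValidateRestrictions` function, and the empty mode meaning "no restriction" are all assumptions of this example; only the two method names and the mode names come from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// TemplateReferencing models the values documented for
// workflowRestrictions.templateReferencing. Treating the empty value as
// "no restriction" is an assumption of this example.
type TemplateReferencing string

const (
	TemplateReferencingNone   TemplateReferencing = ""
	TemplateReferencingStrict TemplateReferencing = "Strict"
	TemplateReferencingSecure TemplateReferencing = "Secure"
)

// WorkflowRestrictions is a constructed stand-in for the controller config
// section; it is not the project's own type.
type WorkflowRestrictions struct {
	TemplateReferencing TemplateReferencing
}

// MustUseReference is true for both documented modes: Strict and Secure
// each require the Workflow to use workflowTemplateRef.
func (r WorkflowRestrictions) MustUseReference() bool {
	return r.TemplateReferencing == TemplateReferencingStrict ||
		r.TemplateReferencing == TemplateReferencingSecure
}

// MustNotChangeSpec is true only for Secure, the mode that additionally
// forbids the Workflow from altering what the referenced template runs.
func (r WorkflowRestrictions) MustNotChangeSpec() bool {
	return r.TemplateReferencing == TemplateReferencingSecure
}

// WorkflowSpec is a constructed subset of a Workflow spec holding only the
// two fields this check needs.
type WorkflowSpec struct {
	WorkflowTemplateRef string // referenced WorkflowTemplate name, "" if absent
	PodSpecPatch        string // raw podSpecPatch text, "" if absent
}

var (
	ErrReferenceRequired      = errors.New("workflow must reference a WorkflowTemplate")
	ErrPodSpecPatchNotAllowed = errors.New("podSpecPatch may not be set when templateReferencing is Secure")
)

// ValidateRestrictions is the decision made before a Workflow is processed.
// A podSpecPatch can replace the image and command of the referenced
// template's containers, so Secure rejects it outright, while Strict
// (reference required, changes not forbidden) lets it through.
func ValidateRestrictions(r WorkflowRestrictions, spec WorkflowSpec) error {
	if r.MustUseReference() && spec.WorkflowTemplateRef == "" {
		return ErrReferenceRequired
	}
	if r.MustNotChangeSpec() && spec.PodSpecPatch != "" {
		return ErrPodSpecPatchNotAllowed
	}
	return nil
}

func main() {
	// Constructed input: the patch from the verification workflow above.
	patch := "containers:\n  - name: main\n    image: alpine\n    command: [echo]\n    args: [\"hello world\"]\n"
	ref := "workflow-template-print-message"
	cases := []struct {
		name string
		mode TemplateReferencing
		spec WorkflowSpec
	}{
		{"unrestricted, patch only", TemplateReferencingNone, WorkflowSpec{PodSpecPatch: patch}},
		{"Strict, no reference", TemplateReferencingStrict, WorkflowSpec{PodSpecPatch: patch}},
		{"Strict, reference + patch", TemplateReferencingStrict, WorkflowSpec{WorkflowTemplateRef: ref, PodSpecPatch: patch}},
		{"Secure, reference + patch", TemplateReferencingSecure, WorkflowSpec{WorkflowTemplateRef: ref, PodSpecPatch: patch}},
		{"Secure, reference only", TemplateReferencingSecure, WorkflowSpec{WorkflowTemplateRef: ref}},
	}
	for _, c := range cases {
		err := ValidateRestrictions(WorkflowRestrictions{TemplateReferencing: c.mode}, c.spec)
		fmt.Printf("%-28s -> %v\n", c.name, err)
	}
}
```

The "Strict, reference + patch" row passing is exactly the gap raised in this comment: Strict pins which template is referenced but not what its pods end up running, so an administrator who wants the template library to be the only source of image and command must run Secure.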

@shuangkun shuangkun added the area/controller Controller issues, panics label Dec 20, 2024
@chengjoey chengjoey marked this pull request as ready for review January 6, 2025 02:27
@MasonM MasonM (Contributor) commented Jan 6, 2025

@chengjoey The E2E test failures were due to a bug in Kit, which was just fixed. If you merge your changes with main, they should pass now.

Successfully merging this pull request may close these issues.

Using podSpecPatch with templateReferencing: Secure mode can still override container image and command