✨ Run task pod as AnyUser. (#755)

To support running the task pods as _AnyUser_ instead of root: - The task manager needs to no longer RunAs user root. - The /addon directory needs to be an _EmptyDir_. This is because the addon-analyzer Dockerfile cannot create the /addon directory as owned by the _AnyUser_. Signed-off-by: Jeff Ortel <[email protected]>
konveyor · Oct 10, 2024 · 8769075 · 8769075
1 parent 6b050e7
commit 8769075
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/settings/addon.go b/settings/addon.go
@@ -7,13 +7,16 @@ import (
 )
 
 const (
-	EnvHubBaseURL = "HUB_BASE_URL"
-	EnvHubToken   = "TOKEN"
-	EnvTask       = "TASK"
+	EnvHubBaseURL   = "HUB_BASE_URL"
+	EnvHubToken     = "TOKEN"
+	EnvTask         = "TASK"
+	EnvAddonHomeDir = "ADDON_HOME"
 )
 
 // Addon settings.
 type Addon struct {
+	// HomeDir working directory.
+	HomeDir string
 	// Hub settings.
 	Hub struct {
 		// URL for the hub API.
@@ -27,6 +30,10 @@ type Addon struct {
 
 func (r *Addon) Load() (err error) {
 	var found bool
+	r.HomeDir, found = os.LookupEnv(EnvAddonHomeDir)
+	if !found {
+		r.HomeDir = "/addon"
+	}
 	r.Hub.URL, found = os.LookupEnv(EnvHubBaseURL)
 	if !found {
 		r.Hub.URL = "http://localhost:8080"

diff --git a/task/manager.go b/task/manager.go
@@ -83,6 +83,7 @@ const (
 )
 
 const (
+	Addon  = "addon"
 	Shared = "shared"
 	Cache  = "cache"
 )
@@ -1643,6 +1644,12 @@ func (r *Task) specification(
 	addon *crd.Addon,
 	extensions []crd.Extension,
 	secret *core.Secret) (specification core.PodSpec) {
+	addonDir := core.Volume{
+		Name: Addon,
+		VolumeSource: core.VolumeSource{
+			EmptyDir: &core.EmptyDirVolumeSource{},
+		},
+	}
 	shared := core.Volume{
 		Name: Shared,
 		VolumeSource: core.VolumeSource{
@@ -1670,6 +1677,7 @@ func (r *Task) specification(
 		InitContainers:     init,
 		Containers:         plain,
 		Volumes: []core.Volume{
+			addonDir,
 			shared,
 			cache,
 		},
@@ -1683,7 +1691,6 @@ func (r *Task) containers(
 	addon *crd.Addon,
 	extensions []crd.Extension,
 	secret *core.Secret) (init []core.Container, plain []core.Container) {
-	userid := int64(0)
 	token := &core.EnvVarSource{
 		SecretKeyRef: &core.SecretKeySelector{
 			Key: settings.EnvHubToken,
@@ -1707,11 +1714,12 @@ func (r *Task) containers(
 		container := &plain[i]
 		injector.Inject(container)
 		r.propagateEnv(&plain[0], container)
-		container.SecurityContext = &core.SecurityContext{
-			RunAsUser: &userid,
-		}
 		container.VolumeMounts = append(
 			container.VolumeMounts,
+			core.VolumeMount{
+				Name:      Addon,
+				MountPath: Settings.Addon.HomeDir,
+			},
 			core.VolumeMount{
 				Name:      Shared,
 				MountPath: Settings.Shared.Path,
@@ -1722,6 +1730,10 @@ func (r *Task) containers(
 			})
 		container.Env = append(
 			container.Env,
+			core.EnvVar{
+				Name:  settings.EnvAddonHomeDir,
+				Value: Settings.Addon.HomeDir,
+			},
 			core.EnvVar{
 				Name:  settings.EnvSharedPath,
 				Value: Settings.Shared.Path,