Add feature flag set-security-context-read-only-root-filesystem to set readOnlyRootFilesystem for containers

config/config-feature-flags.yaml

@@ -117,6 +117,8 @@ data:
   # This allows TaskRuns to run in namespaces with "restricted" pod security standards.
   # Not all Kubernetes implementations support this option.
   set-security-context: "false"
+  # Setting this flag to "true" will set root filesystemt to readonly for containers injected by Tekton into TaskRuns.
+  set-security-context-read-only-root-filesystem: "false"
   # Setting this flag to "true" will keep pod on cancellation
   # allowing examination of the logs on the pods from cancelled taskruns
   keep-pod-on-cancel: "false"

docs/additional-configs.md

@@ -360,6 +360,11 @@ Defaults to "ignore".
 - `set-security-context`: Set this flag to `true` to set a security context for containers injected by Tekton that will allow TaskRun pods
 to run in namespaces with `restricted` pod security admission. By default, this is set to `false`.
 
+- `set-security-context-read-only-root-filesystem`: Set this flag to `true` to enable `readOnlyRootFilesystem` in the
+  security context for containers injected by Tekton. This makes the root filesystem of the container read-only,
+  enhancing security. Note that this requires `set-security-context` to be enabled. By default, this flag is set
+  to `false`. Note: This feature does not work in windows as it is not supported there, [Comparison with linux](https://kubernetes.io/docs/concepts/windows/intro/#compatibility-linux-similarities). 
+
 ### Alpha Features
 
 Alpha features in the following table are still in development and their syntax is subject to change.
@@ -461,7 +466,8 @@ Out-of-the-box, Tekton Pipelines Controller is configured for relatively small-s
 
 To allow TaskRuns and PipelineRuns to run in namespaces with [restricted pod security standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/),
 set the "set-security-context" feature flag to "true" in the [feature-flags configMap](#customizing-the-pipelines-controller-behavior). This configuration option applies a [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
-to any containers injected into TaskRuns by the Pipelines controller. This SecurityContext may not be supported in all Kubernetes implementations (for example, OpenShift).
+to any containers injected into TaskRuns by the Pipelines controller. If the [Affinity Assistants](affinityassistants.md) feature is enabled, the SecurityContext is also applied to those containers.
+This SecurityContext may not be supported in all Kubernetes implementations (for example, OpenShift).
 
 **Note**: running TaskRuns and PipelineRuns in the "tekton-pipelines" namespace is discouraged.
 

pkg/apis/config/feature_flags.go

@@ -94,6 +94,8 @@ const (
 	DefaultMaxResultSize = 4096
 	// DefaultSetSecurityContext is the default value for "set-security-context"
 	DefaultSetSecurityContext = false
+	// DefaultSetSecurityContextReadOnlyRootFilesystem is the default value for "set-security-context-read-only-root-filesystem"
+	DefaultSetSecurityContextReadOnlyRootFilesystem = false
 	// DefaultCoschedule is the default value for coschedule
 	DefaultCoschedule = CoscheduleWorkspaces
 	// KeepPodOnCancel is the flag used to enable cancelling a pod using the entrypoint, and keep pod on cancel
@@ -123,15 +125,16 @@ const (
 	awaitSidecarReadinessKey            = "await-sidecar-readiness"
 	requireGitSSHSecretKnownHostsKey    = "require-git-ssh-secret-known-hosts" //nolint:gosec
 	// enableTektonOCIBundles              = "enable-tekton-oci-bundles"
-	enableAPIFields           = "enable-api-fields"
-	sendCloudEventsForRuns    = "send-cloudevents-for-runs"
-	enforceNonfalsifiability  = "enforce-nonfalsifiability"
-	verificationNoMatchPolicy = "trusted-resources-verification-no-match-policy"
-	enableProvenanceInStatus  = "enable-provenance-in-status"
-	resultExtractionMethod    = "results-from"
-	maxResultSize             = "max-result-size"
-	setSecurityContextKey     = "set-security-context"
-	coscheduleKey             = "coschedule"
+	enableAPIFields                             = "enable-api-fields"
+	sendCloudEventsForRuns                      = "send-cloudevents-for-runs"
+	enforceNonfalsifiability                    = "enforce-nonfalsifiability"
+	verificationNoMatchPolicy                   = "trusted-resources-verification-no-match-policy"
+	enableProvenanceInStatus                    = "enable-provenance-in-status"
+	resultExtractionMethod                      = "results-from"
+	maxResultSize                               = "max-result-size"
+	setSecurityContextKey                       = "set-security-context"
+	setSecurityContextReadOnlyRootFilesystemKey = "set-security-context-read-only-root-filesystem"
+	coscheduleKey                               = "coschedule"
 )
 
 // DefaultFeatureFlags holds all the default configurations for the feature flags configmap.
@@ -200,19 +203,20 @@ type FeatureFlags struct {
 	// ignore: skip trusted resources verification when no matching verification policies found
 	// warn: skip trusted resources verification when no matching verification policies found and log a warning
 	// fail: fail the taskrun or pipelines run if no matching verification policies found
-	VerificationNoMatchPolicy   string
-	EnableProvenanceInStatus    bool
-	ResultExtractionMethod      string
-	MaxResultSize               int
-	SetSecurityContext          bool
-	Coschedule                  string
-	EnableCELInWhenExpression   bool
-	EnableStepActions           bool
-	EnableParamEnum             bool
-	EnableArtifacts             bool
-	DisableInlineSpec           string
-	EnableConciseResolverSyntax bool
-	EnableKubernetesSidecar     bool
+	VerificationNoMatchPolicy                string
+	EnableProvenanceInStatus                 bool
+	ResultExtractionMethod                   string
+	MaxResultSize                            int
+	SetSecurityContext                       bool
+	SetSecurityContextReadOnlyRootFilesystem bool
+	Coschedule                               string
+	EnableCELInWhenExpression                bool
+	EnableStepActions                        bool
+	EnableParamEnum                          bool
+	EnableArtifacts                          bool
+	DisableInlineSpec                        string
+	EnableConciseResolverSyntax              bool
+	EnableKubernetesSidecar                  bool
 }
 
 // GetFeatureFlagsConfigName returns the name of the configmap containing all
@@ -295,6 +299,9 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 	if err := setFeature(setSecurityContextKey, DefaultSetSecurityContext, &tc.SetSecurityContext); err != nil {
 		return nil, err
 	}
+	if err := setFeature(setSecurityContextReadOnlyRootFilesystemKey, DefaultSetSecurityContextReadOnlyRootFilesystem, &tc.SetSecurityContextReadOnlyRootFilesystem); err != nil {
+		return nil, err
+	}
 	if err := setCoschedule(cfgMap, DefaultCoschedule, tc.DisableAffinityAssistant, &tc.Coschedule); err != nil {
 		return nil, err
 	}

pkg/apis/config/feature_flags_test.go

@@ -63,27 +63,28 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 		},
 		{
 			expectedConfig: &config.FeatureFlags{
-				DisableAffinityAssistant:         true,
-				RunningInEnvWithInjectedSidecars: false,
-				AwaitSidecarReadiness:            false,
-				RequireGitSSHSecretKnownHosts:    true,
-				EnableAPIFields:                  "alpha",
-				SendCloudEventsForRuns:           true,
-				EnforceNonfalsifiability:         "spire",
-				VerificationNoMatchPolicy:        config.FailNoMatchPolicy,
-				EnableProvenanceInStatus:         false,
-				ResultExtractionMethod:           "termination-message",
-				EnableKeepPodOnCancel:            true,
-				MaxResultSize:                    4096,
-				SetSecurityContext:               true,
-				Coschedule:                       config.CoscheduleDisabled,
-				EnableCELInWhenExpression:        true,
-				EnableStepActions:                true,
-				EnableArtifacts:                  true,
-				EnableParamEnum:                  true,
-				DisableInlineSpec:                "pipeline,pipelinerun,taskrun",
-				EnableConciseResolverSyntax:      true,
-				EnableKubernetesSidecar:          true,
+				DisableAffinityAssistant:                 true,
+				RunningInEnvWithInjectedSidecars:         false,
+				AwaitSidecarReadiness:                    false,
+				RequireGitSSHSecretKnownHosts:            true,
+				EnableAPIFields:                          "alpha",
+				SendCloudEventsForRuns:                   true,
+				EnforceNonfalsifiability:                 "spire",
+				VerificationNoMatchPolicy:                config.FailNoMatchPolicy,
+				EnableProvenanceInStatus:                 false,
+				ResultExtractionMethod:                   "termination-message",
+				EnableKeepPodOnCancel:                    true,
+				MaxResultSize:                            4096,
+				SetSecurityContext:                       true,
+				SetSecurityContextReadOnlyRootFilesystem: true,
+				Coschedule:                               config.CoscheduleDisabled,
+				EnableCELInWhenExpression:                true,
+				EnableStepActions:                        true,
+				EnableArtifacts:                          true,
+				EnableParamEnum:                          true,
+				DisableInlineSpec:                        "pipeline,pipelinerun,taskrun",
+				EnableConciseResolverSyntax:              true,
+				EnableKubernetesSidecar:                  true,
 			},
 			fileName: "feature-flags-all-flags-set",
 		},

pkg/apis/config/testdata/feature-flags-all-flags-set.yaml

@@ -31,6 +31,7 @@ data:
   trusted-resources-verification-no-match-policy: "fail"
   enable-provenance-in-status: "false"
   set-security-context: "true"
+  set-security-context-read-only-root-filesystem: "true"
   keep-pod-on-cancel: "true"
   enable-cel-in-whenexpression: "true"
   enable-step-actions: "true"

pkg/internal/affinityassistant/affinityassistant_types.go

@@ -17,6 +17,8 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/tektoncd/pipeline/pkg/pod"
+
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 )
 
@@ -54,3 +56,9 @@ func GetAffinityAssistantBehavior(ctx context.Context) (AffinityAssistantBehavio
 
 	return "", fmt.Errorf("unknown combination of disable-affinity-assistant: %v and coschedule: %v", disableAA, coschedule)
 }
+
+// ContainerConfig defines AffinityAssistant container configuration
+type ContainerConfig struct {
+	Image                 string
+	SecurityContextConfig pod.SecurityContextConfig
+}

pkg/pod/pod.go

@@ -60,8 +60,8 @@ const (
 	// SpiffeCsiDriver is the CSI storage plugin needed for injection of SPIFFE workload api.
 	SpiffeCsiDriver = "csi.spiffe.io"
 
-	// osSelectorLabel is the label Kubernetes uses for OS-specific workloads (https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-os)
-	osSelectorLabel = "kubernetes.io/os"
+	// OsSelectorLabel is the label Kubernetes uses for OS-specific workloads (https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-os)
+	OsSelectorLabel = "kubernetes.io/os"
 
 	// TerminationReasonTimeoutExceeded indicates a step execution timed out.
 	TerminationReasonTimeoutExceeded = "TimeoutExceeded"
@@ -127,27 +127,6 @@ var (
 
 	// MaxActiveDeadlineSeconds is a maximum permitted value to be used for a task with no timeout
 	MaxActiveDeadlineSeconds = int64(math.MaxInt32)
-
-	// Used in security context of pod init containers
-	allowPrivilegeEscalation = false
-	runAsNonRoot             = true
-
-	// The following security contexts allow init containers to run in namespaces
-	// with "restricted" pod security admission
-	// See https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-	linuxSecurityContext = &corev1.SecurityContext{
-		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
-		},
-		RunAsNonRoot: &runAsNonRoot,
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
-	}
-	windowsSecurityContext = &corev1.SecurityContext{
-		RunAsNonRoot: &runAsNonRoot,
-	}
 )
 
 // Builder exposes options to configure Pod construction from TaskSpecs/Runs.
@@ -178,6 +157,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	sidecarLogsResultsEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.ResultExtractionMethod == config.ResultExtractionMethodSidecarLogs
 	enableKeepPodOnCancel := featureFlags.EnableKeepPodOnCancel
 	setSecurityContext := config.FromContextOrDefaults(ctx).FeatureFlags.SetSecurityContext
+	setSecurityContextReadOnlyRootFilesystem := config.FromContextOrDefaults(ctx).FeatureFlags.SetSecurityContextReadOnlyRootFilesystem
 
 	// Add our implicit volumes first, so they can be overridden by the user if they prefer.
 	volumes = append(volumes, implicitVolumes...)
@@ -212,11 +192,17 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	if taskRun.Spec.ComputeResources != nil {
 		tasklevel.ApplyTaskLevelComputeResources(steps, taskRun.Spec.ComputeResources)
 	}
+
+	securityContextConfig := SecurityContextConfig{
+		SetSecurityContext:        setSecurityContext,
+		SetReadOnlyRootFilesystem: setSecurityContextReadOnlyRootFilesystem,
+	}
+
 	windows := usesWindows(taskRun)
 	if sidecarLogsResultsEnabled {
 		if taskSpec.Results != nil || artifactsPathReferenced(steps) {
 			// create a results sidecar
-			resultsSidecar, err := createResultsSidecar(taskSpec, b.Images.SidecarLogResultsImage, setSecurityContext, windows)
+			resultsSidecar, err := createResultsSidecar(taskSpec, b.Images.SidecarLogResultsImage, securityContextConfig, windows)
 			if err != nil {
 				return nil, err
 			}
@@ -231,15 +217,15 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	}
 
 	initContainers = []corev1.Container{
-		entrypointInitContainer(b.Images.EntrypointImage, steps, setSecurityContext, windows),
+		entrypointInitContainer(b.Images.EntrypointImage, steps, securityContextConfig, windows),
 	}
 
 	// Convert any steps with Script to command+args.
 	// If any are found, append an init container to initialize scripts.
 	if alphaAPIEnabled {
-		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, b.Images.ShellImageWin, steps, sidecars, taskRun.Spec.Debug, setSecurityContext)
+		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, b.Images.ShellImageWin, steps, sidecars, taskRun.Spec.Debug, securityContextConfig)
 	} else {
-		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, "", steps, sidecars, nil, setSecurityContext)
+		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, "", steps, sidecars, nil, securityContextConfig)
 	}
 
 	if scriptsInit != nil {
@@ -250,7 +236,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 		volumes = append(volumes, debugScriptsVolume, debugInfoVolume)
 	}
 	// Initialize any workingDirs under /workspace.
-	if workingDirInit := workingDirInit(b.Images.WorkingDirInitImage, stepContainers, setSecurityContext, windows); workingDirInit != nil {
+	if workingDirInit := workingDirInit(b.Images.WorkingDirInitImage, stepContainers, securityContextConfig, windows); workingDirInit != nil {
 		initContainers = append(initContainers, *workingDirInit)
 	}
 
@@ -695,18 +681,14 @@ func runVolume(i int) corev1.Volume {
 // This should effectively merge multiple command and volumes together.
 // If setSecurityContext is true, the init container will include a security context
 // allowing it to run in namespaces with restriced pod security admission.
-func entrypointInitContainer(image string, steps []v1.Step, setSecurityContext, windows bool) corev1.Container {
+func entrypointInitContainer(image string, steps []v1.Step, securityContext SecurityContextConfig, windows bool) corev1.Container {
 	// Invoke the entrypoint binary in "cp mode" to copy itself
 	// into the correct location for later steps and initialize steps folder
 	command := []string{"/ko-app/entrypoint", "init", "/ko-app/entrypoint", entrypointBinary}
 	for i, s := range steps {
 		command = append(command, StepName(s.Name, i))
 	}
 	volumeMounts := []corev1.VolumeMount{binMount, internalStepsMount}
-	securityContext := linuxSecurityContext
-	if windows {
-		securityContext = windowsSecurityContext
-	}
 
 	// Rewrite steps with entrypoint binary. Append the entrypoint init
 	// container to place the entrypoint binary. Also add timeout flags
@@ -721,8 +703,8 @@ func entrypointInitContainer(image string, steps []v1.Step, setSecurityContext,
 		Command:      command,
 		VolumeMounts: volumeMounts,
 	}
-	if setSecurityContext {
-		prepareInitContainer.SecurityContext = securityContext
+	if securityContext.SetSecurityContext {
+		prepareInitContainer.SecurityContext = securityContext.GetSecurityContext(windows)
 	}
 	return prepareInitContainer
 }
@@ -732,7 +714,7 @@ func entrypointInitContainer(image string, steps []v1.Step, setSecurityContext,
 // whether it will run on a windows node, and whether the sidecar should include a security context
 // that will allow it to run in namespaces with "restricted" pod security admission.
 // It will also provide arguments to the binary that allow it to surface the step results.
-func createResultsSidecar(taskSpec v1.TaskSpec, image string, setSecurityContext, windows bool) (v1.Sidecar, error) {
+func createResultsSidecar(taskSpec v1.TaskSpec, image string, securityContext SecurityContextConfig, windows bool) (v1.Sidecar, error) {
 	names := make([]string, 0, len(taskSpec.Results))
 	for _, r := range taskSpec.Results {
 		names = append(names, r.Name)
@@ -775,13 +757,11 @@ func createResultsSidecar(taskSpec v1.TaskSpec, image string, setSecurityContext
 		Image:   image,
 		Command: command,
 	}
-	securityContext := linuxSecurityContext
-	if windows {
-		securityContext = windowsSecurityContext
-	}
-	if setSecurityContext {
-		sidecar.SecurityContext = securityContext
+
+	if securityContext.SetSecurityContext {
+		sidecar.SecurityContext = securityContext.GetSecurityContext(windows)
 	}
+
 	return sidecar, nil
 }
 
@@ -792,7 +772,7 @@ func usesWindows(tr *v1.TaskRun) bool {
 	if tr.Spec.PodTemplate == nil || tr.Spec.PodTemplate.NodeSelector == nil {
 		return false
 	}
-	osSelector := tr.Spec.PodTemplate.NodeSelector[osSelectorLabel]
+	osSelector := tr.Spec.PodTemplate.NodeSelector[OsSelectorLabel]
 	return osSelector == "windows"
 }