knative-serving: backport knative/serving#14363

elukey · elukey · commit a6725fcc3f29 · 2025-02-27T10:24:38.000+01:00
The pull request is needed to force Knative to set runAsNonRoot
when secure-pod-defaults is true. The option forces knative to
create the user pods with all the safest security options to pass
the PSS restriction policy, but at the moment it is lacking
runAsNonRoot forced to true.

Note: I haven't backported the whole patch since part of it overlapped
with a previous one for queue.go, where seccomp's defaults were
set. The same code was committed in different pull requests, so I just
removed the bit already there to allow patch to avoid error/warnings.

Bug: T369493
Change-Id: Iceb1ac2d83f298ef2a834e24a8fdc8a6f1df4a28
diff --git a/images/knative/serving/activator/changelog b/images/knative/serving/activator/changelog
@@ -1,3 +1,9 @@
+knative-serving-activator (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-activator (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/autoscaler/changelog b/images/knative/serving/autoscaler/changelog
@@ -1,3 +1,9 @@
+knative-serving-autoscaler (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-autoscaler (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/build/Dockerfile.template b/images/knative/serving/build/Dockerfile.template
@@ -10,6 +10,7 @@ COPY pull_13395.patch /tmp/pull_13395.patch
 COPY pull_13398.patch /tmp/pull_13398.patch
 COPY pull_13401.patch /tmp/pull_13401.patch
 COPY pull_13402.patch /tmp/pull_13402.patch
+COPY pull_14363.patch /tmp/pull_14363.patch
 RUN chmod o+rx /bin/builder.sh
 
 USER nobody
@@ -22,5 +23,6 @@ RUN mkdir -p {{ repo_base }} \
   && patch -l -p1 < /tmp/pull_13395.patch \
   && patch -l -p1 < /tmp/pull_13398.patch \
   && patch -l -p1 < /tmp/pull_13401.patch \
-  && patch -l -p1 < /tmp/pull_13402.patch
+  && patch -l -p1 < /tmp/pull_13402.patch \
+  && patch -l -p1 < /tmp/pull_14363.patch
 RUN /bin/builder.sh {{ repo_base }} serving
diff --git a/images/knative/serving/build/changelog b/images/knative/serving/build/changelog
@@ -1,3 +1,9 @@
+knative-build (1.7.2-6) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-build (1.7.2-5-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/build/pull_14363.patch b/images/knative/serving/build/pull_14363.patch
@@ -0,0 +1,86 @@
+From 72613d23483353ed27d8c40d0ae6ebf0ff986694 Mon Sep 17 00:00:00 2001
+From: Clay Kauzlaric <ckauzlaric@vmware.com>
+Date: Wed, 13 Sep 2023 12:57:30 -0400
+Subject: [PATCH 2/3] run as non root by default
+
+---
+ pkg/apis/serving/v1/revision_defaults.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go
+index 8acbf3446fd1..4805f5b1fe35 100644
+--- a/pkg/apis/serving/v1/revision_defaults.go
++++ b/pkg/apis/serving/v1/revision_defaults.go
+@@ -208,6 +208,10 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
+ 		}
+ 	}
+ 
++	if psc.RunAsNonRoot == nil {
++		updatedSC.RunAsNonRoot = ptr.Bool(true)
++	}
++
+ 	if *updatedSC != (corev1.SecurityContext{}) {
+ 		container.SecurityContext = updatedSC
+ 	}
+
+From 2cf6abf1cc3c884e13d4fab9dc03bbe8b7d3850e Mon Sep 17 00:00:00 2001
+From: Clay Kauzlaric <ckauzlaric@vmware.com>
+Date: Wed, 13 Sep 2023 16:26:53 -0400
+Subject: [PATCH 3/3] update tests to expect new default run as nonroot
+
+---
+ pkg/apis/serving/v1/revision_defaults_test.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go
+index 332fecfb4d9d..0fe5e65079b7 100644
+--- a/pkg/apis/serving/v1/revision_defaults_test.go
++++ b/pkg/apis/serving/v1/revision_defaults_test.go
+@@ -900,6 +900,7 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						ReadinessProbe: defaultProbe,
+ 						Resources:      defaultResources,
+ 						SecurityContext: &corev1.SecurityContext{
++							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(false),
+ 							SeccompProfile: &corev1.SeccompProfile{
+ 								Type: corev1.SeccompProfileTypeRuntimeDefault,
+@@ -913,6 +914,7 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						Name:      "sidecar",
+ 						Resources: defaultResources,
+ 						SecurityContext: &corev1.SecurityContext{
++							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(false),
+ 							SeccompProfile: &corev1.SeccompProfile{
+ 								Type: corev1.SeccompProfileTypeRuntimeDefault,
+@@ -925,6 +927,7 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						Name:      "special-sidecar",
+ 						Resources: defaultResources,
+ 						SecurityContext: &corev1.SecurityContext{
++							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(true),
+ 							SeccompProfile: &corev1.SeccompProfile{
+ 								Type: corev1.SeccompProfileTypeRuntimeDefault,
+@@ -938,6 +941,7 @@ func TestRevisionDefaulting(t *testing.T) {
+ 					InitContainers: []corev1.Container{{
+ 						Name: "special-init",
+ 						SecurityContext: &corev1.SecurityContext{
++							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(true),
+ 							SeccompProfile: &corev1.SeccompProfile{
+ 								Type:             corev1.SeccompProfileTypeLocalhost,
+@@ -1000,6 +1004,7 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						ReadinessProbe: defaultProbe,
+ 						Resources:      defaultResources,
+ 						SecurityContext: &corev1.SecurityContext{
++							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(false),
+ 							Capabilities: &corev1.Capabilities{
+ 								Drop: []corev1.Capability{"ALL"},
+@@ -1009,6 +1014,7 @@ func TestRevisionDefaulting(t *testing.T) {
+ 					InitContainers: []corev1.Container{{
+ 						Name: "init",
+ 						SecurityContext: &corev1.SecurityContext{
++							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(false),
+ 							Capabilities: &corev1.Capabilities{
+ 								Drop: []corev1.Capability{"ALL"},
diff --git a/images/knative/serving/controller/changelog b/images/knative/serving/controller/changelog
@@ -1,3 +1,9 @@
+knative-serving-controller (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-controller (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/domain-mapping-webhook/changelog b/images/knative/serving/domain-mapping-webhook/changelog
@@ -1,3 +1,9 @@
+knative-serving-domain-mapping-webhook (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-domain-mapping-webhook (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/domain-mapping/changelog b/images/knative/serving/domain-mapping/changelog
@@ -1,3 +1,9 @@
+knative-serving-domain-mapping (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14364.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-domain-mapping (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/queue/changelog b/images/knative/serving/queue/changelog
@@ -1,3 +1,9 @@
+knative-serving-queue (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-queue (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
diff --git a/images/knative/serving/webhook/changelog b/images/knative/serving/webhook/changelog
@@ -1,3 +1,9 @@
+knative-serving-webhook (1.7.2-7) wikimedia; urgency=medium
+
+  * Backport https://github.com/knative/serving/pull/14363.
+
+ -- Luca Toscano <ltoscano@wikimedia.org>  Wed, 26 Feb 2025 16:24:00 +0100
+
 knative-serving-webhook (1.7.2-6-20250223) wikimedia; urgency=medium
 
   * Weekly rebuild.
