wip: enforcement runtime flag

go-vela · wass3r · Nov 9, 2022 · Oct 12, 2022 · Oct 12, 2022 · Oct 12, 2022
commit 498277816686690c6f19fefb6e80a9e2378cf74f
@@ -52,16 +52,16 @@ func (w *Worker) exec(index int) error {
 	//
 	// https://pkg.go.dev/github.com/go-vela/worker/runtime?tab=doc#New
 	w.Runtime, err = runtime.New(&runtime.Setup{
-		Logger:           logger,
-		Mock:             w.Config.Mock,
-		Driver:           w.Config.Runtime.Driver,
-		ConfigFile:       w.Config.Runtime.ConfigFile,
-		HostVolumes:      w.Config.Runtime.HostVolumes,
-		Namespace:        w.Config.Runtime.Namespace,
-		PodsTemplateName: w.Config.Runtime.PodsTemplateName,
-		PodsTemplateFile: w.Config.Runtime.PodsTemplateFile,
-		PrivilegedImages: w.Config.Runtime.PrivilegedImages,
-		EnableTrusted:    w.Config.Runtime.EnableTrusted,
+		Logger:              logger,
+		Mock:                w.Config.Mock,
+		Driver:              w.Config.Runtime.Driver,
+		ConfigFile:          w.Config.Runtime.ConfigFile,
+		HostVolumes:         w.Config.Runtime.HostVolumes,
+		Namespace:           w.Config.Runtime.Namespace,
+		PodsTemplateName:    w.Config.Runtime.PodsTemplateName,
+		PodsTemplateFile:    w.Config.Runtime.PodsTemplateFile,
+		PrivilegedImages:    w.Config.Runtime.PrivilegedImages,
+		EnforceTrustedRepos: w.Config.Runtime.EnforceTrustedRepos,
 	})
 	if err != nil {
 		return err

@@ -104,14 +104,14 @@ func run(c *cli.Context) error {
 			},
 			// runtime configuration
 			Runtime: &runtime.Setup{
-				Driver:           c.String("runtime.driver"),
-				ConfigFile:       c.String("runtime.config"),
-				Namespace:        c.String("runtime.namespace"),
-				PodsTemplateName: c.String("runtime.pods-template-name"),
-				PodsTemplateFile: c.Path("runtime.pods-template-file"),
-				HostVolumes:      c.StringSlice("runtime.volumes"),
-				PrivilegedImages: c.StringSlice("runtime.privileged-images"),
-				EnableTrusted:    c.Bool("runtime.enable-trusted"),
+				Driver:              c.String("runtime.driver"),
+				ConfigFile:          c.String("runtime.config"),
+				Namespace:           c.String("runtime.namespace"),
+				PodsTemplateName:    c.String("runtime.pods-template-name"),
+				PodsTemplateFile:    c.Path("runtime.pods-template-file"),
+				HostVolumes:         c.StringSlice("runtime.volumes"),
+				PrivilegedImages:    c.StringSlice("runtime.privileged-images"),
+				EnforceTrustedRepos: c.Bool("runtime.enforce-trusted-repos"),
 			},
 			// queue configuration
 			Queue: &queue.Setup{
@@ -136,8 +136,7 @@ func run(c *cli.Context) error {
 		},
 		Executors: make(map[int]executor.Engine),
 	}
-	logrus.Tracef("runtime setup trusted flag: %v", w.Config.Runtime.EnableTrusted)
-	logrus.Tracef("runtime.enable-trusted flag picked up from CLI config: %v", c.Bool("runtime.enable-trusted"))
+
 	// set the worker address if no flag was provided
 	if len(w.Config.API.Address.String()) == 0 {
 		w.Config.API.Address, _ = url.Parse(fmt.Sprintf("http://%s", hostname))

diff --git a/runtime/docker/container.go b/runtime/docker/container.go
@@ -13,7 +13,6 @@ import (
 
 	"github.com/go-vela/types/constants"
 	"github.com/go-vela/types/library"
-	"github.com/sirupsen/logrus"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -149,11 +148,9 @@ func (c *client) RunContainer(ctx context.Context, ctn *pipeline.Container, b *p
 			return err
 		}
 
-		logrus.Tracef("running priv container with enableTrusted: %v", c.config.EnableTrusted)
-
 		if privileged {
 			// ensure repo is trusted and therefore allowed to run privileged containers
-			if c.config.EnableTrusted && (r == nil || !r.GetTrusted()) {
+			if c.config.EnforceTrustedRepos && (r == nil || !r.GetTrusted()) {
 				return errors.New("repo must be trusted to run privileged images")
 			}
 

diff --git a/runtime/docker/docker.go b/runtime/docker/docker.go
@@ -29,10 +29,10 @@ const Version = "v1.40"
 type config struct {
 	// specifies a list of privileged images to use for the Docker client
 	Images []string
+	// EnforceTrustedRepos sets whether to enforce trusted repo restrictions on privileged images for the Docker client
+	EnforceTrustedRepos bool
 	// specifies a list of host volumes to use for the Docker client
 	Volumes []string
-	// enable trusted repo restrictions
-	EnableTrusted bool
 }
 
 type client struct {

diff --git a/runtime/docker/opts.go b/runtime/docker/opts.go
@@ -50,13 +50,13 @@ func WithPrivilegedImages(images []string) ClientOpt {
 	}
 }
 
-// WithEnableTrusted sets FILL ME.
-func WithEnableTrusted(enable bool) ClientOpt {
+// WithEnforceTrustedRepos sets whether to enforce trusted repo restrictions on privileged images in the runtime client for Docker.
+func WithEnforceTrustedRepos(enforce bool) ClientOpt {
 	return func(c *client) error {
-		c.Logger.Trace("configuring privileged restrictions in docker runtime client")
+		c.Logger.Trace("configuring trusted repo restrictions on privileged images in docker runtime client")
 
-		// set the runtime privileged trusted restrictions in the docker client
-		c.config.EnableTrusted = enable
+		// set configuration for using trusted repo restrictions in the docker client
+		c.config.EnforceTrustedRepos = enforce
 
 		return nil
 	}

diff --git a/runtime/flags.go b/runtime/flags.go
@@ -61,13 +61,11 @@ var Flags = []cli.Flag{
 		Name:     "runtime.volumes",
 		Usage:    "list of host volumes to mount for the runtime",
 	},
-	&cli.BoolFlag{ // overaching feature flag to enable trusted repo column to actually mean something
-		// enabling this will restrict privileged images to not run unless the repo 'trusted' field is 'true'
-		// protect privileged container execution using repo.trusted field
-		EnvVars:  []string{"VELA_RUNTIME_ENABLE_TRUSTED", "RUNTIME_ENABLE_TRUSTED"},
-		FilePath: "/vela/runtime/enable_trusted",
-		Name:     "runtime.enable-trusted",
-		Usage:    "enable trusted repo restrictions for privileged images",
+	&cli.BoolFlag{
+		EnvVars:  []string{"VELA_RUNTIME_ENFORCE_TRUSTED_REPOS", "RUNTIME_ENFORCE_TRUSTED_REPOS"},
+		FilePath: "/vela/runtime/enforce_trusted_repos",
+		Name:     "runtime.enforce-trusted-repos",
+		Usage:    "enforce trusted repo restrictions for privileged images",
 		Value:    false,
 	},
 }
diff --git a/runtime/kubernetes/container.go b/runtime/kubernetes/container.go
@@ -169,7 +169,7 @@ func (c *client) SetupContainer(ctx context.Context, ctn *pipeline.Container, r
 		}
 
 		// ensure repo is trusted and therefore allowed to run privileged containers
-		if c.config.EnableTrusted && (r == nil || !r.GetTrusted()) {
+		if c.config.EnforceTrustedRepos && (r == nil || !r.GetTrusted()) {
 			return errors.New("repo must be trusted to run privileged images")
 		}
 

diff --git a/runtime/kubernetes/kubernetes.go b/runtime/kubernetes/kubernetes.go
@@ -26,8 +26,8 @@ type config struct {
 	Namespace string
 	// specifies a list of privileged images to use for the Kubernetes client
 	Images []string
-	// EnableTrusted FILL ME
-	EnableTrusted bool
+	// EnforceTrustedRepos sets whether to enforce trusted repo restrictions on privileged images for the Kubernetes client
+	EnforceTrustedRepos bool
 	// specifies a list of host volumes to use for the Kubernetes client
 	Volumes []string
 	// PipelinePodsTemplateName has the name of the PipelinePodTemplate to retrieve from the Namespace

diff --git a/runtime/kubernetes/opts.go b/runtime/kubernetes/opts.go
@@ -124,13 +124,13 @@ func WithPrivilegedImages(images []string) ClientOpt {
 	}
 }
 
-// WithEnableTrusted sets  FILL ME.
-func WithEnableTrusted(enable bool) ClientOpt {
+// WithEnforceTrustedRepos sets whether to enforce trusted repo restrictions on privileged images in the runtime client for Kubernetes.
+func WithEnforceTrustedRepos(enable bool) ClientOpt {
 	return func(c *client) error {
 		c.Logger.Trace("configuring FILLME in kubernetes runtime client")
 
 		// set the runtime FILLME in the kubernetes client
-		c.config.EnableTrusted = enable
+		c.config.EnforceTrustedRepos = enable
 
 		return nil
 	}

diff --git a/runtime/setup.go b/runtime/setup.go
@@ -42,21 +42,19 @@ type Setup struct {
 	PodsTemplateFile string
 	// specifies a list of privileged images to use for the runtime client
 	PrivilegedImages []string
-	// specifies settings for restrictions on trusted repos
-	EnableTrusted bool
+	// EnforceTrustedRepos sets whether to enforce trusted repo restrictions on privileged images for the runtime client
+	EnforceTrustedRepos bool
 }
 
 // Docker creates and returns a Vela engine capable of
 // integrating with a Docker runtime environment.
 func (s *Setup) Docker() (Engine, error) {
 	logrus.Trace("creating docker runtime client from setup")
 
-	logrus.Trace("creating docker runtime using enable trusted %v", s.EnableTrusted)
-
 	opts := []docker.ClientOpt{
 		docker.WithHostVolumes(s.HostVolumes),
 		docker.WithPrivilegedImages(s.PrivilegedImages),
-		docker.WithEnableTrusted(s.EnableTrusted),
+		docker.WithEnforceTrustedRepos(s.EnforceTrustedRepos),
 		docker.WithLogger(s.Logger),
 	}
 
@@ -84,7 +82,7 @@ func (s *Setup) Kubernetes() (Engine, error) {
 		kubernetes.WithNamespace(s.Namespace),
 		kubernetes.WithPodsTemplate(s.PodsTemplateName, s.PodsTemplateFile),
 		kubernetes.WithPrivilegedImages(s.PrivilegedImages),
-		kubernetes.WithEnableTrusted(s.EnableTrusted),
+		kubernetes.WithEnforceTrustedRepos(s.EnforceTrustedRepos),
 		kubernetes.WithLogger(s.Logger),
 	}