From 7df1279f45e0981a06c3af705873c4d1d797404d Mon Sep 17 00:00:00 2001
From: Marco Donadoni
Date: Thu, 16 May 2024 10:11:17 +0200
Subject: [PATCH 1/3] fix(config): read secret key from env (#615)

Make sure the secret key is propagated to the Flask app, instead of incorrectly using the default one.
---
 reana_workflow_controller/config.py | 3 +++
 reana_workflow_controller/factory.py | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/reana_workflow_controller/config.py b/reana_workflow_controller/config.py
index 060ec3a2..d4be5a64 100644
--- a/reana_workflow_controller/config.py
+++ b/reana_workflow_controller/config.py
@@ -22,6 +22,9 @@ def _env_vars_dict_to_k8s_list(env_vars):
 return [{"name": name, "value": str(value)} for name, value in env_vars.items()]
+SECRET_KEY = os.getenv("REANA_SECRET_KEY", "CHANGE_ME")
+"""Secret key used for the application user sessions."""
+
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 """Track modifications flag."""
diff --git a/reana_workflow_controller/factory.py b/reana_workflow_controller/factory.py
index d728651b..e37d0313 100644
--- a/reana_workflow_controller/factory.py
+++ b/reana_workflow_controller/factory.py
@@ -50,7 +50,6 @@ def create_app(config_mapping=None):
 if config_mapping:
 app.config.from_mapping(config_mapping)
- app.secret_key = "super secret key"
 # Register API routes
 from reana_workflow_controller.rest import (
 workflows_session,

From cf4ee734788da33f15a80e1fc1f0b3233ea5a007 Mon Sep 17 00:00:00 2001
From: Marco Donadoni
Date: Thu, 23 May 2024 15:16:18 +0200
Subject: [PATCH 2/3] fix(manager): pass RabbitMQ connection details to workflow engine (#615)

Make sure that workflow engines are able to connect to RabbitMQ to be able to publish workflow status update messages.
---
 reana_workflow_controller/config.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/reana_workflow_controller/config.py b/reana_workflow_controller/config.py
index d4be5a64..b47fad45 100644
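Review bot: The fallback in `SECRET_KEY = os.getenv("REANA_SECRET_KEY", "CHANGE_ME")` means a deployment that forgets to set the variable silently signs Flask session cookies with a public, static value — the same weakness as the `app.secret_key = "super secret key"` line removed in the factory.py hunk, only with a different string. Since the point of the commit is to stop relying on a default key, the module should either refuse to start without one or at least make the condition visible, e.g. keep the lookup and add `if SECRET_KEY == "CHANGE_ME": warnings.warn("REANA_SECRET_KEY is not set; using an insecure default secret key")` (stdlib `warnings`; the file's import block is outside this hunk, so confirm it is imported). The docstring would also benefit from one sentence saying the value must be set per deployment and must never be logged. factory.py's create_app begins before and continues past its hunk, so whether SECRET_KEY actually reaches app.config there (for instance via a from_object call on this module) is not visible in the diff and should be verified rather than assumed.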
--- a/reana_workflow_controller/config.py
+++ b/reana_workflow_controller/config.py
@@ -11,7 +11,11 @@
 import os
 import json
-from reana_commons.config import REANA_COMPONENT_PREFIX, SHARED_VOLUME_PATH
+from reana_commons.config import (
+ MQ_CONNECTION_STRING,
+ REANA_COMPONENT_PREFIX,
+ SHARED_VOLUME_PATH,
+)
 from reana_db.models import JobStatus, RunStatus
 from reana_workflow_controller.version import __version__
@@ -122,7 +126,8 @@ def _env_vars_dict_to_k8s_list(env_vars):
 """
 WORKFLOW_ENGINE_COMMON_ENV_VARS = [
- {"name": "SHARED_VOLUME_PATH", "value": SHARED_VOLUME_PATH}
+ {"name": "SHARED_VOLUME_PATH", "value": SHARED_VOLUME_PATH},
+ {"name": "RABBIT_MQ", "value": MQ_CONNECTION_STRING},
 ]
 """Common to all workflow engines environment variables."""

From 24563e568044e29d4399f78d8c081d144f116761 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Wed, 14 Aug 2024 14:07:46 +0200
Subject: [PATCH 3/3] fix(manager): avoid privilege escalation in Kubernetes jobs (#615)

Configure the security context of workflow orchestrator jobs to disallow privilege escalation.
---
 reana_workflow_controller/k8s.py | 4 +++-
 reana_workflow_controller/workflow_run_manager.py | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/reana_workflow_controller/k8s.py b/reana_workflow_controller/k8s.py
index 8d343003..31c3cf46 100644
--- a/reana_workflow_controller/k8s.py
+++ b/reana_workflow_controller/k8s.py
@@ -221,7 +221,9 @@ def add_environment_variable(self, name, value):
 def add_run_with_root_permissions(self):
 """Run interactive session with root."""
- security_context = client.V1SecurityContext(run_as_user=0)
+ security_context = client.V1SecurityContext(
+ run_as_user=0, allow_privilege_escalation=False
+ )
 self._session_container.security_context = security_context
 def add_user_secrets(self):
diff --git a/reana_workflow_controller/workflow_run_manager.py b/reana_workflow_controller/workflow_run_manager.py
index 3eee0b93..df4ca6d4 100644
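Review bot: `{"name": "RABBIT_MQ", "value": MQ_CONNECTION_STRING}` in the WORKFLOW_ENGINE_COMMON_ENV_VARS hunk places the broker connection string into a plain-text environment variable of every workflow engine job; if that string embeds the RabbitMQ credentials, as AMQP URLs commonly do (not visible here — check how reana_commons builds it), they become readable to anyone who can describe pods in the namespace and can surface in job dumps and logs. Prefer exposing the value through a Kubernetes Secret referenced with `valueFrom.secretKeyRef`, or at least keep credentials out of the URL and inject them separately from a secret. If the plain value stays for now, the docstring `"""Common to all workflow engines environment variables."""` should state that this list is rendered verbatim into the pod spec and must not carry secrets, so the next entry added here is not a password.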
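Review bot: `allow_privilege_escalation=False` next to `run_as_user=0` in add_run_with_root_permissions adds little on its own: the flag only sets no_new_privs, which blocks gaining privileges through setuid binaries or file capabilities, while a process that already runs as UID 0 keeps the runtime's default capability set. If a root session is genuinely required, also drop what it does not need, e.g. `capabilities=client.V1Capabilities(drop=["ALL"])` in the same V1SecurityContext (adding back individual capabilities only if the session is known to need them), and consider `read_only_root_filesystem=True` where the image allows it. The docstring `"""Run interactive session with root."""` should say explicitly that the container still runs as root and that the escalation flag does not reduce root's privileges, so the method is not read as a hardening step.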
--- a/reana_workflow_controller/workflow_run_manager.py
+++ b/reana_workflow_controller/workflow_run_manager.py
@@ -557,6 +557,7 @@ def _create_job_spec(
 workflow_engine_container.security_context = client.V1SecurityContext(
 run_as_group=WORKFLOW_RUNTIME_USER_GID,
 run_as_user=WORKFLOW_RUNTIME_USER_UID,
+ allow_privilege_escalation=False,
 )
 workflow_engine_container.volume_mounts = [workspace_mount]
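Review bot: The added `allow_privilege_escalation=False,` is the right setting for a container running as WORKFLOW_RUNTIME_USER_UID/GID, but the intent that the engine is non-root is not enforced: if those config values ever resolve to 0 the job would silently run as root with the flag being moot. Adding `run_as_non_root=True,` to the same V1SecurityContext makes the kubelet refuse such a pod, and `capabilities=client.V1Capabilities(drop=["ALL"])` is worth adding alongside unless the engine is known to need a capability. _create_job_spec starts before this hunk and continues past it, so the rest of the pod spec (for instance whether a seccomp profile is set) could not be checked here.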