Remove all default privileged plugins (#4053)
parent
6feab0093f
commit
32d1ec7cec
@ -185,9 +185,12 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
|
||||
volumes = append(volumes, repoPath+":"+path.Join(workspaceBase, workspacePath))
|
||||
}
|
||||
|
||||
privilegedPlugins := c.StringSlice("plugins-privileged")
|
||||
|
||||
// lint the yaml file
|
||||
err = linter.New(
|
||||
linter.WithTrusted(true),
|
||||
linter.PrivilegedPlugins(privilegedPlugins),
|
||||
linter.WithTrustedClonePlugins(constant.TrustedClonePlugins),
|
||||
).Lint([]*linter.WorkflowConfig{{
|
||||
File: path.Base(file),
|
||||
@ -205,7 +208,7 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
|
||||
// compiles the yaml file
|
||||
compiled, err := compiler.New(
|
||||
compiler.WithEscalated(
|
||||
c.StringSlice("privileged")...,
|
||||
privilegedPlugins...,
|
||||
),
|
||||
compiler.WithVolumes(volumes...),
|
||||
compiler.WithWorkspace(
|
||||
|
@ -18,8 +18,6 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/urfave/cli/v3"
|
||||
|
||||
"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
|
||||
)
|
||||
|
||||
var flags = []cli.Flag{
|
||||
@ -58,9 +56,9 @@ var flags = []cli.Flag{
|
||||
Hidden: true,
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Name: "privileged",
|
||||
Usage: "privileged plugins",
|
||||
Value: constant.PrivilegedPlugins,
|
||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
|
||||
Name: "plugins-privileged",
|
||||
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Sources: cli.EnvVars("WOODPECKER_BACKEND"),
|
||||
|
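Review bot: The exec flag is renamed from `privileged` to `plugins-privileged` (`Name: "plugins-privileged"`) without keeping the old name, so existing `woodpecker exec --privileged ...` invocations will stop parsing, and the migration note in this commit records only the server-side `WOODPECKER_ESCALATE` rename. If the break is intended, the migration note should list the CLI flag as well; otherwise `Aliases: []string{"privileged"}` on the new flag keeps old invocations working while the default list is still dropped (the exact alias field should be checked against the urfave/cli v3 version in go.mod, which I cannot see here). The `flags` slice starts and ends outside the hunk.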
@ -37,6 +37,11 @@ var Command = &cli.Command{
|
||||
ArgsUsage: "[path/to/.woodpecker.yaml]",
|
||||
Action: lint,
|
||||
Flags: []cli.Flag{
|
||||
&cli.StringSliceFlag{
|
||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
|
||||
Name: "plugins-privileged",
|
||||
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
|
||||
Name: "plugins-trusted-clone",
|
||||
@ -106,6 +111,7 @@ func lintFile(_ context.Context, c *cli.Command, file string) error {
|
||||
// TODO: lint multiple files at once to allow checks for sth like "depends_on" to work
|
||||
err = linter.New(
|
||||
linter.WithTrusted(true),
|
||||
linter.PrivilegedPlugins(c.StringSlice("plugins-privileged")),
|
||||
linter.WithTrustedClonePlugins(c.StringSlice("plugins-trusted-clone")),
|
||||
).Lint([]*linter.WorkflowConfig{config})
|
||||
if err != nil {
|
||||
|
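Review bot: The new `plugins-privileged` flag on the lint command has no default, so `woodpecker lint` now errors on any pipeline using `plugins/docker` or `woodpeckerci/plugin-docker-buildx` unless the user reproduces the server's allow-list locally, and nothing in the flag's Usage text tells them that the list must mirror the server's. Consider making it explicit, e.g. `Usage: "Plugins allowed to run in privileged mode; set to the server's WOODPECKER_PLUGINS_PRIVILEGED list so lint results match the server"`. The `Command` declaration and `lintFile` both start outside the hunk.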
@ -160,10 +160,9 @@ var flags = append([]cli.Flag{
|
||||
Value: time.Hour * 72,
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Sources: cli.EnvVars("WOODPECKER_ESCALATE"),
|
||||
Name: "escalate",
|
||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
|
||||
Name: "plugins-privileged",
|
||||
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
||||
Value: constant.PrivilegedPlugins,
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
|
||||
|
@ -224,12 +224,7 @@ func setupEvilGlobals(ctx context.Context, c *cli.Command, s store.Store) error
|
||||
server.Config.Pipeline.Volumes = c.StringSlice("volume")
|
||||
server.Config.WebUI.EnableSwagger = c.Bool("enable-swagger")
|
||||
server.Config.WebUI.SkipVersionCheck = c.Bool("skip-version-check")
|
||||
|
||||
// list has default value but should be able to be set to zero
|
||||
server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("escalate")
|
||||
if val, set := os.LookupEnv("WOODPECKER_ESCALATE"); set && val == "" {
|
||||
server.Config.Pipeline.PrivilegedPlugins = []string{}
|
||||
}
|
||||
server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("plugins-privileged")
|
||||
|
||||
// prometheus
|
||||
server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token")
|
||||
|
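Review bot: A deployment that still sets `WOODPECKER_ESCALATE` now silently gets an empty privileged list, because the old variable is no longer read anywhere in this hunk; that is the fail-safe direction (plugins lose privilege rather than gain it), but it will surface as confusing pipeline failures instead of a configuration error. A deprecation warning at the assignment would make it visible, e.g. `if _, set := os.LookupEnv("WOODPECKER_ESCALATE"); set { log.Warn().Msg("WOODPECKER_ESCALATE is no longer read, use WOODPECKER_PLUGINS_PRIVILEGED") }` using whatever logger setup.go already imports. Dropping the `os.LookupEnv` call may also leave the `os` import unused if this was its only use; the import block is not visible here. `setupEvilGlobals` starts and ends outside the hunk.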
@ -348,9 +348,7 @@ Context: when someone does log into Woodpecker, a temporary session token is cre
|
||||
As long as the session is valid (until it expires or log-out),
|
||||
a user can log into Woodpecker, without re-authentication.
|
||||
|
||||
### `WOODPECKER_ESCALATE`
|
||||
|
||||
> Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)
|
||||
### `WOODPECKER_PLUGINS_PRIVILEGED`
|
||||
|
||||
Docker images to run in privileged mode. Only change if you are sure what you do!
|
||||
|
||||
|
@ -4,9 +4,10 @@ Some versions need some changes to the server configuration or the pipeline conf
|
||||
|
||||
## `next`
|
||||
|
||||
- Rename server environment variable `WOODPECKER_ESCALATE` to `WOODPECKER_PLUGINS_PRIVILEGED`
|
||||
- Remove all default privileged plugins ([re-add plugins to the list via config if needed](./30-administration/10-server-config.md#woodpecker_plugins_privileged)).
|
||||
- `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
|
||||
- Check trusted-clone- and privileged-plugins by image name and tag (if tag is set)
|
||||
- Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)).
|
||||
- Secret filters for plugins now check against tag if specified
|
||||
- Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
|
||||
- Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use.
|
||||
|
@ -168,8 +168,8 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri
|
||||
|
||||
func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error {
|
||||
// lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
|
||||
if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr") {
|
||||
msg := "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead"
|
||||
if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") {
|
||||
msg := "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED"
|
||||
// check first if user did not add them back
|
||||
if l.privilegedPlugins != nil && !utils.MatchImage(c.Image, *l.privilegedPlugins...) {
|
||||
return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)
|
||||
|
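Review bot: The match list at `utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx")` covers the Docker Hub name of the buildx plugin but not `codeberg.org/woodpecker-plugins/docker-buildx`, which this same commit removes from the default list in constant.go, so a pipeline pulling the plugin from Codeberg gets no lint hint when it quietly stops running privileged (unless `MatchImage` treats the two as aliases, which I cannot confirm from here). Adding that image to the list keeps the hint consistent with what was actually removed. The user-facing message also has a typo, `add it too` should read `add it to`, and the mirrored string in linter_test.go must change with it. The PR-3918 comment above the check now describes a broader check than it originally did. `lintPrivilegedPlugins` continues past the end of the hunk.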
@ -171,7 +171,7 @@ func TestLintErrors(t *testing.T) {
|
||||
},
|
||||
{
|
||||
from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }",
|
||||
want: "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead",
|
||||
want: "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED",
|
||||
},
|
||||
{
|
||||
from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }",
|
||||
|
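Review bot: The only table case exercising `lintPrivilegedPlugins` still uses `plugins/docker`; nothing asserts that `woodpeckerci/plugin-docker-buildx`, newly added to the lint match list in this commit, is rejected by default, nor that passing it through `linter.PrivilegedPlugins` suppresses the error. A second case such as `from: "{steps: { build: { image: woodpeckerci/plugin-docker-buildx, settings: { repo: foo } } }, when: { branch: main, event: push } } }", want: "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED",` would pin the behavior the migration note promises, and a companion case with the image re-added via the option should expect no error. `TestLintErrors` starts and ends outside the hunk.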
@ -14,12 +14,6 @@
|
||||
|
||||
package constant
|
||||
|
||||
// PrivilegedPlugins can be changed by 'WOODPECKER_ESCALATE' at runtime.
|
||||
var PrivilegedPlugins = []string{
|
||||
"docker.io/woodpeckerci/plugin-docker-buildx",
|
||||
"codeberg.org/woodpecker-plugins/docker-buildx",
|
||||
}
|
||||
|
||||
// DefaultConfigOrder represent the priority in witch woodpecker search for a pipeline config by default
|
||||
// folders are indicated by supplying a trailing slash.
|
||||
var DefaultConfigOrder = [...]string{
|
||||
|