1
0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2024-12-24 10:07:21 +02:00

Remove all default privileged plugins (#4053)

This commit is contained in:
6543 2024-09-02 10:41:20 +02:00 committed by GitHub
parent 6feab0093f
commit 32d1ec7cec
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 22 additions and 28 deletions

View File

@ -185,9 +185,12 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
volumes = append(volumes, repoPath+":"+path.Join(workspaceBase, workspacePath))
}
privilegedPlugins := c.StringSlice("plugins-privileged")
// lint the yaml file
err = linter.New(
linter.WithTrusted(true),
linter.PrivilegedPlugins(privilegedPlugins),
linter.WithTrustedClonePlugins(constant.TrustedClonePlugins),
).Lint([]*linter.WorkflowConfig{{
File: path.Base(file),
@ -205,7 +208,7 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
// compiles the yaml file
compiled, err := compiler.New(
compiler.WithEscalated(
c.StringSlice("privileged")...,
privilegedPlugins...,
),
compiler.WithVolumes(volumes...),
compiler.WithWorkspace(

View File

@ -18,8 +18,6 @@ import (
"time"
"github.com/urfave/cli/v3"
"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
)
var flags = []cli.Flag{
@ -58,9 +56,9 @@ var flags = []cli.Flag{
Hidden: true,
},
&cli.StringSliceFlag{
Name: "privileged",
Usage: "privileged plugins",
Value: constant.PrivilegedPlugins,
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
Name: "plugins-privileged",
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
},
&cli.StringFlag{
Sources: cli.EnvVars("WOODPECKER_BACKEND"),

View File

@ -37,6 +37,11 @@ var Command = &cli.Command{
ArgsUsage: "[path/to/.woodpecker.yaml]",
Action: lint,
Flags: []cli.Flag{
&cli.StringSliceFlag{
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
Name: "plugins-privileged",
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
},
&cli.StringSliceFlag{
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
Name: "plugins-trusted-clone",
@ -106,6 +111,7 @@ func lintFile(_ context.Context, c *cli.Command, file string) error {
// TODO: lint multiple files at once to allow checks for sth like "depends_on" to work
err = linter.New(
linter.WithTrusted(true),
linter.PrivilegedPlugins(c.StringSlice("plugins-privileged")),
linter.WithTrustedClonePlugins(c.StringSlice("plugins-trusted-clone")),
).Lint([]*linter.WorkflowConfig{config})
if err != nil {

View File

@ -160,10 +160,9 @@ var flags = append([]cli.Flag{
Value: time.Hour * 72,
},
&cli.StringSliceFlag{
Sources: cli.EnvVars("WOODPECKER_ESCALATE"),
Name: "escalate",
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
Name: "plugins-privileged",
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
Value: constant.PrivilegedPlugins,
},
&cli.StringSliceFlag{
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),

View File

@ -224,12 +224,7 @@ func setupEvilGlobals(ctx context.Context, c *cli.Command, s store.Store) error
server.Config.Pipeline.Volumes = c.StringSlice("volume")
server.Config.WebUI.EnableSwagger = c.Bool("enable-swagger")
server.Config.WebUI.SkipVersionCheck = c.Bool("skip-version-check")
// list has default value but should be able to be set to zero
server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("escalate")
if val, set := os.LookupEnv("WOODPECKER_ESCALATE"); set && val == "" {
server.Config.Pipeline.PrivilegedPlugins = []string{}
}
server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("plugins-privileged")
// prometheus
server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token")

View File

@ -348,9 +348,7 @@ Context: when someone does log into Woodpecker, a temporary session token is cre
As long as the session is valid (until it expires or log-out),
a user can log into Woodpecker, without re-authentication.
### `WOODPECKER_ESCALATE`
> Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)
### `WOODPECKER_PLUGINS_PRIVILEGED`
Docker images to run in privileged mode. Only change if you are sure what you do!

View File

@ -4,9 +4,10 @@ Some versions need some changes to the server configuration or the pipeline conf
## `next`
- Rename server environment variable `WOODPECKER_ESCALATE` to `WOODPECKER_PLUGINS_PRIVILEGED`
- Remove all default privileged plugins ([re-add plugins to the list via config if needed](./30-administration/10-server-config.md#woodpecker_plugins_privileged)).
- `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
- Check trusted-clone- and privileged-plugins by image name and tag (if tag is set)
- Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)).
- Secret filters for plugins now check against tag if specified
- Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
- Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use.

View File

@ -168,8 +168,8 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri
func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error {
// lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr") {
msg := "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead"
if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") {
msg := "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED"
// check first if user did not add them back
if l.privilegedPlugins != nil && !utils.MatchImage(c.Image, *l.privilegedPlugins...) {
return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)

View File

@ -171,7 +171,7 @@ func TestLintErrors(t *testing.T) {
},
{
from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }",
want: "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead",
want: "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED",
},
{
from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }",

View File

@ -14,12 +14,6 @@
package constant
// PrivilegedPlugins can be changed by 'WOODPECKER_ESCALATE' at runtime.
var PrivilegedPlugins = []string{
"docker.io/woodpeckerci/plugin-docker-buildx",
"codeberg.org/woodpecker-plugins/docker-buildx",
}
// DefaultConfigOrder represent the priority in witch woodpecker search for a pipeline config by default
// folders are indicated by supplying a trailing slash.
var DefaultConfigOrder = [...]string{