Add set-security-context-read-only-root-filesystem as a feature flag

Prior to this change it was not possible to set readOnlyRootFilesystem for tekton pipeline containers.

This change allows users to set readOnlyRootFilesystem in container securityContext for all containers.
Aligns tekton with industry best practices for kuberenetes security, such as Azure Kubernetes Services deployment safeguards.

config/config-feature-flags.yaml

@@ -117,6 +117,8 @@ data:
   # This allows TaskRuns to run in namespaces with "restricted" pod security standards.
   # Not all Kubernetes implementations support this option.
   set-security-context: "false"
+  # Setting this flag to "true" will set root filesystemt to readonly for containers injected by Tekton into TaskRuns.
+  set-security-context-read-only-root-filesystem: "false"
   # Setting this flag to "true" will keep pod on cancellation
   # allowing examination of the logs on the pods from cancelled taskruns
   keep-pod-on-cancel: "false"

docs/additional-configs.md

@@ -360,6 +360,11 @@ Defaults to "ignore".
 - `set-security-context`: Set this flag to `true` to set a security context for containers injected by Tekton that will allow TaskRun pods
 to run in namespaces with `restricted` pod security admission. By default, this is set to `false`.
 
+- `set-security-context-read-only-root-filesystem`: Set this flag to `true` to enable `readOnlyRootFilesystem` in the
+  security context for containers injected by Tekton. This makes the root filesystem of the container read-only,
+  enhancing security. Note that this requires `set-security-context` to be enabled. By default, this flag is set
+  to `false`. Note: This feature does not work in windows as it is not supported there, [Comparison with linux](https://kubernetes.io/docs/concepts/windows/intro/#compatibility-linux-similarities). 
+
 ### Alpha Features
 
 Alpha features in the following table are still in development and their syntax is subject to change.

pkg/apis/config/feature_flags.go

@@ -94,6 +94,8 @@ const (
 	DefaultMaxResultSize = 4096
 	// DefaultSetSecurityContext is the default value for "set-security-context"
 	DefaultSetSecurityContext = false
+	// DefaultSetSecurityContextReadOnlyRootFilesystem is the default value for "set-security-context-read-only-root-filesystem"
+	DefaultSetSecurityContextReadOnlyRootFilesystem = false
 	// DefaultCoschedule is the default value for coschedule
 	DefaultCoschedule = CoscheduleWorkspaces
 	// KeepPodOnCancel is the flag used to enable cancelling a pod using the entrypoint, and keep pod on cancel
@@ -123,15 +125,16 @@ const (
 	awaitSidecarReadinessKey            = "await-sidecar-readiness"
 	requireGitSSHSecretKnownHostsKey    = "require-git-ssh-secret-known-hosts" //nolint:gosec
 	// enableTektonOCIBundles              = "enable-tekton-oci-bundles"
-	enableAPIFields           = "enable-api-fields"
-	sendCloudEventsForRuns    = "send-cloudevents-for-runs"
-	enforceNonfalsifiability  = "enforce-nonfalsifiability"
-	verificationNoMatchPolicy = "trusted-resources-verification-no-match-policy"
-	enableProvenanceInStatus  = "enable-provenance-in-status"
-	resultExtractionMethod    = "results-from"
-	maxResultSize             = "max-result-size"
-	setSecurityContextKey     = "set-security-context"
-	coscheduleKey             = "coschedule"
+	enableAPIFields                             = "enable-api-fields"
+	sendCloudEventsForRuns                      = "send-cloudevents-for-runs"
+	enforceNonfalsifiability                    = "enforce-nonfalsifiability"
+	verificationNoMatchPolicy                   = "trusted-resources-verification-no-match-policy"
+	enableProvenanceInStatus                    = "enable-provenance-in-status"
+	resultExtractionMethod                      = "results-from"
+	maxResultSize                               = "max-result-size"
+	setSecurityContextKey                       = "set-security-context"
+	setSecurityContextReadOnlyRootFilesystemKey = "set-security-context-read-only-root-filesystem"
+	coscheduleKey                               = "coschedule"
 )
 
 // DefaultFeatureFlags holds all the default configurations for the feature flags configmap.
@@ -200,19 +203,20 @@ type FeatureFlags struct {
 	// ignore: skip trusted resources verification when no matching verification policies found
 	// warn: skip trusted resources verification when no matching verification policies found and log a warning
 	// fail: fail the taskrun or pipelines run if no matching verification policies found
-	VerificationNoMatchPolicy   string
-	EnableProvenanceInStatus    bool
-	ResultExtractionMethod      string
-	MaxResultSize               int
-	SetSecurityContext          bool
-	Coschedule                  string
-	EnableCELInWhenExpression   bool
-	EnableStepActions           bool
-	EnableParamEnum             bool
-	EnableArtifacts             bool
-	DisableInlineSpec           string
-	EnableConciseResolverSyntax bool
-	EnableKubernetesSidecar     bool
+	VerificationNoMatchPolicy                string
+	EnableProvenanceInStatus                 bool
+	ResultExtractionMethod                   string
+	MaxResultSize                            int
+	SetSecurityContext                       bool
+	SetSecurityContextReadOnlyRootFilesystem bool
+	Coschedule                               string
+	EnableCELInWhenExpression                bool
+	EnableStepActions                        bool
+	EnableParamEnum                          bool
+	EnableArtifacts                          bool
+	DisableInlineSpec                        string
+	EnableConciseResolverSyntax              bool
+	EnableKubernetesSidecar                  bool
 }
 
 // GetFeatureFlagsConfigName returns the name of the configmap containing all
@@ -295,6 +299,9 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 	if err := setFeature(setSecurityContextKey, DefaultSetSecurityContext, &tc.SetSecurityContext); err != nil {
 		return nil, err
 	}
+	if err := setFeature(setSecurityContextReadOnlyRootFilesystemKey, DefaultSetSecurityContextReadOnlyRootFilesystem, &tc.SetSecurityContextReadOnlyRootFilesystem); err != nil {
+		return nil, err
+	}
 	if err := setCoschedule(cfgMap, DefaultCoschedule, tc.DisableAffinityAssistant, &tc.Coschedule); err != nil {
 		return nil, err
 	}

pkg/apis/config/feature_flags_test.go

@@ -63,27 +63,28 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
 		},
 		{
 			expectedConfig: &config.FeatureFlags{
-				DisableAffinityAssistant:         true,
-				RunningInEnvWithInjectedSidecars: false,
-				AwaitSidecarReadiness:            false,
-				RequireGitSSHSecretKnownHosts:    true,
-				EnableAPIFields:                  "alpha",
-				SendCloudEventsForRuns:           true,
-				EnforceNonfalsifiability:         "spire",
-				VerificationNoMatchPolicy:        config.FailNoMatchPolicy,
-				EnableProvenanceInStatus:         false,
-				ResultExtractionMethod:           "termination-message",
-				EnableKeepPodOnCancel:            true,
-				MaxResultSize:                    4096,
-				SetSecurityContext:               true,
-				Coschedule:                       config.CoscheduleDisabled,
-				EnableCELInWhenExpression:        true,
-				EnableStepActions:                true,
-				EnableArtifacts:                  true,
-				EnableParamEnum:                  true,
-				DisableInlineSpec:                "pipeline,pipelinerun,taskrun",
-				EnableConciseResolverSyntax:      true,
-				EnableKubernetesSidecar:          true,
+				DisableAffinityAssistant:                 true,
+				RunningInEnvWithInjectedSidecars:         false,
+				AwaitSidecarReadiness:                    false,
+				RequireGitSSHSecretKnownHosts:            true,
+				EnableAPIFields:                          "alpha",
+				SendCloudEventsForRuns:                   true,
+				EnforceNonfalsifiability:                 "spire",
+				VerificationNoMatchPolicy:                config.FailNoMatchPolicy,
+				EnableProvenanceInStatus:                 false,
+				ResultExtractionMethod:                   "termination-message",
+				EnableKeepPodOnCancel:                    true,
+				MaxResultSize:                            4096,
+				SetSecurityContext:                       true,
+				SetSecurityContextReadOnlyRootFilesystem: true,
+				Coschedule:                               config.CoscheduleDisabled,
+				EnableCELInWhenExpression:                true,
+				EnableStepActions:                        true,
+				EnableArtifacts:                          true,
+				EnableParamEnum:                          true,
+				DisableInlineSpec:                        "pipeline,pipelinerun,taskrun",
+				EnableConciseResolverSyntax:              true,
+				EnableKubernetesSidecar:                  true,
 			},
 			fileName: "feature-flags-all-flags-set",
 		},

pkg/apis/config/testdata/feature-flags-all-flags-set.yaml

@@ -31,6 +31,7 @@ data:
   trusted-resources-verification-no-match-policy: "fail"
   enable-provenance-in-status: "false"
   set-security-context: "true"
+  set-security-context-read-only-root-filesystem: "true"
   keep-pod-on-cancel: "true"
   enable-cel-in-whenexpression: "true"
   enable-step-actions: "true"

pkg/internal/affinityassistant/affinityassistant_types.go

@@ -17,6 +17,8 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/tektoncd/pipeline/pkg/pod"
+
 	"github.com/tektoncd/pipeline/pkg/apis/config"
 )
 
@@ -57,6 +59,6 @@ func GetAffinityAssistantBehavior(ctx context.Context) (AffinityAssistantBehavio
 
 // ContainerConfig defines AffinityAssistant container configuration
 type ContainerConfig struct {
-	Image              string
-	SetSecurityContext bool
+	Image                 string
+	SecurityContextConfig pod.SecurityContext
 }

pkg/pod/SecurityContext.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2024 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pod
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+var (
+	// Used in security context of pod init containers
+	allowPrivilegeEscalation = false
+	runAsNonRoot             = true
+	readOnlyRootFilesystem   = true
+
+	// LinuxSecurityContext allow init containers to run in namespaces
+	// with "restricted" pod security admission
+	// See https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+	LinuxSecurityContext = &corev1.SecurityContext{
+		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		RunAsNonRoot: &runAsNonRoot,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+	WindowsSecurityContext = &corev1.SecurityContext{
+		RunAsNonRoot: &runAsNonRoot,
+	}
+)
+
+// SecurityContext defines AffinityAssistant container configuration
+type SecurityContext struct {
+	SetSecurityContext        bool
+	SetReadOnlyRootFilesystem bool
+}
+
+func (c SecurityContext) GetSecurityContext(isWindows bool) *corev1.SecurityContext {
+	if isWindows {
+		return WindowsSecurityContext
+	}
+
+	if !c.SetReadOnlyRootFilesystem {
+		return LinuxSecurityContext
+	}
+
+	securityContext := LinuxSecurityContext.DeepCopy()
+	securityContext.ReadOnlyRootFilesystem = &readOnlyRootFilesystem
+	return securityContext
+}

pkg/pod/pod.go

@@ -127,27 +127,6 @@ var (
 
 	// MaxActiveDeadlineSeconds is a maximum permitted value to be used for a task with no timeout
 	MaxActiveDeadlineSeconds = int64(math.MaxInt32)
-
-	// Used in security context of pod init containers
-	allowPrivilegeEscalation = false
-	runAsNonRoot             = true
-
-	// LinuxSecurityContext allow init containers to run in namespaces
-	// with "restricted" pod security admission
-	// See https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-	LinuxSecurityContext = &corev1.SecurityContext{
-		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
-		},
-		RunAsNonRoot: &runAsNonRoot,
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
-	}
-	WindowsSecurityContext = &corev1.SecurityContext{
-		RunAsNonRoot: &runAsNonRoot,
-	}
 )
 
 // Builder exposes options to configure Pod construction from TaskSpecs/Runs.
@@ -178,6 +157,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	sidecarLogsResultsEnabled := config.FromContextOrDefaults(ctx).FeatureFlags.ResultExtractionMethod == config.ResultExtractionMethodSidecarLogs
 	enableKeepPodOnCancel := featureFlags.EnableKeepPodOnCancel
 	setSecurityContext := config.FromContextOrDefaults(ctx).FeatureFlags.SetSecurityContext
+	setSecurityContextReadOnlyRootFilesystem := config.FromContextOrDefaults(ctx).FeatureFlags.SetSecurityContextReadOnlyRootFilesystem
 
 	// Add our implicit volumes first, so they can be overridden by the user if they prefer.
 	volumes = append(volumes, implicitVolumes...)
@@ -212,11 +192,17 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	if taskRun.Spec.ComputeResources != nil {
 		tasklevel.ApplyTaskLevelComputeResources(steps, taskRun.Spec.ComputeResources)
 	}
+
+	securityContextConfig := SecurityContext{
+		SetSecurityContext:        setSecurityContext,
+		SetReadOnlyRootFilesystem: setSecurityContextReadOnlyRootFilesystem,
+	}
+
 	windows := usesWindows(taskRun)
 	if sidecarLogsResultsEnabled {
 		if taskSpec.Results != nil || artifactsPathReferenced(steps) {
 			// create a results sidecar
-			resultsSidecar, err := createResultsSidecar(taskSpec, b.Images.SidecarLogResultsImage, setSecurityContext, windows)
+			resultsSidecar, err := createResultsSidecar(taskSpec, b.Images.SidecarLogResultsImage, securityContextConfig, windows)
 			if err != nil {
 				return nil, err
 			}
@@ -231,15 +217,15 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	}
 
 	initContainers = []corev1.Container{
-		entrypointInitContainer(b.Images.EntrypointImage, steps, setSecurityContext, windows),
+		entrypointInitContainer(b.Images.EntrypointImage, steps, securityContextConfig, windows),
 	}
 
 	// Convert any steps with Script to command+args.
 	// If any are found, append an init container to initialize scripts.
 	if alphaAPIEnabled {
-		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, b.Images.ShellImageWin, steps, sidecars, taskRun.Spec.Debug, setSecurityContext)
+		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, b.Images.ShellImageWin, steps, sidecars, taskRun.Spec.Debug, securityContextConfig)
 	} else {
-		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, "", steps, sidecars, nil, setSecurityContext)
+		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, "", steps, sidecars, nil, securityContextConfig)
 	}
 
 	if scriptsInit != nil {
@@ -250,7 +236,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 		volumes = append(volumes, debugScriptsVolume, debugInfoVolume)
 	}
 	// Initialize any workingDirs under /workspace.
-	if workingDirInit := workingDirInit(b.Images.WorkingDirInitImage, stepContainers, setSecurityContext, windows); workingDirInit != nil {
+	if workingDirInit := workingDirInit(b.Images.WorkingDirInitImage, stepContainers, securityContextConfig, windows); workingDirInit != nil {
 		initContainers = append(initContainers, *workingDirInit)
 	}
 
@@ -695,18 +681,14 @@ func runVolume(i int) corev1.Volume {
 // This should effectively merge multiple command and volumes together.
 // If setSecurityContext is true, the init container will include a security context
 // allowing it to run in namespaces with restriced pod security admission.
-func entrypointInitContainer(image string, steps []v1.Step, setSecurityContext, windows bool) corev1.Container {
+func entrypointInitContainer(image string, steps []v1.Step, securityContext SecurityContext, windows bool) corev1.Container {
 	// Invoke the entrypoint binary in "cp mode" to copy itself
 	// into the correct location for later steps and initialize steps folder
 	command := []string{"/ko-app/entrypoint", "init", "/ko-app/entrypoint", entrypointBinary}
 	for i, s := range steps {
 		command = append(command, StepName(s.Name, i))
 	}
 	volumeMounts := []corev1.VolumeMount{binMount, internalStepsMount}
-	securityContext := LinuxSecurityContext
-	if windows {
-		securityContext = WindowsSecurityContext
-	}
 
 	// Rewrite steps with entrypoint binary. Append the entrypoint init
 	// container to place the entrypoint binary. Also add timeout flags
@@ -721,8 +703,8 @@ func entrypointInitContainer(image string, steps []v1.Step, setSecurityContext,
 		Command:      command,
 		VolumeMounts: volumeMounts,
 	}
-	if setSecurityContext {
-		prepareInitContainer.SecurityContext = securityContext
+	if securityContext.SetSecurityContext {
+		prepareInitContainer.SecurityContext = securityContext.GetSecurityContext(windows)
 	}
 	return prepareInitContainer
 }
@@ -732,7 +714,7 @@ func entrypointInitContainer(image string, steps []v1.Step, setSecurityContext,
 // whether it will run on a windows node, and whether the sidecar should include a security context
 // that will allow it to run in namespaces with "restricted" pod security admission.
 // It will also provide arguments to the binary that allow it to surface the step results.
-func createResultsSidecar(taskSpec v1.TaskSpec, image string, setSecurityContext, windows bool) (v1.Sidecar, error) {
+func createResultsSidecar(taskSpec v1.TaskSpec, image string, securityContext SecurityContext, windows bool) (v1.Sidecar, error) {
 	names := make([]string, 0, len(taskSpec.Results))
 	for _, r := range taskSpec.Results {
 		names = append(names, r.Name)
@@ -775,13 +757,11 @@ func createResultsSidecar(taskSpec v1.TaskSpec, image string, setSecurityContext
 		Image:   image,
 		Command: command,
 	}
-	securityContext := LinuxSecurityContext
-	if windows {
-		securityContext = WindowsSecurityContext
-	}
-	if setSecurityContext {
-		sidecar.SecurityContext = securityContext
+
+	if securityContext.SetSecurityContext {
+		sidecar.SecurityContext = securityContext.GetSecurityContext(windows)
 	}
+
 	return sidecar, nil
 }