
chore: make windows agent runnable by ContainerUser #1241


Open
wants to merge 2 commits into
base: main

Conversation

kondracek-nr
Contributor

@kondracek-nr kondracek-nr commented Jun 3, 2025

Description

To improve our security posture for the new Windows integration, the infrastructure agent container that runs in the windows kubelet pod should be runnable by a user with reduced permissions. We can use the virtual user ContainerUser rather than ContainerAdministrator by granting modify permissions to Users for the relevant path in the infra agent Docker file & removing the emptyDir mount path for the \tmp directory. Agent code deletes this directory during startup, which can apparently be done by the ContainerAdministrator but not the ContainerUser no matter how many permissions you give it. The agent will manage creating the directory itself.

Skip Changelog label added due to unreleased feature.

Type of change

  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • New feature / enhancement (non-breaking change which adds functionality)
  • Security fix
  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • Add changelog entry following the contributing guide
  • Documentation has been updated
  • This change requires changes in testing:
    • unit tests
    • E2E tests
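As an added example (not the PR's own Dockerfile), this sketches the change the description outlines: grant the Users group modify rights on the agent path with icacls, leave \tmp unmounted so the agent can recreate it, and switch the image to ContainerUser. The base image, the C:\agent path and the binary name are assumptions, not values from the PR.

```dockerfile
# escape=`
# Added example, not the project's Dockerfile. Base image, path and binary name are placeholders.
FROM mcr.microsoft.com/windows/servercore:ltsc2022

# Before this change the image ran as ContainerAdministrator (the default user for
# Windows Server Core images), so the agent could write anywhere and delete \tmp freely.

# Stage the agent under a placeholder directory (the real install path is not in the PR text).
WORKDIR C:\agent
COPY newrelic-infra.exe .

# Grant the built-in Users group Modify rights on the agent directory, inherited by
# sub-folders (CI) and files (OI), so the non-admin ContainerUser can write state here.
RUN icacls "C:\agent" /grant "Users:(OI)(CI)M" /T

# Per the PR description, ContainerUser cannot delete \tmp when it is a pod emptyDir mount,
# so the emptyDir volume for C:\tmp is dropped from the pod spec and the agent creates
# the directory itself at startup. Nothing to do in the image for that step.

# Drop privileges: run the agent as the virtual, non-admin ContainerUser account.
USER ContainerUser
ENTRYPOINT ["C:\\agent\\newrelic-infra.exe"]
```

Verify the result with `docker run --rm <image> whoami`, which should print `user manager\containeruser` rather than `containeradministrator`.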

@kondracek-nr kondracek-nr requested a review from a team as a code owner June 3, 2025 22:53

codecov bot commented Jun 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.80%. Comparing base (9a96441) to head (46c9c85).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1241   +/-   ##
=======================================
  Coverage   63.80%   63.80%           
=======================================
  Files          55       55           
  Lines        4349     4349           
=======================================
  Hits         2775     2775           
  Misses       1402     1402           
  Partials      172      172           

☔ View full report in Codecov by Sentry.
