petertrr
commented
2 years ago This also is crucial to keep private tests for contests really private
Open petertrr opened 2 years ago
petertrr
commented
2 years ago This also is crucial to keep private tests for contests really private
petertrr
commented
2 years ago More ideas:
authenticated in the databaseTestExecutions) only after tests are assigned to an agent, i.e. by that time agent should have started and authenticated.Service can implement app-to-app authentication using basic auth based on attached secrets. In Kubernetes it can be done using empty ServiceAccounts and TokenReview API
Agent pods can have a NetworkPolicy allowing egress to orchestrator and backend pods only, and also to all IPs outside of cluster range.
Two users in the save-agent pod: save-agent (uid 1100) and save-executor (uid 1200). All resources for execution are chown-ed for save-executor. The user save-agent is also a member of save-executor group to be able to read execution results. save-agent should launch save-cli as a user save-executor.
Then, it seems, save-agent can use Kubernetes secrets (namely ServiceAccount token mounted using volume projection) without executed tool having access to them.
(https://gvisor.dev/docs/architecture_guide/security/)
save-cloud services should either be able to authorize against each other (including agent), or the tested tool should have restricted network access (i.e. being able to communicate only with targets outside of cluster IP range)
Plan:
NetworkPolicyto allow access from save-agent pods only to main ports of backend, orchestrator and sandbox (#1247)/actuatorand/swagger-uito a separate management port (#1342)ServiceAccounttokens (#1238)