feat: non-root argoexec (#14477)

Signed-off-by: Alan Clucas <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: Joibel

.github/workflows/release.yaml

@@ -27,7 +27,7 @@ jobs:
     strategy:
       matrix:
         platform: [ linux/amd64, linux/arm64 ]
-        target: [ workflow-controller, argocli, argoexec ]
+        target: [ workflow-controller, argocli, argoexec, argoexec-nonroot ]
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -182,7 +182,7 @@ jobs:
             tag="latest"
           fi
 
-          targets="workflow-controller argoexec argocli"
+          targets="workflow-controller argoexec argoexec-nonroot argocli"
           for target in $targets; do
             image_name="${docker_org}/${target}:${tag}"
 
@@ -209,7 +209,7 @@ jobs:
     strategy:
       matrix:
         platform: [ linux/amd64 ]
-        target: [ workflow-controller, argocli, argoexec ]
+        target: [ workflow-controller, argocli, argoexec, argoexec-nonroot ]
     steps:
       - name: Docker Login
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -317,6 +317,7 @@ jobs:
       - run: bom generate --image quay.io/argoproj/workflow-controller:$VERSION -o dist/workflow-controller.spdx
       - run: bom generate --image quay.io/argoproj/argocli:$VERSION -o dist/argocli.spdx
       - run: bom generate --image quay.io/argoproj/argoexec:$VERSION -o dist/argoexec.spdx
+      - run: bom generate --image quay.io/argoproj/argoexec-nonroot:$VERSION -o dist/argoexec-nonroot.spdx
       # pack the boms into one file to make it easy to download
       - run: tar -zcf dist/sbom.tar.gz dist/*.spdx
       - run: make release-notes VERSION=$VERSION

Dockerfile

@@ -80,13 +80,27 @@ RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache
 
 ####################################################################################################
 
-FROM gcr.io/distroless/static as argoexec
+FROM gcr.io/distroless/static as argoexec-base
 
-COPY --from=argoexec-build /go/src/github.com/argoproj/argo-workflows/dist/argoexec /bin/
 COPY --from=argoexec-build /etc/mime.types /etc/mime.types
 COPY hack/ssh_known_hosts /etc/ssh/
 COPY hack/nsswitch.conf /etc/
 
+####################################################################################################
+
+FROM argoexec-base as argoexec-nonroot
+
+USER 8737
+
+COPY --chown=8737 --from=argoexec-build /go/src/github.com/argoproj/argo-workflows/dist/argoexec /bin/
+
+ENTRYPOINT [ "argoexec" ]
+
+####################################################################################################
+FROM argoexec-base as argoexec
+
+COPY --from=argoexec-build /go/src/github.com/argoproj/argo-workflows/dist/argoexec /bin/
+
 ENTRYPOINT [ "argoexec" ]
 
 ####################################################################################################

Makefile

@@ -245,6 +245,7 @@ else
 endif
 
 argoexec-image:
+argoexec-nonroot-image:
 
 %-image:
 	[ ! -e dist/$* ] || mv dist/$* .

docs/workflow-executors.md

@@ -1,46 +1,51 @@
 # Workflow Executors
 
-A workflow executor is a process that conforms to a specific interface that allows Argo to perform certain actions like monitoring pod logs, collecting artifacts, managing container life-cycles, etc.
+A Workflow executor runs in the Pods that execute your workloads.
+It runs as both an init container and as a sidecar to the container you specify.
+It allows Argo to perform certain actions like monitoring Pod logs, providing and collecting artifacts, and managing container life-cycles.
 
-## Emissary (emissary)
+Historically there were multiple available executor types, but as of 3.4 the only available executor is called `emissary`.
 
-> v3.1 and after
-
-Default in >= v3.3.
-Only option in >= v3.4.
-
-This is the most fully featured executor.
+## Emissary Executor
 
 * Reliability:
     * Works on GKE Autopilot
-    * Does not require `init` process to kill sub-processes.
-* More secure:
+    * Does not require `init` process to kill sub-processes
+* Security:
     * No `privileged` access
     * Cannot escape the privileges of the pod's service account
-    * Can [`runAsNonRoot`](workflow-pod-security-context.md).
-* Scalable:
-    * It reads and writes to and from the container's disk and typically does not use any network APIs unless resource
-    type template is used.
+    * Supports [running as non-root](workflow-pod-security-context.md)
+* Scalability:
+    * Reads and writes to and from the container's disk
+    * Typically does not use network APIs unless resource type template is used
 * Artifacts:
-    * Output artifacts can be located on the base layer (e.g. `/tmp`).
-* Configuration:
-    * `command` should be specified for containers.
+    * Output artifacts can be located on the base layer (e.g. `/tmp`)
+
+### Container Command
 
-You can determine values as follows:
+You can determine the default command for a container image using:
 
 ```bash
-docker image inspect -f '{{.Config.Entrypoint}} {{.Config.Cmd}}' argoproj/argosay:v2
+docker pull alpine:latest
+docker image inspect -f '{{.Config.Entrypoint}} {{.Config.Cmd}}' alpine:latest
 ```
 
 [Learn more about command and args](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#notes)
 
 ### Image Index/Cache
 
-If you don't provide command to run, the emissary will grab it from container image. You can also specify it using the workflow spec or emissary will look it up in the **image index**. This is nothing more fancy than
-a [configuration item](workflow-controller-configmap.yaml).
+The emissary executor determines the command to run in this order:
+
+1. Command specified in the workflow spec
+2. Command from the image index cache
+3. Command from the container image
+
+The image index is a [configuration item](workflow-controller-configmap.yaml), called `images`.
 
-Emissary will create a cache entry, using image with version as key and command as value, and it will reuse it for specific image/version.
+The controller creates a cache entry using the image with version as key and command as value.
+It reuses this cache for specific image:version combinations, so you may get surprising behavior if you update the command in an image without changing its version tag.
 
-### Exit Code 64
+### Troubleshooting
 
-The emissary will exit with code 64 if it fails. This may indicate a bug in the emissary.
+The emissary will exit with code 64 if it fails.
+This may indicate a bug in the emissary.

docs/workflow-pod-security-context.md

@@ -1,12 +1,21 @@
 # Workflow Pod Security Context
 
-By default, all workflow pods run as root.
+This document explains how to configure security context for Workflow Pods in Argo Workflows.
 
-You can run your workflow pods more securely by configuring the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for your workflow pod.
+Running Workflow Pods as non-root is best practice for security.
 
-This is likely to be necessary if pod security standards ([PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards)) are enforced by
-[PSA](https://kubernetes.io/docs/concepts/security/pod-security-admission/) or other means, or if you have a
-[pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (deprecated).
+You may need to do this if:
+
+* Your cluster requires [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards), as enforced by [PSA](https://kubernetes.io/docs/concepts/security/pod-security-admission/) or other means.
+* You need to comply with security policies that restrict root access.
+
+## Basic Configuration
+
+By default, all Workflow Pods run as root.
+
+You can configure the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for your Workflow Pod.
+
+Here's a basic example that runs the Pod as a non-root user:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -16,13 +25,34 @@ metadata:
 spec:
   securityContext:
     runAsNonRoot: true
-    runAsUser: 8737 #; any non-root user
+    runAsUser: 8737 # or any non-root user
 ```
 
-You can configure this globally using [workflow defaults](default-workflow-specs.md).
-
 !!! Warning "It is easy to make a workflow need root unintentionally"
     You may find that user's workflows have been written to require root with seemingly innocuous code. E.g. `mkdir /my-dir` would require root.
 
-!!! Note "You must use volumes for output artifacts"
-    If you use `runAsNonRoot` - you cannot have output artifacts on base layer (e.g. `/tmp`). You must use a volume (e.g. [empty dir](empty-dir.md)).
+## Global Configuration
+
+You can set these security context settings globally using [workflow defaults](default-workflow-specs.md).
+
+## Non-root Executor Image
+
+Argo provides a non-root executor image that runs by default as user 8737.
+
+This is not the default executor for backwards compatibility, but using it is best practice.
+Use this image when your security policies restrict pulling images that run as root.
+You can run this image as root by specifying `runAsUser: 0`.
+
+The image is available at `quay.io/argoproj/argoexec-nonroot:<version>`.
+
+You can configure this as the default executor image in the [workflow-controller-configmap](workflow-controller-configmap.yaml):
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: workflow-controller-configmap
+data:
+  executor: |
+    image: quay.io/argoproj/argoexec-nonroot:<version>
+```