fix(k8s): resolve attach pod name and su password on GKE Autopilot#159
fix(k8s): resolve attach pod name and su password on GKE Autopilot#159
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request initializes the project's design documentation, including the backlog, progress logs, and release notes. It also introduces two key fixes to the Kubernetes runtime: correctly resolving pod names with grove prefixes and implementing a runtime check to skip the 'su' command if the container is already running as the target user, which prevents password prompts on GKE Autopilot. A security improvement was suggested to prevent potential shell injection by passing the username as a positional argument to the shell script instead of using string interpolation.
| execCmd := []string{"sh", "-c", fmt.Sprintf( | ||
| `if [ "$(whoami)" = "%s" ]; then exec tmux attach -t scion; else exec su - %s -c "tmux attach -t scion"; fi`, | ||
| username, username)} |
There was a problem hiding this comment.
Building shell commands by interpolating variables like username into a script string using fmt.Sprintf is susceptible to shell injection if the variable contains special characters (e.g., quotes, semicolons, or spaces). A more secure and robust approach is to pass the variable as a positional argument to the shell. This ensures the value is treated strictly as data and avoids any interpretation as part of the shell script structure.
| execCmd := []string{"sh", "-c", fmt.Sprintf( | |
| `if [ "$(whoami)" = "%s" ]; then exec tmux attach -t scion; else exec su - %s -c "tmux attach -t scion"; fi`, | |
| username, username)} | |
| execCmd := []string{"sh", "-c", | |
| "if [ \"$(whoami)\" = \"$1\" ]; then exec tmux attach -t scion; else exec su - \"$1\" -c \"tmux attach -t scion\"; fi", | |
| "--", username} |
ameer00
force-pushed
the
fix/k8s-attach-pod-name-and-su
branch
from
7da28aa to
284462c
Compare
The Attach function used the bare agent name as the pod name, but K8s pods have a grove-prefixed name (e.g., "sciontest--hello" instead of "hello"), causing GKE Warden to reject the exec request. Fix by using agent.ContainerID after lookup. Additionally, on GKE Autopilot pods that run as non-root with allowPrivilegeEscalation=false, the `su - scion` wrapper prompts for a password. Fix with a runtime whoami check that skips su when already running as the target user.
ameer00
force-pushed
the
fix/k8s-attach-pod-name-and-su
branch
from
284462c to
2caa1d0
Compare
2 participants
Summary
scion attachusing bare agent name instead of grove-prefixed pod name (e.g.,hellovssciontest--hello), causing GKE Warden rejectionsu - scionpassword prompt on GKE Autopilot where pods run as non-root withallowPrivilegeEscalation=falseTest plan
🤖 Generated with Claude Code