K8s worker security hardening#234
Merged
added 11 commits
April 14, 2026 23:07
- Add SecurityContext to worker containers (non-root, read-only FS, drop ALL caps)
- Add configurable resource requests/limits (CPU/memory) via env vars
- Move worker token from plain env var to K8s Secret with secretKeyRef
- Add ExecutionReconciler loop to detect and fail orphaned running executions
- Add ListRunning to ExecutionsStore for reconciliation queries
- Wire up reconciler in server startup with graceful shutdown
…ecret cleanup, resourceQty validation, ListRunning LIMIT, MarkFailed WHERE guard, nil K8sJobName reconciliation
…nate string duplication
…arning, Secret cleanup on Job failure
… parseResources, fix ReconcileOnce doc comment
…tests
- Store worker_token_secret in DB alongside k8s_job_name so cleanup always references the correct Secret name
- Cancel handler only deletes Secret if it was auto-created (name starts with st-worker-token- prefix), not pre-existing Secrets
- Reconciler only deletes Secret if WorkerTokenSecret starts with the auto-created prefix, preventing deletion of pre-existing Secrets
- RunningExecution now carries WorkerTokenSecret from DB
- CreateJob returns CreateJobResult with secret metadata (WorkerTokenSecret name, AutoCreatedSecret flag)
- Add DB migration 000023 for worker_token_secret column
- Add comprehensive CreateJob tests using fake.NewSimpleClientset covering security context, resource limits, SecretKeyRef token injection, AutomountServiceAccountToken=false, pre-existing Secret behaviour, and Secret cleanup on Job creation failure
- Add reconciler tests for pre-existing Secret and nil Secret cases
- Update all DB scan queries to include worker_token_secret column
- Change Client.clientset from *kubernetes.Clientset to kubernetes.Interface for testability
… eliminate duplicated label maps in CreateJob
…add status guard to markExecutionFailed, add team-scoped lookups
Closes droplet sc-hpqh8.
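As an added example (not code from this PR or its repository), the following audit check expresses the worker-Job hardening the commits describe as a reviewable policy: it walks a Job manifest and reports any container that is not non-root with a read-only root filesystem and all capabilities dropped, that lacks CPU/memory limits, that injects a token as a plain env `value` instead of a `secretKeyRef`, or whose pod still auto-mounts the service-account token. Both manifests are constructed samples; the "before" shape approximates the pre-PR worker spec, the "after" shape mirrors the commit summary.

```python
# Constructed "before" shape: token in a plain env var, root, writable FS, no limits.
WEAK_JOB = {"spec": {"template": {"spec": {"containers": [
    {"name": "worker", "image": "worker:example",
     "env": [{"name": "WORKER_TOKEN", "value": "plaintext-token"}]}]}}}}

# Constructed "after" shape matching the PR's commit summary.
HARDENED_JOB = {"spec": {"template": {"spec": {
    "automountServiceAccountToken": False,
    "containers": [{
        "name": "worker", "image": "worker:example",
        "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                      "limits": {"cpu": "1", "memory": "512Mi"}},
        "env": [{"name": "WORKER_TOKEN", "valueFrom": {"secretKeyRef": {
                 "name": "st-worker-token-abc123", "key": "token"}}}]}]}}}}


def audit_job(job):
    """Return hardening findings for a Job manifest (an empty list means it passes)."""
    findings = []
    pod = job.get("spec", {}).get("template", {}).get("spec", {})
    # The worker should not receive the pod's service-account token at all.
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken is not false")
    for c in pod.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        limits = (c.get("resources") or {}).get("limits") or {}
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: no {resource} limit")
        # Token-like env vars must come from a Secret reference, never a literal value.
        for env in c.get("env", []):
            if "TOKEN" in env.get("name", "").upper() and "value" in env:
                findings.append(f"{name}: {env['name']} is a plain env value, not a secretKeyRef")
    return findings


if __name__ == "__main__":
    print(audit_job(WEAK_JOB))       # seven findings
    print(audit_job(HARDENED_JOB))   # []
```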