
Commit b729cfb

committed
feat(playbook): run exec actions inside a sandbox
Uses flanksource/sandbox-runtime to restrict network and filesystem access when running playbook exec actions. Depends on flanksource/duty#1782.
1 parent 77731fb commit b729cfb

4 files changed

Lines changed: 77 additions & 82 deletions


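--- a/api/v1/playbook_actions.go
+++ b/api/v1/playbook_actions.go
@@ -21,6 +21,7 @@ import (
 "github.com/flanksource/duty/models"
 "github.com/flanksource/duty/shell"
 "github.com/flanksource/duty/types"
+"github.com/flanksource/sandbox-runtime/sandbox"
 "k8s.io/client-go/kubernetes"
 
 "github.com/flanksource/incident-commander/api"
@@ -398,14 +399,15 @@ type ExecAction struct {
 Setup *shell.ExecSetup `json:"setup,omitempty"`
 }
 
-func (e *ExecAction) ToShellExec() shell.Exec {
+func (e *ExecAction) ToShellExec(sb *sandbox.Sandbox) shell.Exec {
 return shell.Exec{
 Script: e.Script,
 Connections: e.Connections,
 EnvVars: e.EnvVars,
 Artifacts: e.Artifacts,
 Checkout: e.Checkout,
 Setup: e.Setup,
+Sandbox: sb,
 }
 }
 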
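Review bot: `ToShellExec` threads `sb` straight into `shell.Exec.Sandbox` with no nil check, so a caller that passes nil presumably runs the script without the network and filesystem restrictions this commit introduces — whether a nil Sandbox is rejected or silently treated as "unsandboxed" is decided in duty's shell package, which is not on this page. Because this is the security boundary for user-supplied playbook scripts, the contract should be stated on the exported method: add a doc comment such as `// ToShellExec builds the shell.Exec for this action. sb restricts the script's network and filesystem access; a nil sb is passed through unchanged, so callers must only pass nil when unsandboxed execution is intended.` If unsandboxed execution is never intended, consider making the method fail closed rather than relying on every call site to construct a sandbox. The call sites that adopt the new signature are among the four changed files but are not shown on this page.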
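--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/casbin/gorm-adapter/v3 v3.39.0
 github.com/containrrr/shoutrrr v0.8.0
 github.com/fergusstrange/embedded-postgres v1.33.0 // indirect
-github.com/flanksource/commons v1.44.1
+github.com/flanksource/commons v1.46.0
 github.com/flanksource/duty v1.0.1183
 github.com/flanksource/gomplate/v3 v3.24.66
 github.com/flanksource/kopper v1.0.14
@@ -41,19 +41,20 @@ require (
 github.com/RussellLuo/slidingwindow v0.0.0-20200528002341-535bb99d338b
 github.com/WinterYukky/gorm-extra-clause-plugin v0.4.0
 github.com/aws/aws-sdk-go-v2 v1.41.1
-github.com/aws/aws-sdk-go-v2/config v1.32.7
-github.com/aws/aws-sdk-go-v2/credentials v1.19.7
+github.com/aws/aws-sdk-go-v2/config v1.32.9
+github.com/aws/aws-sdk-go-v2/credentials v1.19.9
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.63.1
 github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
 github.com/emersion/go-message v0.18.2
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
 github.com/emersion/go-smtp v0.24.0
-github.com/flanksource/artifacts v1.0.18
-github.com/flanksource/clicky v1.16.1
+github.com/flanksource/artifacts v1.0.21
+github.com/flanksource/clicky v1.17.0
+github.com/flanksource/sandbox-runtime v1.0.1
 github.com/fluxcd/pkg/gittestserver v0.21.0
 github.com/go-git/go-billy/v5 v5.7.0
-github.com/go-git/go-git/v5 v5.16.4
+github.com/go-git/go-git/v5 v5.16.5
 github.com/go-sql-driver/mysql v1.9.3
 github.com/gofrs/uuid/v5 v5.4.0
 github.com/golang-jwt/jwt/v5 v5.3.0
@@ -122,6 +123,7 @@ require (
 github.com/alecthomas/chroma/v2 v2.23.1 // indirect
 github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 // indirect
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
@@ -135,8 +137,8 @@ require (
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.17 // indirect
 github.com/aws/aws-sdk-go-v2/service/kms v1.49.5 // indirect
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 // indirect
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 // indirect
 github.com/aws/smithy-go v1.24.0 // indirect
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 github.com/bahlo/generic-list-go v0.2.0 // indirect
@@ -147,9 +149,8 @@ require (
 github.com/buger/jsonparser v1.1.1 // indirect
 github.com/casbin/govaluate v1.10.0 // indirect
 github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-github.com/cert-manager/cert-manager v1.19.1 // indirect
+github.com/cert-manager/cert-manager v1.19.3 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
-github.com/charmbracelet/bubbletea v1.3.10 // indirect
 github.com/charmbracelet/colorprofile v0.4.1 // indirect
 github.com/charmbracelet/lipgloss v1.1.0 // indirect
 github.com/charmbracelet/x/ansi v0.11.4 // indirect
@@ -173,12 +174,11 @@ require (
 github.com/emirpasic/gods/v2 v2.0.0-alpha // indirect
 github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
-github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 github.com/exaring/otelpgx v0.10.0 // indirect
 github.com/fatih/color v1.18.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
-github.com/flanksource/deps v1.0.23 // indirect
+github.com/flanksource/deps v1.0.24 // indirect
 github.com/flanksource/is-healthy v1.0.82 // indirect
 github.com/flanksource/kubectl-neat v1.0.4 // indirect
 github.com/fluxcd/gitkit v0.6.0 // indirect
@@ -191,7 +191,6 @@ require (
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 github.com/go-jose/go-jose/v4 v4.1.3 // indirect
-github.com/go-json-experiment/json v0.0.0-20251027170946-4849db3c2f7e // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-ole/go-ole v1.3.0 // indirect
 github.com/go-openapi/inflect v0.21.5 // indirect
@@ -245,10 +244,6 @@ require (
 github.com/jackc/puddle/v2 v2.2.2 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/jeremywohl/flatten v1.0.1 // indirect
-github.com/kaptinlin/go-i18n v0.2.3 // indirect
-github.com/kaptinlin/jsonpointer v0.4.9 // indirect
-github.com/kaptinlin/jsonschema v0.6.8 // indirect
-github.com/kaptinlin/messageformat-go v0.4.9 // indirect
 github.com/kevinburke/ssh_config v1.4.0 // indirect
 github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 github.com/kr/fs v0.1.0 // indirect
@@ -260,14 +255,11 @@ require (
 github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
 github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
 github.com/mailru/easyjson v0.9.1 // indirect
-github.com/mattn/go-localereader v0.0.1 // indirect
 github.com/mattn/go-runewidth v0.0.19 // indirect
 github.com/microsoft/go-mssqldb v1.9.6 // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 github.com/moby/spdystream v0.5.0 // indirect
-github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
-github.com/muesli/cancelreader v0.2.2 // indirect
 github.com/muesli/termenv v0.16.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
@@ -342,7 +334,7 @@ require (
 gocloud.dev v0.44.0 // indirect
 golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
 golang.org/x/mod v0.32.0 // indirect
-golang.org/x/term v0.39.0 // indirect
+golang.org/x/term v0.40.0 // indirect
 golang.org/x/tools v0.41.0 // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
@@ -420,11 +412,11 @@ require (
 github.com/valyala/fasttemplate v1.2.2 // indirect
 github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 go.opencensus.io v0.24.0 // indirect
-golang.org/x/crypto v0.47.0
-golang.org/x/net v0.49.0 // indirect
+golang.org/x/crypto v0.48.0
+golang.org/x/net v0.50.0 // indirect
 golang.org/x/oauth2 v0.34.0 // indirect
-golang.org/x/sys v0.40.0 // indirect
-golang.org/x/text v0.33.0
+golang.org/x/sys v0.41.0 // indirect
+golang.org/x/text v0.34.0
 golang.org/x/time v0.14.0 // indirect
 google.golang.org/api v0.262.0
 google.golang.org/genproto v0.0.0-20260126211449-d11affda4bed // indirect
@@ -437,6 +429,7 @@ require (
 )
 
 // replace github.com/flanksource/clicky => ../clicky
+replace github.com/flanksource/duty => ../duty
 
 // replace github.com/flanksource/gomplate/v3 => ../gomplate
 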
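Review bot: The new `replace github.com/flanksource/duty => ../duty` directive in the last hunk pins the build to an unversioned sibling checkout, so anyone without that exact working tree — CI included — either fails to resolve the module or compiles against whatever happens to be in `../duty`, outside the go.sum verification that covers the declared `github.com/flanksource/duty v1.0.1183`. The description says this depends on flanksource/duty#1782, so the directive looks like a local development aid that must not ship: before merge it should be removed (or commented out like the neighbouring `// replace` lines) and `github.com/flanksource/duty` bumped to a released version that contains that change. Separately, `github.com/armon/go-socks5` arrives as a new indirect dependency at a 2016 pseudo-version, presumably via sandbox-runtime; since it sits on the network-restriction path it is worth confirming that is the intended and maintained implementation.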