From ef7ff72cb07097f2dfa8f3551ee5d576633ad7e1 Mon Sep 17 00:00:00 2001
From: Stavros <steve@vipersec.com>
Date: Wed, 14 Aug 2024 14:07:46 +0200
Subject: [PATCH] fix(manager): avoid privilege escalation

---
 reana_workflow_controller/k8s.py                  | 4 +++-
 reana_workflow_controller/workflow_run_manager.py | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/reana_workflow_controller/k8s.py b/reana_workflow_controller/k8s.py
index 8d343003..31c3cf46 100644
--- a/reana_workflow_controller/k8s.py
+++ b/reana_workflow_controller/k8s.py
@@ -221,7 +221,9 @@ def add_environment_variable(self, name, value):
 
     def add_run_with_root_permissions(self):
         """Run interactive session with root."""
-        security_context = client.V1SecurityContext(run_as_user=0)
+        security_context = client.V1SecurityContext(
+            run_as_user=0, allow_privilege_escalation=False
+        )
         self._session_container.security_context = security_context
 
     def add_user_secrets(self):
diff --git a/reana_workflow_controller/workflow_run_manager.py b/reana_workflow_controller/workflow_run_manager.py
index 3eee0b93..df4ca6d4 100644
--- a/reana_workflow_controller/workflow_run_manager.py
+++ b/reana_workflow_controller/workflow_run_manager.py
@@ -557,6 +557,7 @@ def _create_job_spec(
         workflow_engine_container.security_context = client.V1SecurityContext(
             run_as_group=WORKFLOW_RUNTIME_USER_GID,
             run_as_user=WORKFLOW_RUNTIME_USER_UID,
+            allow_privilege_escalation=False,
         )
         workflow_engine_container.volume_mounts = [workspace_mount]