experiments: sandbox tool for code execution #26
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
|
So I'm submitting this here as a first step towards creating tools to make maintainer's lives easier. cc @ameukam This particular tool is basically a building block. The idea is to create a sandboxed executor that has no permissions (in particular, no github token). Then we can run scripts from repositories safely, and take the output and send it as a PR. The tool that drives that would be our second tool :-) And the goal is to run a script that lives in each repo, that updates the dependencies, and sends a PR. We need it for repos where dependabot simply doesn't work (in particular it seems to do badly for multi-module repos) Of course once we have that functionality, repos can create more scripts to create PRs to do any toilsome task they want! And because they're PRs, worst case the outcome is PR spam. |
|
The broader context is kubernetes/community#8297, and we're trying this here because of the consensus that (seemed to) arise around this being the right repo (thanks @dims ! ) |
|
|
||
| # TODO: Compile ourselves? | ||
| RUN mkdir -p /opt/protoc | ||
| RUN wget -N -O /opt/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v3.12.4/protoc-3.12.4-linux-x86_64.zip |
There was a problem hiding this comment.
We make the assumption we run locally this on x86 CPUs and exclude ARM environments. Maybe add more parameters to handle at least {linux,darwin} ?
Happy to do it as a follow-up PR
There was a problem hiding this comment.
Yes, that's a good call. Maybe compiling it ourselves is a good option from that perspective also! (It should get cached after the first docker buildx)
The sandbox executor will be useful for running untrusted / semi-trusted code. It runs commands in a kubernetes pod, using an agent for efficiency.
|
Tweaked to build protoc from source, TBH I like that better than depending on a binary anyway. It's somewhat slower the first time, but not catastrophically slow IMO. |
| # Load the image into kind | ||
| echo "Loading image into kind" | ||
| kind load docker-image ${AGENT_IMAGE} |
There was a problem hiding this comment.
Maybe create a KIND cluster before ?
There was a problem hiding this comment.
I'll do a follow on PR to run the e2e in GHA
|
/hold Per kubernetes/community#8297 (comment) cc: @kubernetes-sigs/sig-contributor-experience-leads, |
k8s-ci-robot
added
the
do-not-merge/hold
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
The sandbox executor will be useful for running untrusted / semi-trusted code.
It runs commands in a kubernetes pod, using an agent for efficiency.