feat: Add initial deny list for user mounted directories#1436
Open
lbeckman314 wants to merge 5 commits into
Open
feat: Add initial deny list for user mounted directories#1436lbeckman314 wants to merge 5 commits into
lbeckman314 wants to merge 5 commits into
Conversation
Gen3 Integration Tests
|
Gen3 Integration Tests
|
Gen3 Integration Tests
|
nss10
approved these changes
Jun 24, 2026
Add Kubernetes.ForbiddenPathPrefixes to the Funnel config so operators can customize the deny list of container paths that user-submitted tasks may not mount inputs, outputs, volumes, or working directories into. When set, the configured list replaces Funnel's built-in defaults (/dev, /proc, /sys, /run, /var/run); when empty, the defaults still apply. Validate and InitTask now accept the deny list as a parameter (the tes package cannot import config without an import cycle), and the server's CreateTask path passes the configured prefixes. Client- and worker-side pre-flight validation continue to use the defaults. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Assisted-by: Claude Code:claude [Claude Code]
Gen3 Integration Tests
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview ⚙️
This PR adds a default "deny list" to user-submitted task volumes to prevent errors related to trying to mount to system directories.
Current Behavior⚠️
/dev:➜ cat mount-test.json { "name": "deny-input-dev", "description": "Issue #92: Input mounted to /dev (develop → accepted, feat/deny-lists → rejected)", "executors": [ { "image": "alpine", "command": ["ls", "-la", "/dev"] } ], "inputs": [ { "url": "https://raw.githubusercontent.com/calypr/funnel/refs/heads/develop/README.md", "path": "/dev" } ] } ➜ funnel task create mount-test.json d8pfs1s622hs739b7rh0EXECUTOR_ERRORstemming fromOCI StartError: 🐛➜ funnel task get d8pfs1s622hs739b7rh0 { ... "id": "d8pfs1s622hs739b7rh0", "logs": [ { "logs": [ { "exitCode": 128, } ], "systemLogs": [ ... "level='error' msg='Exec error' error='executor job d8pfs1s622hs739b7rh0-0 failed with exit code 128 (StartError): failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting \"/var/lib/kubelet/pods/64a9fb7a-5822-496c-992d-2c081d929297/containers/funnel-executor-d8pfs1s622hs739b7rh0/4dc52fb5\" to rootfs at \"/dev/termination-log\": open o_path procfd: open /run/containerd/io.containerd.runtime.v2.task/k8s.io/e4a407b35fca352200248175af22997988a90d0765dafbc358bc7fcf0f186d7c/rootfs/dev/termination-log: not a directory: unknown'" ] } ], "state": "EXECUTOR_ERROR" }New Behavior ✔️
forbiddenPathPrefixes/dev/proc/sys/run/var/runTested against PR #1436 (funnel:6e404ed):
/dev:funnel➜ funnel task create mount-test.json Error: [STATUS CODE - 400] { "error": "invalid task message:\nTask.Inputs[0].Path: \"/dev\" is not allowed as an input path\n" }curlBreaking Changes? ❌
Next Steps 🌀
develop2026-06-23)v0.1.99-rc.39