diff --git a/reana_job_controller/config.py b/reana_job_controller/config.py
index ae46ee9..c421155 100644
--- a/reana_job_controller/config.py
+++ b/reana_job_controller/config.py
@@ -9,11 +9,20 @@
 """Flask application configuration."""
 import os
+import secrets
 from reana_commons.config import REANA_COMPONENT_PREFIX
 from werkzeug.utils import import_string
+
+SECRET_KEY = os.getenv("REANA_SECRET_KEY", secrets.token_hex())
+"""Secret key used for the application user sessions.
+
+A new random key is generated on every start of job-controller, but this is not an
+issues as job-controller is never restarted (and thus the secret never changes)
+during the execution of a single workflow."""
+
 CACHE_ENABLED = False
 """Determines if jobs caching is enabled."""
diff --git a/reana_job_controller/factory.py b/reana_job_controller/factory.py
index 8269473..9d98f33 100644
--- a/reana_job_controller/factory.py
+++ b/reana_job_controller/factory.py
@@ -48,7 +48,6 @@ def create_app(config_mapping=None):
 """Create REANA-Job-Controller application."""
 logging.basicConfig(level=REANA_LOG_LEVEL, format=REANA_LOG_FORMAT)
 app = Flask(__name__)
- app.secret_key = "mega secret key"
 app.session = Session
 app.config.from_object(config)
 if config_mapping:
diff --git a/reana_job_controller/kubernetes_job_manager.py b/reana_job_controller/kubernetes_job_manager.py
index 87f69c6..b20aa7a 100644
--- a/reana_job_controller/kubernetes_job_manager.py
+++ b/reana_job_controller/kubernetes_job_manager.py
@@ -1,5 +1,5 @@
 # This file is part of REANA.
-# Copyright (C) 2019, 2020, 2021, 2022, 2023 CERN.
+# Copyright (C) 2019, 2020, 2021, 2022, 2023, 2024 CERN.
 #
 # REANA is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
@@ -167,6 +167,7 @@ def execute(self):
 "name": "job",
 "env": [],
 "volumeMounts": [],
+ "securityContext": {"allowPrivilegeEscalation": False},
 }
 ],
 "initContainers": [],
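Review bot: An empty `REANA_SECRET_KEY` is accepted as the session key on the new `SECRET_KEY` line in config.py, because `os.getenv` falls back to its default only when the variable is unset, not when it is set to an empty string (for example a blank value in a deployment manifest). Writing `SECRET_KEY = os.getenv("REANA_SECRET_KEY") or secrets.token_hex()` keeps the random fallback in that case. The docstring's argument also assumes that a single process imports this module; if job-controller is ever served by several workers that each import `config` independently, each would sign sessions with a different key, so that assumption is worth stating in the docstring (where `issues` should also read `issue`).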
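Review bot: Only the `job` container literal in kubernetes_job_manager.py receives `allowPrivilegeEscalation: False`; the field exists at container level only, so anything appended later to `"initContainers"` or to the containers list does not inherit it. `execute` starts and ends outside this hunk, so it is not visible whether init or sidecar containers are added there; if they are, they should carry the same `securityContext`. A short comment above the new line would record the intent, e.g. `# no_new_privs: setuid/file-capability binaries in the job image cannot gain privileges`. It is also worth confirming that no later code assigns `securityContext` on this container and replaces the dict.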