
build: Support Mounted Resource Volumes #733

Merged
merged 1 commit into from
May 8, 2021

Commits on May 6, 2021

  1. build: Support Mounted Resource Volumes

    Proposal to support mounts for Secrets and ConfigMaps in builds. This
    augments prior work which let Secrets and ConfigMaps be used as sources
    in builds. Unlike the current approach, this enhancement leverages
    buildah's volume mount feature to let content be available only at build
    time, and not at runtime. This is useful for builds that need to access
    private artifact repositories or RHEL subscription content.
    
    This current proposal builds on top of Ben Parees's original volume
    mount proposal. Supported volume types will be gated at the API level to
    ensure the volume type does not pose a security risk and is correctly
    lifecycled. To distinguish Kubernetes volumes+mounts from buildah's
    volume mount mechanism, the terms "volume content," "input volume,"
    "buildah volume mount," and "buildah runtime environment" were
    introduced. The proposed API uses these terms to distinguish build
    volume mounts from pod volume mounts. Documentation requirements for
    this feature were added in the "Drawbacks" section of the proposal.
    
    Because the build controller uses the privileged security context
    constraint, build pods bypass most security features in OpenShift.
    Therefore, future volume mounts in build pods need to be tightly
    controlled. Open-ended volume types like CSI volumes could be an attack
    vector if a developer uses an insecure CSI driver implementation. This
    proposal establishes graduation criteria for adding new volume source
    types to builds, including security, testing, lifecycle concerns,
    failure modes, and feature gating.
    bparees authored and adambkaplan committed May 6, 2021
    Commit b310d8c
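The commit message above says supported volume types will be gated at the API level so that a volume source cannot pose a security risk and is correctly lifecycled, and names open-ended sources such as CSI as the kind that should not be admitted without graduation criteria. The following validator is an added example written for this page, not code from the proposal or from the OpenShift build controller. It assumes a build volume shape of `name`, `source.type` and `mounts[].destinationPath` (these field names are an assumption for illustration), applies an allowlist of the two source types the proposal mentions (Secret and ConfigMap), and rejects mount destinations that are relative, non-normalized, duplicated, or that would overlap the path where a pod's own service-account credentials live (a constructed reserved-path list):

```python
"""Allowlist validation for build volume mounts.

Added example; not the proposal's or the project's own code. The input
shape (name / source.type / mounts[].destinationPath) and the reserved
path list are assumptions made for this illustration.
"""
import posixpath
from dataclasses import dataclass, field

# Source types the proposal names as supported in builds. Anything else
# (CSI, hostPath, ...) is rejected until it has passed graduation criteria.
ALLOWED_SOURCE_TYPES = frozenset({"Secret", "ConfigMap"})

# Constructed for this example: paths the build pod already uses for its own
# credentials. Letting build input mount over them would let a build shadow
# the pod's service-account token.
RESERVED_PATHS = ("/var/run/secrets",)


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def _is_reserved(path):
    """True if path equals or lies underneath a reserved prefix."""
    return any(path == r or path.startswith(r + "/") for r in RESERVED_PATHS)


def validate_build_volumes(volumes):
    """Validate a list of build volume dicts; returns a ValidationResult."""
    errors = []
    seen_names, seen_paths = set(), set()
    for i, vol in enumerate(volumes):
        p = f"volumes[{i}]"

        name = vol.get("name")
        if not name:
            errors.append(f"{p}.name: required")
        elif name in seen_names:
            errors.append(f"{p}.name: duplicate volume name {name!r}")
        else:
            seen_names.add(name)

        # Allowlist, not denylist: unknown or missing types are rejected.
        stype = (vol.get("source") or {}).get("type")
        if stype not in ALLOWED_SOURCE_TYPES:
            errors.append(
                f"{p}.source.type: {stype!r} is not an allowed build volume "
                f"source (allowed: {sorted(ALLOWED_SOURCE_TYPES)})"
            )

        mounts = vol.get("mounts") or []
        if not mounts:
            errors.append(f"{p}.mounts: at least one mount is required")
        for j, m in enumerate(mounts):
            mp = f"{p}.mounts[{j}].destinationPath"
            dest = m.get("destinationPath") or ""
            if not dest.startswith("/"):
                errors.append(f"{mp}: must be an absolute path, got {dest!r}")
                continue
            # Reject '.', '..' and trailing '/' so reserved-path checks and
            # duplicate detection operate on a canonical string.
            if posixpath.normpath(dest) != dest:
                errors.append(
                    f"{mp}: must be normalized (no '.', '..' or trailing '/'), "
                    f"got {dest!r}"
                )
                continue
            if _is_reserved(dest):
                errors.append(
                    f"{mp}: {dest!r} overlaps a path reserved for the build "
                    "pod's own credentials"
                )
            if dest in seen_paths:
                errors.append(f"{mp}: duplicate mount destination {dest!r}")
            seen_paths.add(dest)
    return ValidationResult(ok=not errors, errors=errors)


# Constructed sample input: one Secret volume mounted at build time only.
SAMPLE_VALID = [
    {
        "name": "maven-settings",
        "source": {"type": "Secret", "secret": {"secretName": "maven-creds"}},
        "mounts": [{"destinationPath": "/etc/maven/settings"}],
    }
]

if __name__ == "__main__":
    result = validate_build_volumes(SAMPLE_VALID)
    print("valid" if result.ok else "\n".join(result.errors))
```

The check is deliberately an allowlist: a new source type such as CSI stays rejected until someone adds it to `ALLOWED_SOURCE_TYPES`, which is the code-level counterpart of the graduation criteria the commit message describes.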