Run tekton containers as nonroot 🐰 #2606
Conversation
This changes a slew of containers that Tekton runs to use non-root base images. Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
@vdemeester: GitHub didn't allow me to request PR reviews from the following users: mattmoor. Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
github.com/tektoncd/pipeline/vendor/github.com/GoogleCloudPlatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher: gcr.io/distroless/static:latest | ||
|
||
# Our entrypoint image does not need root, it simply needs to be able to 'cp' the binary into a shared location. | ||
github.com/tektoncd/pipeline/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot |
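Review bot: the comment above the entrypoint line justifies the image choice with a single `cp` into a shared location, yet `gcr.io/distroless/base:debug-nonroot` brings glibc and a busybox shell along for that one copy (the point raised later in this thread, which also notes that `static:debug-nonroot` is not published). If the binary built from cmd/entrypoint is statically linked, `gcr.io/distroless/static:nonroot` would suffice with the copy performed by the binary itself; if a shell really is required, the comment should say why, since "does not need root" is not the same as "needs busybox".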
👍
FWIW I'd probably still prefer to see your change land since this includes glibc and busybox just for cp. We don't publish static:debug-nonroot 🤔
Perhaps we can revive #2562 once this is merged
/kind feature
"-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e", | ||
# The shell image must be root in order to create directories and copy files to PVCs. |
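Review bot: the comment on the shell image asserts that root is required to create directories and copy files to PVCs, but records neither the concrete case that fails nor whether the requirement is platform-specific; the discussion on this hunk attributes it to PVC ownership behaving differently on OpenShift and to an e2e failure in Prow, and that belongs in the comment so the next person does not quietly drop the root requirement or, conversely, never revisits it. It is also worth stating whether a pod-level `fsGroup` on the TaskRun podTemplate was considered as the alternative that keeps the shell step non-root. The gsutil image on the preceding line is pinned by sha256 digest, which is the right practice for a change whose purpose is to tighten the privilege of published images.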
Is that needed? The PVC should be owned by the user running the image?
I guess it doesn't on Kubernetes but only on OpenShift...
Pretty sure this blew up in Prow, so whatever's in the e2e test hit this.
/lgtm
Thanks!
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test pull-tekton-pipeline-integration-tests
The PullRequest Resource, when used as an output, is able to read in a pr.json to determine if there have been any changes that require syncing to GitHub. pr.json may have been written by any prior Step with any ownership settings. If pr.json was written with root permissions then the PullRequest Resource needs to have permissions to read that file. The PullRequest Resource image has been based on a nonroot image in our `.ko.yaml` since 0.13 of Tekton Pipelines ([`.ko.yaml` was updated here](#2606)). However, the published images did not match the configuration in the `.ko.yaml` until 0.15.0 ([our `tekton/publish.yaml` was brought into line with `.ko.yaml` here](#3018)). Given that copying or writing pr.json in a Step can result in the file being owned by root, using a nonroot image is not a suitable choice of base image: the output PullRequest attempts to open pr.json and hits a permissions error. This commit updates the PullRequest image to be based on distroless static instead of nonroot and adds an example yaml file that should exercise the behaviour of copying the file from an input to output pullrequest resource.
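The ownership failure described in the commit message above, worked through as an added example that is not code from tektoncd/pipeline: a POSIX owner/group/other permission check that answers whether a later Step running as the distroless `nonroot` user (uid and gid 65532) can open a pr.json that an earlier Step, possibly running as root, left in a shared volume. The `fileOwner` type, `canAccess`, `nonrootCanOpen` and the four scenarios are constructed for illustration; the model assumes plain mode bits only (no ACLs, no directory search bits) and treats uid 0 as bypassing the bits, which is the property a root image has and a nonroot image loses.

```go
package main

import (
	"fmt"
	"os"
)

// Permission bits requested by an open(2) call, in the access(2) convention.
const (
	readBit  os.FileMode = 4
	writeBit os.FileMode = 2
)

// The user the distroless nonroot images run as (uid and gid 65532).
const nonrootUID, nonrootGID uint32 = 65532, 65532

// fileOwner is a constructed stand-in for what stat(2) reports about a file a
// previous Step left in a shared volume: who wrote it and with which mode.
type fileOwner struct {
	uid, gid uint32
	mode     os.FileMode // permission bits only, e.g. 0o644
}

// canAccess applies the classic owner/group/other check. uid 0 bypasses the
// bits (CAP_DAC_OVERRIDE), which is exactly the behaviour lost when an image
// moves from a root to a nonroot base. ACLs and directory search bits are not
// modelled; this is an assumption of the example, not a claim about Tekton.
func canAccess(f fileOwner, uid, gid uint32, want os.FileMode) bool {
	if uid == 0 {
		return true
	}
	var bits os.FileMode
	switch {
	case f.uid == uid:
		bits = (f.mode >> 6) & 7
	case f.gid == gid:
		bits = (f.mode >> 3) & 7
	default:
		bits = f.mode & 7
	}
	return bits&want == want
}

// nonrootCanOpen reports whether the nonroot user could open the file for
// reading and for writing, the two ways an output resource may touch pr.json.
func nonrootCanOpen(f fileOwner) (readable, writable bool) {
	return canAccess(f, nonrootUID, nonrootGID, readBit),
		canAccess(f, nonrootUID, nonrootGID, writeBit)
}

func main() {
	// Constructed scenarios for a pr.json written by an earlier Step.
	scenarios := []struct {
		desc string
		f    fileOwner
	}{
		{"root wrote it with umask 022 (0644)", fileOwner{0, 0, 0o644}},
		{"root wrote it with a private mode (0600)", fileOwner{0, 0, 0o600}},
		{"nonroot wrote it (0600)", fileOwner{nonrootUID, nonrootGID, 0o600}},
		{"root wrote it, group 65532 (0660)", fileOwner{0, nonrootGID, 0o660}},
	}
	for _, s := range scenarios {
		r, w := nonrootCanOpen(s.f)
		fmt.Printf("%-44s read=%-5t write=%t\n", s.desc, r, w)
	}
}
```

The second scenario is the one the commit message sidesteps by returning the PullRequest image to a root base; the fourth shows the alternative that keeps the image nonroot, namely making the file's group match the reader (for instance via a pod-level `fsGroup`, which is a suggestion of this example rather than something the page records the project doing). Note that even the first, most permissive root-written case is readable but not writable by uid 65532, so an output resource that opens pr.json read-write fails there too.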
Changes
This changes a slew of containers that Tekton runs to use non-root base images.
This carries #2435 (discussed with @mattmoor)
Closes #2435
Signed-off-by: Vincent Demeester vdemeest@redhat.com
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmd dir, please update the release Task to build and release this image.
Reviewer Notes
If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.
Release Notes