Add a Dockerfile that adds a non-root user to alpine/git base #408
This PR cannot be merged: expecting exactly one kind/ label Available
/kind misc
You may want to add a CI pipeline (and thus check) for this pipeline 👼 (see tekton/ci folder)
/lgtm
/cc @afrittoli
ok, I've added a nightly cronjob for the image, along with an entry in
@sbwsg yeah that is perfect I think 😉 We are going to document this better and most likely do a walkthrough/demo on the overall ci/cd on plumbing to help contributors 👼 🤞
/mario build tekton/images/alpine-git-nonroot alpine-git-nonroot:mario
Here is the image you requested: built image | build logs
Nice, thank you!
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli The full list of commands accepted by this bot can be found here. The pull request process is described here
Changes
In order to test Pipelines credentials in environments without
root users (i.e. in openshift clusters, or other more locked-down
envs) we need a container image that has a non-root user along
with a tool to exercise the credentials.
This commit adds an alpine-git-nonroot image to our plumbing repo
for use in testing credentials in non-root environments. It uses
alpine/git as its base and then adds a user called nonroot with
UID 1000 to it. This image's first intended use is as a Step in
an example TaskRun that will test creds-init credentials with
non-root securityContext. That PR is ongoing here:
tektoncd/pipeline#2671
Submitter Checklist