Switch to ghcr.io/distroless/busybox for shell-image

This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: tektoncd#4761 Related: tektoncd#4752
mattmoor · Apr 14, 2022 · d3b4487 · d3b4487
1 parent 80f9ac6
commit d3b4487
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -75,10 +75,12 @@ spec:
 
           # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
           "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f",
-          # The shell image must be root in order to create directories and copy files to PVCs.
-          # gcr.io/distroless/base:debug as of February 17, 2022
+
+          # The shell image must allow root in order to create directories and copy files to PVCs.
+          # ghcr.io/distroless/busybox as of TODO: digest
           # image shall not contains tag, so it will be supported on a runtime like cri-o
-          "-shell-image", "gcr.io/distroless/base@sha256:3cebc059e7e52a4f5a389aa6788ac2b582227d7953933194764ea434f4d70d64",
+          "-shell-image", "ghcr.io/distroless/busybox",
+
           # for script mode to work with windows we need a powershell image
           # pinning to nanoserver tag as of July 15 2021
           "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6",