Switch to ghcr.io/distroless/busybox for shell-image

This is very similar to #4758 and #4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: #4761 Related: #4752
tektoncd · Apr 14, 2022 · 315ef44 · 315ef44
1 parent 80f9ac6
commit 315ef44
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -75,10 +75,12 @@ spec:
 
           # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
           "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f",
-          # The shell image must be root in order to create directories and copy files to PVCs.
-          # gcr.io/distroless/base:debug as of February 17, 2022
+
+          # The shell image must allow root in order to create directories and copy files to PVCs.
+          # ghcr.io/distroless/busybox as of TODO: digest
           # image shall not contains tag, so it will be supported on a runtime like cri-o
-          "-shell-image", "gcr.io/distroless/base@sha256:3cebc059e7e52a4f5a389aa6788ac2b582227d7953933194764ea434f4d70d64",
+          "-shell-image", "ghcr.io/distroless/busybox",
+
           # for script mode to work with windows we need a powershell image
           # pinning to nanoserver tag as of July 15 2021
           "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6",

diff --git a/pkg/apis/resource/v1alpha1/storage/artifact_pvc.go b/pkg/apis/resource/v1alpha1/storage/artifact_pvc.go
@@ -23,6 +23,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	"github.com/tektoncd/pipeline/pkg/names"
 	corev1 "k8s.io/api/core/v1"
+	"knative.dev/pkg/ptr"
 )
 
 var (
@@ -64,13 +65,23 @@ func (p *ArtifactPVC) GetCopyFromStorageToSteps(name, sourcePath, destinationPat
 // GetCopyToStorageFromSteps returns a container used to upload artifacts for temporary storage.
 func (p *ArtifactPVC) GetCopyToStorageFromSteps(name, sourcePath, destinationPath string) []v1beta1.Step {
 	return []v1beta1.Step{{Container: corev1.Container{
-		Name:         names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("source-mkdir-%s", name)),
-		Image:        p.ShellImage,
+		Name:  names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("source-mkdir-%s", name)),
+		Image: p.ShellImage,
+		// This requires us to run as root, and the ShellImage is nonroot
+		// by default.
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser: ptr.Int64(0),
+		},
 		Command:      []string{"mkdir", "-p", destinationPath},
 		VolumeMounts: []corev1.VolumeMount{GetPvcMount(p.Name)},
 	}}, {Container: corev1.Container{
-		Name:         names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("source-copy-%s", name)),
-		Image:        p.ShellImage,
+		Name:  names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("source-copy-%s", name)),
+		Image: p.ShellImage,
+		// This requires us to run as root, and the ShellImage is nonroot
+		// by default.
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser: ptr.Int64(0),
+		},
 		Command:      []string{"cp", "-r", fmt.Sprintf("%s/.", sourcePath), destinationPath},
 		VolumeMounts: []corev1.VolumeMount{GetPvcMount(p.Name)},
 		Env: []corev1.EnvVar{{