Merge remote-tracking branch 'upstream/master'

.ko.yaml

@@ -6,6 +6,9 @@ baseImageOverrides:
   github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
   # GCS fetcher needs root due to workspace permissions
   github.com/tektoncd/pipeline/vendor/github.com/GoogleCloudPlatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher: gcr.io/distroless/static:latest
+  # PullRequest resource needs root because in output mode it needs to access pr.json
+  # which might have been copied or written with any level of permissions.
+  github.com/tektoncd/pipeline/cmd/pullrequest-init: gcr.io/distroless/static:latest
 
   # Our entrypoint image does not need root, it simply needs to be able to 'cp' the binary into a shared location.
   github.com/tektoncd/pipeline/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot

DEVELOPMENT.md

@@ -95,32 +95,38 @@ The recommended configuration is:
 -   Node autoscaling, up to 3 nodes
 -   API scopes for cloud-platform
 
-### To setup a cluster with Docker Desktop:
 
-Docker Desktop using an edge version has been proven to work for both developing
-and running Pipelines.
+### To setup a cluster using MiniKube:
 
-To use minikube:
+- Follow instructions for your platform to [Install Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) and start a session as follows:
 
 ```bash
 minikube start eval $(minikube docker-env)
 ```
 
-To use the Kubernetes that comes with Docker Desktop: 
+### To setup a cluster with Docker Desktop:
+
+Docker Desktop versions come integrated with an edge version of Kubernetes that has been proven to work for both developing and running Pipelines.  To find out what Kubernetes a specific version of Docker Desktop includes, please refer to the release notes for your platform here: https://docs.docker.com/.
+
+To enable the Kubernetes that comes with Docker Desktop:
+
+1.  From the Docker Desktop dropdown menu, open the `preferences...` interface.
+
+1. Under the `Resources` tab ensure that in the `ADVANCED` menuitem you have at allocated at least 4 CPUs, 8.0 GiB Memory, and 1.0 GiB Swap.
 
-1.  First go into the Docker Desktop preferences. Under the resource tabs ensure
-    that you have at least 4 CPUs, 8.0 GiB Memory, and 1.0 GiB Swap. 
+1.  Under the `Kubernetes` tab, check the   `Enable Kubernetes` box.
 
-1.  Under the Kubernetes tab, enable Kubernetes.
+    * *Note: the Kubernetes version Docker Desktop will use is displayed at the top of the window.*
 
-1.  Click the Apply and Restart button to save the preferences.
+1.  Click the `Apply and Restart` button to save the preferences.
 
 1.  Switch the proper `kubectl` config context:
 
     ```bash
     kubectl config get-contexts # You should see docker-for-desktop in the previous command output
     kubectl config use-context docker-for-desktop
     ```
+    * *Note: Docker Desktop menu provides a `Kubernetes` menuitem that allows you to select between contexts which is equivalent to the `kubectl` command.*
 
 ### To setup a cluster with GKE:
 

README.md

@@ -38,7 +38,10 @@ a cluster with **Kubernetes version 1.16 or later***.
 | Version | Docs | Examples |
 | ------- | ---- | -------- |
 | [HEAD](DEVELOPMENT.md#install-pipeline) | [Docs @ HEAD](/docs/README.md) | [Examples @ HEAD](/examples) |
-| [v0.14.2](https://github.com/tektoncd/pipeline/releases/tag/v0.14.2) | [Docs @ v0.14.1](https://github.com/tektoncd/pipeline/tree/v0.14.2/docs#tekton-pipelines) | [Examples @ v0.14.2](https://github.com/tektoncd/pipeline/tree/v0.14.2/examples#examples) |
+| [v0.15.1](https://github.com/tektoncd/pipeline/releases/tag/v0.15.1) | [Docs @ v0.15.1](https://github.com/tektoncd/pipeline/tree/v0.15.1/docs#tekton-pipelines) | [Examples @ v0.15.1](https://github.com/tektoncd/pipeline/tree/v0.15.1/examples#examples) |
+| [v0.15.0](https://github.com/tektoncd/pipeline/releases/tag/v0.15.0) | [Docs @ v0.15.0](https://github.com/tektoncd/pipeline/tree/v0.15.0/docs#tekton-pipelines) | [Examples @ v0.15.0](https://github.com/tektoncd/pipeline/tree/v0.15.0/examples#examples) |
+| [v0.14.3](https://github.com/tektoncd/pipeline/releases/tag/v0.14.3) | [Docs @ v0.14.3](https://github.com/tektoncd/pipeline/tree/v0.14.3/docs#tekton-pipelines) | [Examples @ v0.14.3](https://github.com/tektoncd/pipeline/tree/v0.14.3/examples#examples) |
+| [v0.14.2](https://github.com/tektoncd/pipeline/releases/tag/v0.14.2) | [Docs @ v0.14.2](https://github.com/tektoncd/pipeline/tree/v0.14.2/docs#tekton-pipelines) | [Examples @ v0.14.2](https://github.com/tektoncd/pipeline/tree/v0.14.2/examples#examples) |
 | [v0.14.1](https://github.com/tektoncd/pipeline/releases/tag/v0.14.1) | [Docs @ v0.14.1](https://github.com/tektoncd/pipeline/tree/v0.14.1/docs#tekton-pipelines) | [Examples @ v0.14.1](https://github.com/tektoncd/pipeline/tree/v0.14.1/examples#examples) |
 | [v0.14.0](https://github.com/tektoncd/pipeline/releases/tag/v0.14.0) | [Docs @ v0.14.0](https://github.com/tektoncd/pipeline/tree/v0.14.0/docs#tekton-pipelines) | [Examples @ v0.14.0](https://github.com/tektoncd/pipeline/tree/v0.14.0/examples#examples) |
 | [v0.13.2](https://github.com/tektoncd/pipeline/releases/tag/v0.13.2) | [Docs @ v0.13.2](https://github.com/tektoncd/pipeline/tree/v0.13.2/docs#tekton-pipelines) | [Examples @ v0.13.2](https://github.com/tektoncd/pipeline/tree/v0.13.2/examples#examples) |

cmd/controller/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"flag"
+	"log"
 
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/reconciler/pipelinerun"
@@ -34,34 +35,24 @@ const (
 )
 
 var (
-	entrypointImage = flag.String("entrypoint-image", "override-with-entrypoint:latest",
-		"The container image containing our entrypoint binary.")
-	nopImage               = flag.String("nop-image", "tianon/true", "The container image used to stop sidecars")
-	affinityAssistantImage = flag.String("affinity-assistant-image", "nginx", "The container image used for the Affinity Assistant")
-	gitImage               = flag.String("git-image", "override-with-git:latest",
-		"The container image containing our Git binary.")
-	credsImage = flag.String("creds-image", "override-with-creds:latest",
-		"The container image for preparing our Build's credentials.")
-	kubeconfigWriterImage = flag.String("kubeconfig-writer-image", "override-with-kubeconfig-writer:latest",
-		"The container image containing our kubeconfig writer binary.")
-	shellImage  = flag.String("shell-image", "busybox", "The container image containing a shell")
-	gsutilImage = flag.String("gsutil-image", "google/cloud-sdk",
-		"The container image containing gsutil")
-	buildGCSFetcherImage = flag.String("build-gcs-fetcher-image", "gcr.io/cloud-builders/gcs-fetcher:latest",
-		"The container image containing our GCS fetcher binary.")
-	prImage = flag.String("pr-image", "override-with-pr:latest",
-		"The container image containing our PR binary.")
-	imageDigestExporterImage = flag.String("imagedigest-exporter-image", "override-with-imagedigest-exporter-image:latest",
-		"The container image containing our image digest exporter binary.")
-	namespace = flag.String("namespace", corev1.NamespaceAll, "Namespace to restrict informer to. Optional, defaults to all namespaces.")
+	entrypointImage          = flag.String("entrypoint-image", "", "The container image containing our entrypoint binary.")
+	nopImage                 = flag.String("nop-image", "", "The container image used to stop sidecars")
+	gitImage                 = flag.String("git-image", "", "The container image containing our Git binary.")
+	credsImage               = flag.String("creds-image", "", "The container image for preparing our Build's credentials.")
+	kubeconfigWriterImage    = flag.String("kubeconfig-writer-image", "", "The container image containing our kubeconfig writer binary.")
+	shellImage               = flag.String("shell-image", "", "The container image containing a shell")
+	gsutilImage              = flag.String("gsutil-image", "", "The container image containing gsutil")
+	buildGCSFetcherImage     = flag.String("build-gcs-fetcher-image", "", "The container image containing our GCS fetcher binary.")
+	prImage                  = flag.String("pr-image", "", "The container image containing our PR binary.")
+	imageDigestExporterImage = flag.String("imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
+	namespace                = flag.String("namespace", corev1.NamespaceAll, "Namespace to restrict informer to. Optional, defaults to all namespaces.")
 )
 
 func main() {
 	flag.Parse()
 	images := pipeline.Images{
 		EntrypointImage:          *entrypointImage,
 		NopImage:                 *nopImage,
-		AffinityAssistantImage:   *affinityAssistantImage,
 		GitImage:                 *gitImage,
 		CredsImage:               *credsImage,
 		KubeconfigWriterImage:    *kubeconfigWriterImage,
@@ -71,6 +62,9 @@ func main() {
 		PRImage:                  *prImage,
 		ImageDigestExporterImage: *imageDigestExporterImage,
 	}
+	if err := images.Validate(); err != nil {
+		log.Fatal(err)
+	}
 	sharedmain.MainWithContext(injection.WithNamespaceScope(signals.NewContext(), *namespace), ControllerLogKey,
 		taskrun.NewController(*namespace, images),
 		pipelinerun.NewController(*namespace, images),

cmd/kubeconfigwriter/main.go

@@ -24,11 +24,11 @@ import (
 	"strings"
 
 	"github.com/tektoncd/pipeline/pkg/apis/resource/v1alpha1/cluster"
-	"github.com/tektoncd/pipeline/pkg/logging"
 	"go.uber.org/zap"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"knative.dev/pkg/logging"
 )
 
 var (

cmd/nop/README.md

@@ -0,0 +1,38 @@
+# `nop` Image
+
+This image is responsible for two internal functions of Tekton:
+
+1. Stopping sidecar containers[#stopping-sidecar-containers]
+1. Affinity Assistant StatefulSet[#affinity-assistant-statefulset]
+
+The `nop` image satisfies these two functions with a minimally small image,
+both to optimize image pull latency and to present a minimal surface for a
+potential attacker.
+
+## Stopping sidecar containers
+
+When all steps in a TaskRun are complete, Tekton attempts to gracefully stop
+any running sidecar containers, by replacing their `image` with an image that
+exits immediately, regardless of any `args` passed to the container.
+
+When the `nop` image is run with any args (except one unique string, described
+[below](#affinity-assistant-statefulset)), it will exit with the exit code zero
+immediately.
+
+* **NB:** If the sidecar container has its `command` specified, the `nop`
+  binary will not be invoked, and may exit with a non-zero exit code. Tekton
+  will not interpret this as a TaskRun failure, but it may result in noisy
+  logs/metrics being emitted.
+
+## Affinity Assistant StatefulSet
+
+The Affinity Assistant, which powers [workspaces](docs/workspaces.md), works
+by running a
+[`StatefulSet`](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/)
+with an container that runs indefinitely. This container doesn't need to _do_
+anything, it just needs to exist.
+
+When the `nop` image is passed the string `tekton_run_indefinitely` (a unique,
+Tekton-identified string), it will run indefinitely until it receives a signal
+to terminate. The affinity assistant StatefulSet passes this arg to ensure its
+container runs indefinitely.

cmd/nop/kodata/HEAD

@@ -0,0 +1 @@
+../../../.git/HEAD

cmd/nop/kodata/LICENSE

@@ -0,0 +1 @@
+../../../LICENSE

cmd/nop/kodata/refs

@@ -0,0 +1 @@
+../../../.git/refs

cmd/nop/kodata/third_party

@@ -0,0 +1 @@
+../../../third_party

cmd/nop/main.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2020 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+)
+
+func main() {
+	if len(os.Args) >= 2 && os.Args[1] == "tekton_run_indefinitely" {
+		log.Println("Waiting indefinitely...")
+		ch := make(chan os.Signal)
+		signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
+		log.Println("received signal:", <-ch)
+	}
+
+	log.Println("Exiting...")
+	os.Exit(0)
+}

config/101-podsecuritypolicy.yaml

@@ -30,7 +30,7 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: 'MustRunAsNonRoot'
   seLinux:
     rule: 'RunAsAny'
   supplementalGroups:

config/200-clusterrole.yaml

@@ -39,10 +39,6 @@ rules:
   - apiGroups: ["tekton.dev"]
     resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

config/200-role.yaml

@@ -30,6 +30,10 @@ rules:
     resources: ["configmaps"]
     verbs: ["get"]
     resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-pipelines"]
+    verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -59,3 +63,7 @@ rules:
     resources: ["secrets"]
     verbs: ["get", "update"]
     resourceNames: ["webhook-certs"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-pipelines"]
+    verbs: ["use"]

config/config-artifact-bucket.yaml

@@ -28,3 +28,6 @@ metadata:
 #    bucket.service.account.secret.name:
 #    # The key in the secret with the required service account json
 #    bucket.service.account.secret.key:
+#    # The field name that should be used for the service account
+#    # Valid values: GOOGLE_APPLICATION_CREDENTIALS, BOTO_CONFIG.
+#    bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS

config/config-defaults.yaml

@@ -61,4 +61,10 @@ data:
     # Note that right now it is still not possible to set a PipelineRun or
     # TaskRun specific sink, so the default is the only option available.
     # If no sink is specified, no CloudEvent is generated
-    # default-cloud-events-sink:
+    # default-cloud-events-sink:
+      
+    # default-task-run-workspace-binding contains the default workspace
+    # configuration provided for any Workspaces that a Task declares
+    # but that a TaskRun does not explicitly provide.
+    # default-task-run-workspace-binding: |
+    #   emptyDir: {}

config/controller.yaml

@@ -62,18 +62,11 @@ spec:
           "-creds-image", "ko://github.com/tektoncd/pipeline/cmd/creds-init",
           "-git-image", "ko://github.com/tektoncd/pipeline/cmd/git-init",
           "-entrypoint-image", "ko://github.com/tektoncd/pipeline/cmd/entrypoint",
+          "-nop-image", "ko://github.com/tektoncd/pipeline/cmd/nop",
           "-imagedigest-exporter-image", "ko://github.com/tektoncd/pipeline/cmd/imagedigestexporter",
           "-pr-image", "ko://github.com/tektoncd/pipeline/cmd/pullrequest-init",
           "-build-gcs-fetcher-image", "ko://github.com/tektoncd/pipeline/vendor/github.com/GoogleCloudPlatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher",
 
-          # This image is used as a placeholder pod, the Affinity Assistant
-          # TODO(#2640) We may want to create a custom, minimal binary
-          # As of June 8, 2020, tag 1.19.0
-          "-affinity-assistant-image", "nginx@sha256:c870bf53de0357813af37b9500cb1c2ff9fb4c00120d5fe1d75c21591293c34d",
-
-          # These images are pulled from Dockerhub, by digest, as of May 19, 2020.
-          # As of May 29, 2020 new sha for nop image
-          "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b",
           # This is google/cloud-sdk:293.0.0-slim
           "-gsutil-image", "google/cloud-sdk@sha256:37654ada9b7afbc32828b537030e85de672a9dd468ac5c92a36da1e203a98def",
           # The shell image must be root in order to create directories and copy files to PVCs.
@@ -91,6 +84,8 @@ spec:
         # If you are changing these names, you will also need to update
         # the controller's Role in 200-role.yaml to include the new
         # values in the "configmaps" "get" rule.
+        - name: CONFIG_DEFAULTS_NAME
+          value: config-defaults
         - name: CONFIG_LOGGING_NAME
           value: config-logging
         - name: CONFIG_OBSERVABILITY_NAME
@@ -105,6 +100,9 @@ spec:
           value: config-leader-election
         - name: METRICS_DOMAIN
           value: tekton.dev/pipeline
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
       volumes:
         - name: config-logging
           configMap:

config/webhook.yaml

@@ -82,6 +82,7 @@ spec:
           value: tekton.dev/pipeline
         securityContext:
           allowPrivilegeEscalation: false
+          runAsUser: 1001
         ports:
         - name: metrics
           containerPort: 9090