shell-image should specify to run as root when it needs it. #4761
Comments
FYI this is the shell-image equivalent to: #4711
This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: tektoncd#4761 Related: tektoncd#4752
Ultimately the goal of this issue is to weaken this wording where
... to wording where the image must support running as
One of the places that must be fixed up is here: pipeline/pkg/apis/resource/v1alpha1/storage/artifact_pvc.go Lines 66 to 80 in 80f9ac6
Clearly (from the comment) this code dealing with PVCs is one of the key places where the root requirement had originally stemmed from. I will see if/what else fails when these have an explicit
Expected Behavior
A default nonroot version of shell-image can pass e2e testing without issues.
Actual Behavior
permission denied setting up PVCs.
@imjasonh brought up a great point about the script: semantics as well, which are probably being run as root due to the choice of default user today, but I have not confirmed.
Steps to Reproduce the Problem
Replace the -shell-image in config/controller.yaml with ghcr.io/distroless/busybox (which is nonroot by default).
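As an added example (not code from this issue, the linked PR, or the Tekton project), here is what "be explicit about root where it is needed" looks like from a Task author's side: every step inherits the nonroot default of ghcr.io/distroless/busybox, and only the step that creates a directory on a PVC-backed workspace opts into root with `securityContext.runAsUser: 0`. The Task name, workspace name, directory path and the nonroot uid 65532 used in the chown are assumptions made for the example.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: pvc-setup-example          # hypothetical name
spec:
  workspaces:
    - name: shared                 # hypothetical; bound to a PVC by the TaskRun
  steps:
    # A freshly provisioned PVC is usually owned by root, so creating and
    # chowning a directory on it as the image's nonroot user fails with
    # "permission denied". This step asks for root explicitly instead of
    # relying on whatever user the image happens to default to.
    - name: prepare-pvc
      image: ghcr.io/distroless/busybox
      securityContext:
        runAsUser: 0
      script: |
        #!/bin/sh
        set -eu
        mkdir -p "$(workspaces.shared.path)/artifacts"
        # 65532 is assumed here to be the image's nonroot uid.
        chown -R 65532:65532 "$(workspaces.shared.path)/artifacts"

    # Every other step keeps the nonroot default; no securityContext needed.
    - name: use-pvc
      image: ghcr.io/distroless/busybox
      script: |
        #!/bin/sh
        set -eu
        id -u
        echo "hello from a nonroot step" > "$(workspaces.shared.path)/artifacts/out.txt"
```

The `id -u` in the second step is the check worth keeping while migrating: after the TaskRun completes, its log should show the nonroot uid rather than 0, which confirms the image default (not an inherited root user) is what ordinary steps actually run as. Dropping the `securityContext` from `prepare-pvc` reproduces the "permission denied setting up PVCs" failure described above.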