Switch to ghcr.io/distroless/busybox for shell-image
#4762
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tekton-robot
added
release-note
mattmoor
force-pushed
the
shell-image-nonroot
branch
from
d3b4487
to
315ef44
Compare
tekton-robot
added
size/S
mattmoor
commented
Apr 14, 2022
mattmoor
force-pushed
the
shell-image-nonroot
branch
from
315ef44
to
2752c85
Compare
tekton-robot
added
size/M
This is very similar to tektoncd#4758 and tektoncd#4717 but for `shell-image`. This switches the default user of the `shell-image` to `nonroot`, which forces Tekton to be explicit about all of the places it needs a shell as `root` using `runAsUser: 0`. This also switches things over to a much leaner `busybox` image (no `glibc`), which is the main thing we use `base:debug` for with the OG distroless images. Fixes: tektoncd#4761 Related: tektoncd#4752
mattmoor
force-pushed
the
shell-image-nonroot
branch
from
2752c85
to
90e86cf
Compare
mattmoor
changed the title
ghcr.io/distroless/busybox for shell-imageghcr.io/distroless/busybox for shell-image
tekton-robot
removed
the
do-not-merge/work-in-progress
|
/hold I am optimistic this will now pass e2e testing, so removing the |
tekton-robot
added
the
do-not-merge/hold
|
/lgtm Thanks! |
|
/test pull-tekton-pipeline-alpha-integration-tests Sidecar test flake 😞 |
|
isolated-workspaces 🙄 /test pull-tekton-pipeline-alpha-integration-tests |
vdemeester
approved these changes
Apr 15, 2022
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
/test pull-tekton-pipeline-integration-tests Going to run e2e once more with the nightly images |
|
Let's get it baking /hold cancel |
tekton-robot
removed
the
do-not-merge/hold
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is very similar to #4758 and #4717 but for
shell-image. This switches the default user of theshell-imagetononroot, which forces Tekton to be explicit about all of the places it needs a shell asrootusingrunAsUser: 0.This also switches things over to a much leaner
busyboximage (noglibc), which is the main thing we usebase:debugfor with the OG distroless images.Fixes: #4761
Related: #4752
/kind cleanup
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
(if there are no user facing changes, use release note "NONE")
Release Notes