RHDEVDOCS-3306: Document running image build tasks as unprivileged builds #44733

HarshCasper · 2022-04-20T09:42:17Z

JIRA ID: RHDEVDOCS-3306
Applies for OCP 4.10+
Aligned team: DevTools
SME review:
Peer Review: @rolfedh @abrennan89
Docs Preview:

netlify · 2022-04-20T09:45:26Z

✅ Deploy Preview for osdocs ready!

Name	Link
🔨 Latest commit	e51a3c8f3e883c7332158f689b302f72fba5ce05
🔍 Latest deploy log	https://app.netlify.com/sites/osdocs/deploys/62725929aead870008037a49
😎 Deploy Preview	https://deploy-preview-44733--osdocs.netlify.app/openshift-enterprise/latest/cicd/pipelines/running-workloads-and-buildah-as-user-namespaces-on-openshift-pipelines
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

modules/op-security-with-custom-scc.adoc

_topic_maps/_topic_map.yml

cicd/pipelines/running-workload-as-user-namespaces-on-openshift-pipelines.adoc

modules/op-running-as-root-user-namespace.adoc

cicd/pipelines/running-workloads-and-buildah-as-user-namespaces-on-openshift-pipelines.adoc

modules/op-running-as-root-user-namespace.adoc

cicd/pipelines/running-workloads-and-buildah-as-user-namespaces-on-openshift-pipelines.adoc

modules/op-running-as-root-user-namespace.adoc

modules/op-running-as-rootless-in-container.adoc

modules/op-security-with-custom-scc.adoc

rolfedh · 2022-04-22T13:00:57Z

Please make sure to include elements/follow practices that are required by the mod docs standard and Jupiter.
Here's an excerpt from a template that I generated using the newdoc tool. (I used "trash" as the filename, so ignore that.) Some of these requirements involve:

the file name
the id
the content type

////
Base the file name and the ID on the module title. For example:
* file name: proc-doing-procedure-a.adoc
* ID: [id="proc-doing-procedure-a_{context}"]
* Title: = Doing procedure A

The ID is an anchor that links to the module. Avoid changing it after the module has been published to ensure existing links are not broken.

The `context` attribute enables module reuse. Every module ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide.
////

////
Indicate the module type in one of the following
ways:
Add the prefix proc- or proc_ to the file name.
Add the following attribute before the module ID:
////
:_content-type: PROCEDURE

[id="proc_trash_{context}"]
= trash

abrennan89

Added some review comments. Happy to take another look once a new preview has been added.

See https://docs.google.com/document/u/2/d/e/2PACX-1vRLKWEMHQ3DZroxZKfTu3XcrSdREr6D3oSSayBanEprXhkA2Ciyr2SQuDTYI4aIKUiOPPIQMHgjHeh8/pub#h.vrlifsbvvjd8 for instructions on adding a manual preview @HarshCasper

abrennan89 · 2022-06-15T12:42:07Z

@HarshCasper please also add the affected versions to the description

abrennan89

Added a review

cicd/pipelines/running-workloads-and-buildah-as-user-namespaces-on-openshift-pipelines.adoc

modules/op-running-as-root-user-namespace.adoc

modules/op-running-unpriveleged-builds-in-a-container.adoc

modules/op-using-custom-scc-to-improve-prod-security.adoc

abrennan89 · 2022-06-15T15:39:58Z

modules/op-using-custom-scc-to-improve-prod-security.adoc

+* Edit the `pipelines-scc` and modify the `runAsUser` and `seLinuxContext`.
+
+[source,yaml,subs="attributes+"]
+----


same comment as per runAsUser and seLinuxContext - literals should always have a noun explaining them

modules/op-running-unpriveleged-builds-in-a-container.adoc

HarshCasper · 2022-06-17T17:42:13Z

modules/op-running-unpriveleged-builds-in-a-container.adoc

+The following output is displayed:
+
+[source,terminal]


Need SME input here.

modules/op-running-unpriveleged-builds-in-a-container.adoc

ppitonak · 2022-06-21T07:17:52Z

modules/op-running-unpriveleged-builds-in-a-container.adoc

+...
+----
+
+. Test it using the above `ConfigMap` object workspace along with a sample DockerFile and a sample taskrun.


Which sample?

Who is this question for? As the SMEs here, @chmouel and @ppitonak, please make actionable recommendations.

ppitonak · 2022-06-21T07:20:59Z

modules/op-using-custom-scc-to-improve-prod-security.adoc

+
+.Procedure
+
+* Edit the `pipelines-scc` and modify the `runAsUser` and `seLinuxContext`:


IMHO it's safer to create a new SCC. This one is managed by operator so it could be removed or changed after updating OpenShift Pipelines.

modules/op-using-custom-scc-to-improve-prod-security.adoc

modules/op-running-unpriveleged-builds-in-a-container.adoc

cicd/pipelines/running-workloads-and-buildah-as-user-namespaces-on-openshift-pipelines.adoc

rolfedh · 2022-06-23T17:09:40Z

modules/op-running-as-root-user-namespace.adoc

+:_content-type: PROCEDURE
+
+[id="op-running-as-root-user-namespace_{context}"]
+= Running as root in a user namespace


Based on Jake's comment below, how about:

Suggested change

= Running as root in a user namespace

= Running buildah as root in a user namespace

Okay @jc-berger ?

modules/op-running-as-root-user-namespace.adoc

modules/op-running-unpriveleged-builds-in-a-container.adoc

…ilds

openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 20, 2022

chmouel reviewed Apr 21, 2022

View reviewed changes

modules/op-security-with-custom-scc.adoc Outdated Show resolved Hide resolved

modules/op-security-with-custom-scc.adoc Outdated Show resolved Hide resolved

HarshCasper force-pushed the RHDEVDOCS-3306 branch from 8714c96 to 9d45f7d Compare April 21, 2022 08:47

siamaksade reviewed Apr 21, 2022

View reviewed changes

_topic_maps/_topic_map.yml Outdated Show resolved Hide resolved