SHIP-0036: Part 2: Introduce securityContext for build strategy spec #1266
/hold
```go
if flagValues.verbose {
	log.Printf("Debug: %s %s\n", path, check.versionArg)
}
```
If it is really just that line, I would actually say to remove the verbose flag.
/unhold
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: HeavyWombat The full list of commands accepted by this bot can be found here. The pull request process is described here
Changes
This is part of the implementation of SHIP-0036: RunAs user and group for supporting steps.

This pull request introduces the `securityContext` on the BuildStrategy. It changes the BuildRun reconciler to set the `runAsUser` and `runAsGroup` of steps based on the build strategy's `securityContext`. `/etc/group` and `/etc/passwd` are mounted through downward API volumes as described in the ship.

In the Git step implementation I also added a `verbose` flag. This is false by default and not enabled anywhere. I needed it for additional logging during the implementation. As this can be helpful in future changes, I left it in, but can also remove it if desired.

The .ko.yaml is updated to use the new base images from part 1. The configuration was updated to have stricter security contexts without privilege escalation and capabilities, and with the new shared home directory.
All sample build strategies have been updated to specify a strategy-level security context. The now unnecessary prepare steps have all been removed. The Paketo strategies are now using the Jammy builder and are proving that it is possible to run as an alternative non-root user successfully.
The change in gomega.go introduces an additional matcher. I am retaining it although the test code where I used it does not exist anymore after I refactored the solution based on feedback in the ship.
Documentation has been updated.
I am marking this as HOLD because a rollout must be coordinated with the PR SHIP-0036: Part 1: Update base images to allow an arbitrary user to run it #1268. Once both are approved, then the commit "DO NOT MERGE Use base images from other pull request" will be updated to use the base images from the other PR.
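The propagation the description above talks about (the strategy-level `securityContext` applied to each step's `runAsUser`/`runAsGroup`, plus the `/etc/passwd` and `/etc/group` content the downward API volumes supply), as an added Go example that is not the project's own code. The types are simplified stand-ins for the Kubernetes and Shipwright types, the precedence of a step's own `runAsUser`/`runAsGroup` over the strategy's is my assumption, and the passwd/group line format is constructed.

```go
package main

import "fmt"

// Minimal stand-ins for the Kubernetes/Shipwright types (hypothetical, not the project's own).
type SecurityContext struct{ RunAsUser, RunAsGroup *int64 }
type Step struct {
	Name            string
	SecurityContext *SecurityContext
}
type BuildStrategy struct {
	SecurityContext *SecurityContext
	Steps           []Step
}

// applyStrategySecurityContext copies runAsUser/runAsGroup from the strategy-level
// securityContext onto every step; a value the step itself sets is kept (assumed
// precedence: step over strategy). The input strategy is left unmodified.
func applyStrategySecurityContext(strategy BuildStrategy) []Step {
	steps := make([]Step, len(strategy.Steps))
	copy(steps, strategy.Steps)
	if strategy.SecurityContext == nil {
		return steps
	}
	for i := range steps {
		merged := SecurityContext{} // fresh copy per step so the caller's data stays intact
		if steps[i].SecurityContext != nil {
			merged = *steps[i].SecurityContext
		}
		if merged.RunAsUser == nil {
			merged.RunAsUser = strategy.SecurityContext.RunAsUser
		}
		if merged.RunAsGroup == nil {
			merged.RunAsGroup = strategy.SecurityContext.RunAsGroup
		}
		steps[i].SecurityContext = &merged
	}
	return steps
}

// passwdAndGroup renders the /etc/passwd and /etc/group lines that map the effective
// uid/gid to a name and home directory, which the mounted files must provide for an
// arbitrary non-root user (constructed format, not the project's exact file content).
func passwdAndGroup(uid, gid int64, home string) (passwd, group string) {
	return fmt.Sprintf("builder:x:%d:%d:build user:%s:/sbin/nologin", uid, gid, home),
		fmt.Sprintf("builders:x:%d:", gid)
}
```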