SHIP-0036: Part 2: Introduce securityContext for build strategy spec

[SaschaSchwarze0]

Changes

This is part of the implementation of SHIP-0036: RunAs user and group for supporting steps.

This pull request introduces the securityContext on the BuildStrategy. It changes the BuildRun reconciler to set the runAsUser and runAsGroup of steps based on the build strategy's securityContext. /etc/group and /etc/passwd are mounted through downward API volumes as described in the ship.

In the Git step implementation I also added a verbose flag. This is false by default and not enabled anywhere. I needed it for additional logging during the implementation. As this can be helpful in future changes, I left it in, but can also remove it if desired.

The .ko.yaml is updated to use the new base images from part 1. The configuration was updated to have stricter security context's without privilege escalation and capabilities, and with the new shared home directory.

All sample build strategies have been updated to specify a strategy-level security context. The now unnecessary prepare steps have all been removed. The Paketo strategies are now using the Jammy builder and are proving that it is possible to run as an alternative non-root user successfully.

The change in gomega.go introduces an additional matcher. I am retaining it although the test code where I used it does not exist anymore after I refactored the solution based on feedback in the ship.

Documentation has been updated.

I am marking this as HOLD because a rollout must be coordinated with the PR SHIP-0036: Part 1: Update base images to allow an arbitrary user to run it #1268. Once both are approved, then

• The HOLD will be removed from the other pull request.
• A manual run of the base images build will be triggered.
• The temporary commit DO NOT MERGE Use base images from other pull request will be updated to use the base images from the other PR.
• The HOLD label on this PR will be removed.
• After the tests finished, this PR will be merged.
• All existing pull requests will need to be rebased when changes are made because the old code cannot run with the new base images.

Submitter Checklist

• Includes tests if functionality changed/was added
• Includes docs if changes are user-facing
• Set a kind label on this PR
• Release notes block has been filled in, or marked NONE

Release Notes

You can now define a securityContext on build strategy level to control the runAs user for all steps including the shipwright-managed steps. This allows you to use any runAs user for your build strategy steps while still being able to run without any runAsRoot steps.

[SaschaSchwarze0]

/hold

[HeavyWombat]

If it is really just that line, I would actually say to remove the verbose flag.

[SaschaSchwarze0]

/unhold

[HeavyWombat]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: HeavyWombat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [HeavyWombat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment