allow running buildah on newer nodes #806
Conversation
Hi @ibotty. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
No release notes are necessary (afaict), so what should I do?
/ok-to-test
@gabemontero what are your thoughts 🧑💻
I think a 1-line release note will help our users be aware of this change. But to get rid of the block without adding a release note, add
at the end of our PR description.
A release note like this will help our users:
I added the release notes as suggested. You are certainly right. BTW: I plan to do a pull request in tektoncd's catalog when the review here is done.
/assign @piyush-garg |
@piyush-garg do we need to add similar securityContext blocks to all the s2i tasks in our addons here?
@ibotty is this PR tested on any OpenShift cluster? I am not able to run the tasks as a normal user.
Yes, after manually changing the SCC and copying the buildah task to add the changes I can run it on OKD 4.8. I did not build a different operator and let it change the CRDs, though.
ok @ibotty @nikhil-thomas @piyush-garg
For @nikhil-thomas's question to myself, @adambkaplan, and @sbose78 about the security implications, I'm not sure I feel qualified to respond with confidence on how good or bad that additional change is, but I believe @nalind did tell me this was not a temporary state of affairs, that it was what would be needed moving forward. @nalind, do you have any input on the relative safety, or lack thereof, around CAP_SETFCAP?
That's all I got. Thanks.
Note: as I understand it, "the problem" and the need for this new permission only apply to running on OCP 4.11.
/hold let us get some more 👀 on this.
It did not work for me as a normal user, but worked as kubeadmin.
@piyush-garg: Are you sure you the
And on OKD since, I guess, forever.
That's right, I have no reason to expect the kernel to revert this.
I'm not an expert on that.
I must have misspoken. The most we can do there is check for that capability (near the existing check for CAP_SYS_ADMIN) and suggest it as a possible cause when we fail to set up the ID mappings.
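The check @nalind describes above, as an added example that is neither buildah's own code nor part of this PR: it reads CapEff from /proc/self/status, tests the CAP_SYS_ADMIN and CAP_SETFCAP bits (21 and 31 in linux/capability.h), and when one is missing produces the hint to print alongside an ID-mapping failure, spelled the way a Kubernetes securityContext expects it (without the CAP_ prefix, which is the mix-up that comes up later in this thread). The function names, the sample status text and the message wording are this example's own assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers as defined in linux/capability.h.
const (
	CapSysAdmin uint = 21
	CapSetfcap  uint = 31
)

// kubeCapName converts a Linux capability name to the spelling Kubernetes
// expects in securityContext.capabilities.add: the CAP_ prefix is dropped,
// so CAP_SETFCAP becomes SETFCAP.
func kubeCapName(linuxName string) string {
	return strings.TrimPrefix(linuxName, "CAP_")
}

// parseCapEff extracts the effective capability mask from the text of
// /proc/self/status, where the kernel prints it as "CapEff:\t<16 hex digits>".
func parseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		return strconv.ParseUint(hex, 16, 64)
	}
	return 0, fmt.Errorf("no CapEff line in status")
}

// hasCap reports whether capability bit is set in mask.
func hasCap(mask uint64, bit uint) bool {
	return mask&(1<<bit) != 0
}

// missingIDMappingCaps lists, in Linux spelling, the capabilities checked
// before user-namespace ID mappings are set up that are absent from mask.
func missingIDMappingCaps(mask uint64) []string {
	var missing []string
	if !hasCap(mask, CapSysAdmin) {
		missing = append(missing, "CAP_SYS_ADMIN")
	}
	if !hasCap(mask, CapSetfcap) {
		missing = append(missing, "CAP_SETFCAP")
	}
	return missing
}

// idMappingHint is the diagnostic to attach when ID mapping setup fails.
// It returns "" when nothing is missing; otherwise it names the absent
// capabilities and the Kubernetes spelling needed to request them.
// (Message wording is an assumption of this example, not buildah's text.)
func idMappingHint(mask uint64) string {
	missing := missingIDMappingCaps(mask)
	if len(missing) == 0 {
		return ""
	}
	kube := make([]string, len(missing))
	for i, c := range missing {
		kube[i] = kubeCapName(c)
	}
	return fmt.Sprintf("possible cause: process lacks %s; in a pod, request %s via securityContext.capabilities.add",
		strings.Join(missing, ", "), strings.Join(kube, ", "))
}

func main() {
	status, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read /proc/self/status:", err)
		os.Exit(1)
	}
	mask, err := parseCapEff(string(status))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if hint := idMappingHint(mask); hint != "" {
		fmt.Println(hint)
		return
	}
	fmt.Println("CAP_SYS_ADMIN and CAP_SETFCAP are both in the effective set")
}
```

Run it inside the buildah step's container to see which of the two capabilities the pod's SCC actually granted; a mask of 00000000a80425fb (a common container default) has bit 31 set but not bit 21, while a pod that drops ALL shows all zeros and trips both checks.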
Argh! I forgot to mention, I am using the task with
It should be noted that https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
Good catch @adambkaplan, forgot to look there. Yes, that is probably the best answer to say it is "OK" for
Yes, I see it like this and am not able to create the pod. The TaskRun is not able to convert to a pod.
I tried this PR on OCP 4.11.
Steps performed:
Pods created are using pipeline-scc.
Argh. While trying to debug the problem I noticed that I made a copy-paste error: the capabilities are not prepended with
Should I update the PR to add (the right) capability to all other s2i tasks as well?
025b581 to 1e4ff69
- name: digest-to-results | ||
image: $(params.BUILDER_IMAGE) | ||
script: cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST | ||
securityContext: |
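Review bot: the securityContext added to the digest-to-results step is unnecessary: the step only runs `cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST`, which needs no extra capability, and the thread itself concludes that only the build and push steps need SETFCAP, so drop the block from this step. Separately, because the step's exit status is that of the last command in the pipeline, a missing image-digest file makes cat fail while tee still succeeds and the step passes with an empty IMAGE_DIGEST result; `tee /tekton/results/IMAGE_DIGEST < $(workspaces.source.path)/image-digest` fails loudly in that case.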
We don't need to add the capability for this step.
Aah, thanks. I also misunderstood that we need to add the capabilities like in Linux, but it is different for containers.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Yes, we need to do the change for all s2i tasks too, but only for the build and push steps, not all.
1e4ff69 to 33316e9
...ator/kodata/tekton-addon/addons/02-clustertasks/source_local/s2i-dotnet/s2i-dotnet-task.yaml
33316e9 to dc79d1c
Followed up, looks good 👍
/lgtm
/lgtm
Changes
This will allow running buildah on nodes with kernel 5.12 or later. Buildah requires the SETFCAP capability to work. This pull request updates the OpenShift SCC to allow adding this capability and the included buildah clustertask to request it. I do not have access to clusters with older kernels so I don't know whether it will work on these nodes.