shipwright-io / build

Shipwright - a framework for building container images on Kubernetes
https://shipwright.io
Apache License 2.0

Track the buildah support and plan for shipwright build #134

Open zhangtbj opened 4 years ago

zhangtbj commented 4 years ago

As far as I know, there was some discussion before with the buildah team about supporting non-privileged mode.

We need an issue to track the status and what we need to do to support buildah.

It is also a blocker because s2i also depends on buildah.

There are some discussions in the buildah repo: https://github.com/containers/buildah/issues/1335

Maybe we need a plan or workaround for that in future.

sbose78 commented 4 years ago

What is the best way to have a test net to make the environment reject privileged builds on travis for kube?

sbose78 commented 4 years ago

It is also a blocker because s2i also depends on buildah.

I remember this being tracked somewhere, if this blocks s2i usage, let's use something other than buildah for building s2i Dockerfiles. @otaviof

zhangtbj commented 4 years ago

There is a reply: https://github.com/containers/buildah/issues/2262

docker run -it --rm --security-opt seccomp=unconfined \
    --security-opt apparmor=unconfined \
    quay.io/buildah/stable:latest bash
buildah pull busybox

It works!

k8s PodSecurityPolicy annotations - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp

Let us try later.

sbose78 commented 4 years ago

@zhangtbj do you know which podsecuritypolicy should have these annotations?

apparmor.security.beta.kubernetes.io/defaultProfileName: unconfined
seccomp.security.alpha.kubernetes.io/defaultProfileName: unconfined

Do we need to:

  1. Create a PodSecurityPolicy my-pipeline-psp
  2. Create a pipeline sa
  3. Create a role with (1) and create the corresponding rolebinding with (2)
  4. Use pipeline sa for the BuildRun / TaskRun ?

zhangtbj commented 4 years ago

Hi @sbose78 ,

I still don't know the correct annotations now. I searched and found someone saying it should use unconfined, but it also doesn't work for me; maybe it still needs other configurations or other capabilities.

BTW, yes, this is what we do right now in our system:

  1. We create a new SA with the special PSP (add chown, chmod, runasroot for kaniko and buildpacks now), clusterrole and clusterrolebinding.
  2. Change the tekton controller to use this new SA.
  3. Then we can only allow tekton to create the pod with additional capabilities, but tenant users still use the original SA/PSP.

It works.
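The steps sbose78 listed (dedicated PodSecurityPolicy, service account, role and binding granting `use` on the PSP, then running the TaskRun under that SA) and the isolation zhangtbj describes (only the build SA gets the relaxed policy, tenant pods keep the default one) map to the manifests below. This is an added example, not code from the shipwright project or from anyone in this thread; the names `build-ns`, `build-sa`, `build-psp`, `use-build-psp` and the `buildah` task are placeholders, and the capability list is an assumption that has to be adjusted to what the build tool actually needs. The seccomp/apparmor annotations are the PSP-level form documented at the link above (`defaultProfileName` applies when a pod requests nothing; `allowedProfileNames` bounds what it may request). Whether `unconfined` alone is enough for buildah is exactly what is still open in this issue.

```yaml
# Added example (not part of the shipwright project): a relaxed PSP scoped to one
# build service account, so tenant workloads stay on the cluster's restrictive default.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: build-psp                      # placeholder name
  annotations:
    # Profiles a pod under this PSP may request, and what it gets when it requests none.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,unconfined'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'unconfined'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default,unconfined'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'unconfined'
spec:
  privileged: false                    # still no privileged containers
  allowPrivilegeEscalation: true       # setuid helpers (e.g. newuidmap) need this; drop if unused
  allowedCapabilities:                 # assumption: covers the chown/chmod needs mentioned above
    - CHOWN
    - FOWNER
    - DAC_OVERRIDE
  runAsUser:
    rule: RunAsAny                     # the "runasroot" part of the thread
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:                             # no hostPath: keep node filesystem out of reach
    - configMap
    - secret
    - emptyDir
    - projected
    - persistentVolumeClaim
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-sa                       # placeholder: only this SA gets build-psp
  namespace: build-ns                  # placeholder namespace
---
# Step 3: a Role that allows "use" of exactly this PSP, bound to the build SA.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-build-psp
  namespace: build-ns
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    resourceNames: ['build-psp']
    verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-build-psp
  namespace: build-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-build-psp
subjects:
  - kind: ServiceAccount
    name: build-sa
    namespace: build-ns
---
# Step 4: the build pod runs under build-sa, so PSP admission selects build-psp for it.
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: buildah-run                    # placeholder
  namespace: build-ns
spec:
  serviceAccountName: build-sa
  taskRef:
    name: buildah                      # placeholder: a Task that runs buildah
```

A quick check after applying this is `kubectl -n build-ns auth can-i use podsecuritypolicy/build-psp --as=system:serviceaccount:build-ns:build-sa`, which should answer `yes`, while the same query for a tenant SA should answer `no`. Note that PSP admission authorizes either the pod's service account or the user creating the pod; because the Tekton controller is the creator, granting `use` to the pod SA as above is the narrower choice compared with granting it to the controller's own SA, which would relax every pod the controller creates.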

sbose78 commented 4 years ago

Things have progressed here: https://github.com/openshift/pipelines-catalog/pull/56

Need to map the following to kubernetes: The service account for the controller and optionally the service account which runs the TaskRun needs to have anyuid. That's an openshift concept but can be mapped to kubernetes. https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html