Open skaegi opened 5 years ago
tekton-robot
commented
4 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Send feedback to tektoncd/plumbing.
tekton-robot
commented
4 years ago Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
Send feedback to tektoncd/plumbing.
tekton-robot
commented
4 years ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
tekton-robot
commented
4 years ago @tekton-robot: Closing this issue.
vdemeester
commented
4 years ago /remove-lifecycle rotten /remove-lifecycle stale /reopen
tekton-robot
commented
4 years ago @vdemeester: Reopened this issue.
tekton-robot
commented
3 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Send feedback to tektoncd/plumbing.
tekton-robot
commented
3 years ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
tekton-robot
commented
3 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
tekton-robot
commented
3 years ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
dibyom
commented
3 years ago Waiting on https://github.com/kubernetes/enhancements/issues/127 to be implemented.
One real challenge for Tekton adoption in environments concerned with security is that "many" images used for CI/CD run as "root". In many cases this is simply because images were not authored using the principle of least privilege but in others there are legitimate reasons why root is needed. Regardless, the net result is that running arbitrary images in your Tekton tasks requires caution and in some cases requires more draconian measures like permitting no root user.
There's a nice solution to the problem when running non-"privileged" images -- user namespace remapping. This is an approach offered in many container runtimes but sadly is still a WIP in Kubernetes -- https://github.com/kubernetes/enhancements/issues/127.
In Tekton we run an
entrypointbinary in our steps so I wonder if we might look at doing the user namespace remapping (similar to what rootless buildkit does) there before we run the actual step payload. In this way we could have support now in Tekton and adduserns-remapsyntax to our taskrun or step specs now and when/if K8 offers support switch implementation.