Closed elalo-deloitte closed 1 year ago
@elalo-deloitte Thanks for the issue. The "panic" happened in the task, making it fail right ?
If that's the case, this is most likely an oscap-podman issue, and would need to be reported in the corresponding issue tracker (which, I think, is https://github.com/OpenSCAP/openscap/issues).
@vdemeester thanks for the reply. I wondered that too, but this same container and overall process runs fine in GitLab CI and in my local docker environment.
That makes me think it's related to Tekton.
@elalo-deloitte it's probably related to the permissions you have on the TaskRun, but it doesn't relate directly to Tekton and tektoncd/pipeline.
Depending on your platform, by default, the Pod (and thus the TaskRun) might run as a random uid, or as root but with some removed privileges, … And depending on that, oscap-podman might fail. Depending on where gitlab-ci runs (a VM, a privileged container, …), it probably has more privileges and thus it succeeds here. For example, to get podman to run in a container, in kubernetes, it needs a set of privileges (SETFCAP, …, allowPrivilegeEscalation) to run successfully, and those privileges are usually disabled by default.
It is probably expected that it fails, but oscap-podman should probably not panic and give you a human-readable message instead (explaining what's missing, so you can figure out what to do to make it run successfully). Hence my recommendation on filing a bug on https://github.com/OpenSCAP/openscap/issues 👼🏼.
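The human-readable preflight check described above, as an added example that is not code from the issue, Tekton or OpenSCAP: it parses the `/proc/<pid>/status` format (real uid, `CapEff` bitmask, `NoNewPrivs`) and reports which of the things mentioned in the thread are missing in the Pod. The `WANTED` capability list is an illustrative assumption, not podman's official requirements; both status dumps are constructed samples.

```python
from pathlib import Path

# Linux capability bit numbers, from <linux/capability.h>.
CAP_BITS = {
    "SETUID": 7, "SETGID": 6, "SETPCAP": 8, "SETFCAP": 31,
    "SYS_CHROOT": 18, "SYS_ADMIN": 21, "MKNOD": 27,
}
# Capabilities this check looks for (illustrative assumption, not podman's official list).
WANTED = ("SETUID", "SETGID", "SETFCAP", "SYS_CHROOT")

def parse_status(text):
    """Turn a /proc/<pid>/status dump into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_privileges(status_text):
    """Return (ok, findings): human-readable reasons podman would lack privileges."""
    f = parse_status(status_text)
    findings = []
    uid = int(f.get("Uid", "0").split()[0])  # first column is the real uid
    if uid != 0:
        findings.append(f"running as non-root uid {uid} (e.g. a platform-assigned random uid)")
    cap_eff = int(f.get("CapEff", "0"), 16)  # effective capability bitmask
    missing = [c for c in WANTED if not cap_eff & (1 << CAP_BITS[c])]
    if missing:
        findings.append("missing effective capabilities: " + ", ".join("CAP_" + c for c in missing))
    if f.get("NoNewPrivs", "0") == "1":  # set when allowPrivilegeEscalation: false
        findings.append("NoNewPrivs=1, so setuid/file-capability escalation is blocked")
    return (not findings, findings)

def check_self():
    """Check the process this script itself runs in (Linux only)."""
    return check_privileges(Path("/proc/self/status").read_text())

# Constructed sample: a restricted Pod (random uid, all capabilities dropped, no escalation).
RESTRICTED = "Name:\tpodman\nUid:\t1000680000\t1000680000\t1000680000\t1000680000\n" \
             "CapEff:\t0000000000000000\nNoNewPrivs:\t1\n"
# Constructed sample: root with the common default capability set (includes CAP_SETFCAP).
DEFAULT_ROOT = "Name:\tpodman\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\n"

if __name__ == "__main__":
    for name, sample in (("restricted", RESTRICTED), ("default-root", DEFAULT_ROOT)):
        ok, findings = check_privileges(sample)
        print(f"{name}: " + ("OK" if ok else "; ".join(findings)))
```

Running `check_self()` as the first step of the Task gives the same kind of message inside the actual Pod, before oscap-podman is invoked.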
Understood, thanks for info!
Expected Behavior
I have a pipeline task which uses a container with podman and oscap-podman. The task is supposed to load the container via a .tar file and then run an OSCAP scan. Here's the actual script that gets run.
Actual Behavior
The task successfully loads the image but then errors out with
Steps to Reproduce the Problem
Additional Info
Kubernetes version:
Tekton Pipeline version: v0.47.0
Task Log
Eventlistener
Pipeline
Task
Thanks!