Documentation and Example on Running Step Containers as Non Root #2512
Conversation
- --destination=$(outputs.resources.builtImage.url) | ||
- --context=$(inputs.params.pathToContext) | ||
- --oci-layout-path=$(inputs.resources.builtImage.path) | ||
securityContext: |
Not necessary as will run as root by default
@danielhelfand this is not entirely true 😝 It depends on the kubernetes configuration. For example, we need this in OpenShift to make sure it knows it wants to run as root.
Ah, yeah. Goes back downstream. My fault. Will add back.
Added back
podTemplate: | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 1001 |
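Review bot: the podTemplate pairs `runAsNonRoot: true` with `runAsUser: 1001`, which is the combination that both sets the UID and enforces it; the prose around this example should say that a step's own `securityContext.runAsUser` overrides the podTemplate value for that step only (as `show-user-2000` does further down), and that a step which sets `runAsUser: 0` under this podTemplate is refused by the `runAsNonRoot` check rather than silently running as root.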
Maybe update the last sentence of the paragraph describing this example from `and executes it as a non-root user.` to `and executes it as user 1001.`?
Added
docs/taskruns.md
user to run as: | ||
|
||
```yaml | ||
--- |
v minor nit: not sure this is needed
Yeah, it's not. Copy and paste from example gone bad.
Removed
``` | ||
|
||
In the example above, the step `show-user-2000` specifies via a `securityContext` that the container | ||
for the step should run as user 2000. A `securityContext` must still be specified via a TaskRun `podTemplate` |
I'm wary of redocumenting things that kubernetes does, but do you think it would be worth calling out `runAsNonRoot` for what it does? It is suuuuper confusing that it looks so similar to `runAsUser` but only validates.
Yeah, I agree about it being confusing. I can tweak the language to highlight this.
Added
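The `runAsNonRoot` versus `runAsUser` distinction discussed in this thread, as an added example that is not part of this PR or of Tekton's code: a small checker that takes a TaskRun shaped like the docs example (constructed inline here, with an extra root-attempting step and a second TaskRun that sets only `runAsNonRoot`) and reports, per step, which UID the container will get and what the `runAsNonRoot` validation will do with it. It assumes standard Kubernetes precedence: a container-level `securityContext` field overrides the pod-level one, and `runAsNonRoot` with no `runAsUser` anywhere is checked by the kubelet against the image's `USER` at container start.

```python
"""Added example (not Tekton's code): predict, per step, which UID a TaskRun's
containers will get and whether runAsNonRoot will let them start.

Model (standard Kubernetes behaviour, assumed here):
  * a step's securityContext.runAsUser overrides podTemplate.securityContext.runAsUser;
  * runAsNonRoot only validates: if the resolved UID is 0 the container is refused,
    and if no UID is set at all the kubelet checks the image's USER at start time.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed TaskRun mirroring the docs example under review: the podTemplate
# asserts non-root and sets UID 1001, step show-user-2000 overrides to 2000.
# The "tries-root" step is added to exercise the rejection path.
TASKRUN: Dict[str, Any] = {
    "apiVersion": "tekton.dev/v1beta1",
    "kind": "TaskRun",
    "metadata": {"name": "show-non-root-steps-run"},
    "spec": {
        "podTemplate": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1001}},
        "taskSpec": {
            "steps": [
                {"name": "show-user-1001", "image": "ubuntu", "script": "id"},
                {"name": "show-user-2000", "image": "ubuntu", "script": "id",
                 "securityContext": {"runAsUser": 2000}},
                {"name": "tries-root", "image": "ubuntu", "script": "id",
                 "securityContext": {"runAsUser": 0}},
            ]
        },
    },
}

# Constructed misconfiguration the docs warn about: runAsNonRoot alone, no runAsUser anywhere.
VALIDATE_ONLY_TASKRUN: Dict[str, Any] = {
    "spec": {
        "podTemplate": {"securityContext": {"runAsNonRoot": True}},
        "taskSpec": {"steps": [{"name": "whoever-the-image-says", "image": "ubuntu", "script": "id"}]},
    }
}


@dataclass
class StepVerdict:
    step: str
    uid: Optional[int]      # None: not set in the TaskRun, so the image's USER decides
    uid_source: str         # "step", "podTemplate" or "image"
    non_root_enforced: bool
    verdict: str            # one of the classes listed on check_taskrun()


def resolve_uid(step: Dict[str, Any], pod_sc: Dict[str, Any]) -> Tuple[Optional[int], str]:
    """Container-level runAsUser wins over pod-level; otherwise the image decides."""
    step_sc = step.get("securityContext") or {}
    if "runAsUser" in step_sc:
        return step_sc["runAsUser"], "step"
    if "runAsUser" in pod_sc:
        return pod_sc["runAsUser"], "podTemplate"
    return None, "image"


def check_taskrun(taskrun: Dict[str, Any]) -> List[StepVerdict]:
    """Classify each step as runs-as-nonroot, rejected-root (runAsNonRoot refuses UID 0),
    runs-as-root (UID 0 with nothing enforcing), runtime-image-check (runAsNonRoot set
    but no UID given, so the kubelet inspects the image's USER at start), or
    runs-as-image-user (nothing set, nothing enforced)."""
    spec = taskrun.get("spec") or {}
    pod_sc = (spec.get("podTemplate") or {}).get("securityContext") or {}
    steps = (spec.get("taskSpec") or {}).get("steps") or []
    verdicts: List[StepVerdict] = []
    for step in steps:
        uid, source = resolve_uid(step, pod_sc)
        step_sc = step.get("securityContext") or {}
        # runAsNonRoot can also be set per container and overrides the pod value.
        enforced = bool(step_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)))
        if uid is None:
            verdict = "runtime-image-check" if enforced else "runs-as-image-user"
        elif uid == 0:
            verdict = "rejected-root" if enforced else "runs-as-root"
        else:
            verdict = "runs-as-nonroot"
        verdicts.append(StepVerdict(step["name"], uid, source, enforced, verdict))
    return verdicts


def main() -> None:
    for tr in (TASKRUN, VALIDATE_ONLY_TASKRUN):
        for v in check_taskrun(tr):
            print(f"{v.step:<24} uid={v.uid!s:<5} from={v.uid_source:<12} "
                  f"runAsNonRoot={v.non_root_enforced!s:<5} -> {v.verdict}")


if __name__ == "__main__":
    main()
```

Running it shows the three outcomes side by side: `show-user-1001` inherits 1001 from the podTemplate, `show-user-2000` gets its own 2000, `tries-root` is flagged as rejected because `runAsNonRoot` is in force, and the validate-only TaskRun's step has no UID the TaskRun can guarantee, which is exactly the "only validates" point the review thread makes.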
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sbwsg The full list of commands accepted by this bot can be found here. The pull request process is described here
f80fbb9 to 62a2a1e
|
||
The `runAsNonRoot` property specified via the `podTemplate` above validates that steps part of this TaskRun are | ||
running as non root users and will fail to start any step container that attempts to run as root. Only specifying | ||
`runAsNonRoot: true` will not actually run containers as non root as the property simply validates that steps are not |
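Review bot: the paragraph makes the right point that `runAsNonRoot` only validates, but it should also name where the UID actually comes from: `runAsUser` in the podTemplate (1001 in the example above) or in a step's own `securityContext` (2000 for `show-user-2000`). A TaskRun that sets only `runAsNonRoot: true` with no `runAsUser` anywhere leaves the UID to the image, so readers should not expect the flag to pick a non-root user for them; one sentence to that effect after "simply validates" would close the gap.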
👍
Thanks for documenting this! /lgtm
Closes #2179
This pull request adds documentation on running step containers as non root as well as a TaskRun example of doing so.
A follow-up to this should be running containers as root best practices, especially in Kubernetes clusters that enforce not allowing containers to run as root by default (e.g. clusters provisioned by Tanzu Mission Control).
I have intentionally left out doing this for PipelineRuns as there are features coming in around allowing specifying taskRunSpecs for PipelineRuns that could change best approaches, but I feel that having examples of Tasks/TaskRuns should be enough to illustrate the concept. Let me know if adding this info to PipelineRuns would be helpful, and I can do so.