Run tekton containers as nonroot 🐰

This changes a slew of containers that Tekton runs to use non-root base images.

Signed-off-by: Vincent Demeester <[email protected]>

.ko.yaml

@@ -1,7 +1,14 @@
+defaultBaseImage: gcr.io/distroless/static:nonroot
 baseImageOverrides:
+  # These base images run as root, which is needed for how they handle SSH credentials.
+  # They are produced from ./images/Dockerfile
   github.com/tektoncd/pipeline/cmd/creds-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
   github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
-  github.com/tektoncd/pipeline/cmd/entrypoint: busybox  # image must have `cp` in $PATH
+  # GCS fetcher needs root due to workspace permissions
+  github.com/tektoncd/pipeline/vendor/github.com/GoogleCloudPlatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher: gcr.io/distroless/static:latest
+
+  # Our entrypoint image does not need root, it simply needs to be able to 'cp' the binary into a shared location.
+  github.com/tektoncd/pipeline/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot
 baseBuildOverrides:
   github.com/tektoncd/pipeline/cmd/controller:
     flags:

config/controller.yaml

@@ -68,8 +68,10 @@ spec:
 
           # These images are pulled from Dockerhub, by digest, as of April 15, 2020.
           "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b",
-          "-shell-image", "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6",
           "-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e",
+          # The shell image must be root in order to create directories and copy files to PVCs.
+          # As of April 17, 2020
+          "-shell-image", "gcr.io/distroless/base:debug@sha256:dac57423f6d9210198e1ac25de9f6d48753196a112aa2deb22f54e984cfd462d",
         ]
         volumeMounts:
         - name: config-logging