From 078f08168b2cc3f60ccf7c4acc63c666350eb6b0 Mon Sep 17 00:00:00 2001
From: Vincent Demeester
Date: Tue, 12 May 2020 16:10:21 +0200
Subject: [PATCH] =?UTF-8?q?Run=20tekton=20containers=20as=20nonroot=20?=
 =?UTF-8?q?=F0=9F=90=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This changes a slew of containers that Tekton runs to use non-root base images.

Signed-off-by: Vincent Demeester
---
 .ko.yaml | 9 ++++++++-
 config/controller.yaml | 4 +++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.ko.yaml b/.ko.yaml
index 03684543aa9..b227e7c1341 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,7 +1,14 @@
+defaultBaseImage: gcr.io/distroless/static:nonroot
 baseImageOverrides:
+ # These base images run as root, which is needed for how they handle SSH credentials.
+ # They are produced from ./images/Dockerfile
 github.com/tektoncd/pipeline/cmd/creds-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
 github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
- github.com/tektoncd/pipeline/cmd/entrypoint: busybox # image must have `cp` in $PATH
+ # GCS fetcher needs root due to workspace permissions
+ github.com/tektoncd/pipeline/vendor/github.com/GoogleCloudPlatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher: gcr.io/distroless/static:latest
+
+ # Our entrypoint image does not need root, it simply needs to be able to 'cp' the binary into a shared location.
+ github.com/tektoncd/pipeline/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot
 baseBuildOverrides:
 github.com/tektoncd/pipeline/cmd/controller:
 flags:
diff --git a/config/controller.yaml b/config/controller.yaml
index 3dd0ecd4946..61ce4649e97 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
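Review bot: Every base image this hunk introduces or keeps is referenced by a floating tag — `gcr.io/distroless/static:nonroot` as the default, `gcr.io/distroless/static:latest` for gcs-fetcher, `gcr.io/distroless/base:debug-nonroot` for the entrypoint, and the two `build-base:latest` overrides that the new comment says still run as root — so the image ko bakes into a release can change underneath this file without any diff here, while config/controller.yaml in the same patch pins its images by digest. Pinning these the same way, e.g. `defaultBaseImage: gcr.io/distroless/static:nonroot@sha256:<digest of the vetted image>`, would make the non-root guarantee this commit is about reproducible and reviewable rather than dependent on whatever the tag resolves to at build time. The `debug-nonroot` flavour is presumably chosen only because the entrypoint needs `cp`, as the comment says; a short note such as `# 'debug' is used only for cp; drop it if the entrypoint can copy itself` would record that the larger image is a deliberate trade-off and not a leftover.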
@@ -68,8 +68,10 @@ spec:
 # These images are pulled from Dockerhub, by digest, as of April 15, 2020.
 "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b",
- "-shell-image", "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6",
 "-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e",
+ # The shell image must be root in order to create directories and copy files to PVCs.
+ # As of April 17, 2020
+ "-shell-image", "gcr.io/distroless/base:debug@sha256:dac57423f6d9210198e1ac25de9f6d48753196a112aa2deb22f54e984cfd462d",
 ]
 volumeMounts:
 - name: config-logging
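Review bot: The surviving context comment at the top of the hunk still says these images are pulled from Dockerhub, but the new `-shell-image` entry added below `-gsutil-image` now comes from gcr.io, and the bare `# As of April 17, 2020` line does not say what the date refers to (the digest, presumably). I would merge the two added comment lines into one that is self-contained: `# The shell image is pulled from gcr.io by digest (as of April 17, 2020); it must run as root to create directories and copy files to PVCs.` Keeping this root-running image digest-pinned, as the hunk does, is the right call, and the comment should make clear that the root requirement — not the particular image flavour — is the property a future swap must preserve. The args list being edited starts above the hunk, so the original Dockerhub comment still correctly covers the remaining entries.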