Mount entrypoint volume as read-only.
This change makes the entrypoint binary read-only by separating the /tekton/tools directory:

- /tekton/bin - Mounted as RW by the place-tools init container, and RO for all user steps. This directory will hold Tekton provided binaries (i.e. entrypoint).
- /tekton/run - Named after Linux's /run directory (https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard). This directory will hold Tekton runtime data (i.e. step post/wait files).

This is being done as an extra layer of security to prevent any tampering of Tekton provided tools. This is similar in spirit to 89a6233 (making the scripts directory read-only).

/tekton/tools was considered an internal directory, so this change is not bound to API compatibility/deprecation policies. This change should have no effect on the user API surface.

This change does not try to address any issues with the shared post/wait file volume - this will be handled in another change.
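The mount layout the commit message describes, shown as an added illustrative pod spec. This is not the pod spec Tekton generates and not code from this commit; the volume names, image references, the init container's copy command and the entrypoint flags are assumptions made for the example. The security-relevant point is that only the init container gets a writable mount of /tekton/bin, while every user step sees it with readOnly: true and gets its writable scratch space in a separate /tekton/run mount.

```yaml
# Illustrative layout only (not Tekton's generated spec). Volume names,
# images, the copy command and entrypoint flags are assumed for the example.
apiVersion: v1
kind: Pod
metadata:
  name: taskrun-example
spec:
  volumes:
    # Holds Tekton-provided binaries (the entrypoint). Written once by the
    # init container, then exposed read-only to every user step.
    - name: tekton-internal-bin
      emptyDir: {}
    # Holds runtime data (step post/wait files). Must stay writable for steps,
    # so it is a separate volume rather than a subdirectory of /tekton/bin.
    - name: tekton-internal-run
      emptyDir: {}
  initContainers:
    - name: place-tools
      image: example.com/tekton/entrypoint:assumed-tag   # assumed image
      # Assumed command: copy the entrypoint binary into the shared volume.
      command: ["cp", "/ko-app/entrypoint", "/tekton/bin/entrypoint"]
      volumeMounts:
        - name: tekton-internal-bin
          mountPath: /tekton/bin        # RW only here, to populate the binary
  containers:
    - name: step-build
      image: example.com/user/build:assumed-tag          # user-supplied image
      # The step is wrapped by the read-only entrypoint; flags are assumed.
      command: ["/tekton/bin/entrypoint"]
      args: ["-post_file", "/tekton/run/0/out", "-entrypoint", "make", "--", "build"]
      volumeMounts:
        - name: tekton-internal-bin
          mountPath: /tekton/bin
          readOnly: true                # step code cannot replace the entrypoint
        - name: tekton-internal-run
          mountPath: /tekton/run        # post/wait files still writable
    - name: step-test
      image: example.com/user/test:assumed-tag           # user-supplied image
      command: ["/tekton/bin/entrypoint"]
      args: ["-wait_file", "/tekton/run/0/out", "-post_file", "/tekton/run/1/out", "-entrypoint", "make", "--", "test"]
      volumeMounts:
        - name: tekton-internal-bin
          mountPath: /tekton/bin
          readOnly: true
        - name: tekton-internal-run
          mountPath: /tekton/run
```

A quick check after a pod like this is scheduled: `kubectl exec <pod> -c step-build -- touch /tekton/bin/x` should fail with a read-only file system error, while the same command against /tekton/run succeeds. The readOnly flag is enforced by the kubelet's bind mount, so it holds even for a step running as root inside the container; as the commit message notes, it does nothing for the shared post/wait volume, which steps can still write to and which is left for a later change.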
Showing 11 changed files with 325 additions and 276 deletions.