Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reserve /tekton/ paths and "tekton-internal-" volume names #1701

Merged
merged 1 commit into from
Dec 16, 2019
Merged

Reserve /tekton/ paths and "tekton-internal-" volume names #1701

merged 1 commit into from
Dec 16, 2019

Conversation

imjasonh
Copy link
Member

@imjasonh imjasonh commented Dec 6, 2019
edited
Loading

Reserve /tekton/ paths and "tekton-internal-" volume names

This prevents collisions between user-specified volumes and
Tekton-internal volumes used to support execution.

Some validation changes:

  • volume names starting with "tekton-internal-" are not valid
  • volumeMounts that mount at /tekton/* are not valid -- except for /tekton/home, which we allow users to mount over, for instance if they want a PVC volume to persist the default home directory.

Tekton's own internal volume mounts are already mounted at /tekton/*,
and now all volume names start with "tekton-internal-"

Some Tekton-internal volume names were previously randomized to prevent
collisions, which is no longer necessary, so they're no longer
randomized.

creds-init mounts annotated K8s secrets into the creds-init process.
Previously those were mounted at /var/build-secrets/* (a relic of
knative/build times). Now those are mounted at /tekton/creds-secrets/*

Some init container names were also randomly generated, which is
unnecessary, so that's gone too.

/hold
dependent of #1700

Fixes #1304

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Double check this list of stuff that's easy to miss:

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

Release Notes

Reject volune names starting with "tekton-internal-" and volume mounts mounting under /tekton/* -- these are reserved for Tekton internal implementation details.

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 6, 2019
@tekton-robot tekton-robot requested review from abayer and a user December 6, 2019 20:24
@googlebot googlebot added the cla: yes Trying to make the CLA bot happy with ppl from different companies work on one commit label Dec 6, 2019
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Dec 6, 2019
@imjasonh imjasonh changed the title Reserve tekton Reserve /tekton/ paths and "tekton-internal-" volume names Dec 6, 2019
@tekton-robot
Copy link
Collaborator

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/pipeline/v1alpha1/task_validation.go 81.2% 81.8% 0.5

@vdemeester
Copy link
Member

@imjasonh needs a rebase 👼 🙏

@tekton-robot
Copy link
Collaborator

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/apis/pipeline/v1alpha1/task_validation.go 81.2% 81.8% 0.5

@vdemeester
Copy link
Member

#1700 is merged, so I think we can remove the hold

/hold cancel
/retest

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 11, 2019
@imjasonh
Copy link
Member Author

Tests currently fail because we had previously allowed users to define their own /workspace and HOME volume, in case they wanted those to be persistent for instance.

I think that just means we need to keep allowing those to be mounted over, but not fully-internal paths like /tekton/scripts.

I'll try to fix this up today or tomorrow.

@imjasonh imjasonh force-pushed the reserve-tekton branch 2 times, most recently from b165cca to 5c542a4 Compare December 13, 2019 17:10
@ghost
Copy link

ghost commented Dec 13, 2019

/lgtm :shipit:

@ghost
Copy link

ghost commented Dec 13, 2019

/lgtm

@tekton-robot tekton-robot assigned ghost Dec 13, 2019
@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 13, 2019
@imjasonh
Reserve /tekton/ paths and "tekton-internal-" volume names
e1d2c60 
This prevents collisions between user-specified volumes and
Tekton-internal volumes used to support execution.

Some validation changes:
- volume names starting with "tekton-internal-" are not valid
- volumeMounts that mount at /tekton/* are not valid

Tekton's own internal volume mounts are already mounted at /tekton/*,
and now all volume names start with "tekton-internal-"

Some Tekton-internal volume names were previously randomized to prevent
collisions, which is no longer necessary, so they're no longer
randomized.

creds-init mounts annotated K8s secrets into the creds-init process.
Previously those were mounted at /var/build-secrets/* (a relic of
knative/build times). Now those are mounted at /tekton/creds-secrets/*

Some init container names were also randomly generated, which is
unnecessary, so that's gone too.
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Dec 13, 2019
@ghost
Copy link

ghost commented Dec 13, 2019

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 13, 2019
vdemeester
vdemeester approved these changes Dec 16, 2019
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 16, 2019
@tekton-robot tekton-robot merged commit fd07ff9 into tektoncd:master Dec 16, 2019
@dibbles dibbles mentioned this pull request Dec 16, 2019
Closed
@imjasonh imjasonh mentioned this pull request Dec 16, 2019
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vdemeester vdemeester vdemeester approved these changes

@abayer abayer Awaiting requested review from abayer

Assignees

@vdemeester vdemeester

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Trying to make the CLA bot happy with ppl from different companies work on one commit lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Reserve "tekton/" folder in taskrun filesystem
4 participants
@imjasonh @tekton-robot @vdemeester @googlebot