Mount entrypoint volume as read-only. #4242
Conversation
tekton-robot
added
kind/cleanup
tekton-robot
added
the
size/XL
|
/cc @06kellyjac |
|
@wlynch: GitHub didn't allow me to request PR reviews from the following users: 06kellyjac. Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
The following is the coverage report on the affected files.
|
|
/release-note-none |
tekton-robot
added
release-note-none
This change makes the entrypoint binary read-only by separating the /tekton/tools directory: - /tekton/bin - Mounted as RW by the place-tools init container, and RO for all user steps. This directory will hold Tekton provided binaries (i.e. entrypoint). - /tekton/run - Named after Linux's /run directory (https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard). This directory will hold Tekton runtime data (i.e. step post/wait files). This is being done as an extra layer of security to prevent any tampering of Tekton provided tools. This is similar in spirit to 89a6233 (making the scripts directory read-only). /tekton/tools was considered an internal directory, so this change is not bound to API compatibility/deprecation policies. This change should have no affect on the user API surface. This change does not try to address any issues with the shared post/wait file volume - this will be handled in another change.
wlynch
force-pushed
the
entrypoint-var-bin
branch
from
7e99b51 to
dd93d52
Compare
|
The following is the coverage report on the affected files.
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: imjasonh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
/lgtm Thanks! |
Changes
This change makes the entrypoint binary volume read-only by separating the
/tekton/tools directory:
/tekton/bin- Mounted as RW by the place-tools init container, and ROfor all user steps. This directory will hold Tekton provided binaries (i.e.
entrypoint).
/tekton/run- Named after Linux's /run directory(https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard). This
directory will hold Tekton runtime data (i.e. step post/wait files).
This is being done as an extra layer of security to prevent any tampering
of Tekton provided tools. This is similar in spirit to
89a6233 (making the scripts directory
read-only).
/tekton/tools was considered an internal directory, so this change is not bound to
API compatibility/deprecation policies. This change should have no
affect on the user API surface.
This change does not try to address any issues with the shared post/wait
file volume - this will be handled in another change.
/kind cleanup
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes
/release-note-none
This is an internal-only change.
Part of #4227