Skip to content

Add securityContext of ReadOnlyRootFilesystem to steps #1885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add securityContext of ReadOnlyRootFilesystem to steps #1885

wants to merge 1 commit into from
+115 −19

Conversation

hasanawad94
Copy link
Contributor

@hasanawad94 hasanawad94 commented May 13, 2025
edited
Loading

Changes

Explicitly set readOnlyRootFilesystem to true for taskruns according to security best practice.

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Set the securityContext configuration for the Git, Waiter, Bundle, and ImageProcessing containers to set readOnlyRootFilesystem: true

@openshift-ci openshift-ci bot added the release-note Label for when a PR has specified a release note label May 13, 2025
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label May 13, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 13, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign apoorvajagtap for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hasanawad94
Copy link
Contributor Author

Fixing tests after adding the default value

@hasanawad94
Copy link
Contributor Author

/retest

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 13, 2025

@hasanawad94: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sayan-biswas
Copy link

/ok-to-test

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 13, 2025

@sayan-biswas: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hasanawad94 hasanawad94 force-pushed the mount-security-context branch 2 times, most recently from 0ae6b68 to e9878b0 Compare May 15, 2025 13:16
@pull-request-size pull-request-size bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 15, 2025
SaschaSchwarze0
SaschaSchwarze0 reviewed May 16, 2025
View reviewed changes
@hasanawad94 hasanawad94 force-pushed the mount-security-context branch 2 times, most recently from fefbd3e to ecd8d58 Compare May 18, 2025 11:48
@pull-request-size pull-request-size bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 18, 2025
@hasanawad94 hasanawad94 force-pushed the mount-security-context branch from ecd8d58 to e411479 Compare May 18, 2025 14:54
@pull-request-size pull-request-size bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 18, 2025
@hasanawad94
Copy link
Contributor Author

Currently working on Image processing part

@hasanawad94 hasanawad94 force-pushed the mount-security-context branch 6 times, most recently from 67357d6 to 5c69e96 Compare May 20, 2025 09:30
@hasanawad94 hasanawad94 changed the title add securityContext of ReadOnlyRootFilesystem to steps Add securityContext of ReadOnlyRootFilesystem to steps May 20, 2025
@hasanawad94 hasanawad94 force-pushed the mount-security-context branch 22 times, most recently from 0b8da9d to fc9ee62 Compare June 21, 2025 10:02
@hasanawad94 hasanawad94 force-pushed the mount-security-context branch from fc9ee62 to c229842 Compare June 26, 2025 11:54
@hasanawad94
Copy link
Contributor Author

Hey @SaschaSchwarze0 I did a manual testing of using a git private key with buildah strategy using managed push with the changes and the buildrun was successful.

SaschaSchwarze0
SaschaSchwarze0 reviewed Jul 6, 2025
View reviewed changes
pkg/reconciler/buildrun/resources/sources/utils.go Outdated
ensureEnvVar(targetStep, "HOME", homeDir)

// Volume for the base /shared-home directory
baseHomeVolumeName := "base-home-volume"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All (volume) names that we add should start with shp- to prevent an overlap with strategy-specified names.

images/base/Dockerfile Outdated
@@ -8,9 +8,10 @@ RUN \
microdnf clean all && \
rm -rf /var/cache/yum && \
# The following setup is necessary so that this image can run as any user
mkdir -p /shared-home/.docker /shared-home/.ssh && chmod -R 0777 /shared-home && \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is a problem. Needs to be discussed. We today build base images only from main but use them also for release-v0.16 builds. This would break them.

docs/configuration.md Outdated
@@ -37,6 +37,7 @@ The following environment variables are available:
| `KUBE_API_BURST` | Burst to use for the Kubernetes API client. See [Config.Burst]. A value of 0 or lower will use the default from client-go, which currently is 10. Default is 0. |
| `KUBE_API_QPS` | QPS to use for the Kubernetes API client. See [Config.QPS]. A value of 0 or lower will use the default from client-go, which currently is 5. Default is 0. |
| `VULNERABILITY_COUNT_LIMIT` | holds vulnerability count limit if vulnerability scan is enabled for the output image. If it is defined as 10, then it will output only 10 vulnerabilities sorted by severity in the buildrun status.Output. Default is 50. |
| `WRITABLE_HOME_DIR` | Specifies the path to be used as the writable home directory (HOME) for containers. By setting this environment variable, the controller will automatically mount a writable `emptyDir` volume at the specified path, which will then be used as the HOME directory for build steps. This is useful for scenarios where a writable HOME is required, such as when tools or processes need to write to the home directory. If you set `WRITABLE_HOME_DIR` to a custom path (e.g., `/my-writable-home`), ensure that this path is not used for other purposes in your container. Default is `/shared-home`. |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like it would be mounted to all containers, but I am not seeing it mounted to the strategy steps, or have I missed that?

pkg/reconciler/buildrun/resources/sources/utils.go Outdated
Comment on lines 150 to 174
// Volume for /shared-home/.docker
dockerVolumeName := "docker-config-volume"
ensureVolume(taskSpec, corev1.Volume{
Name: dockerVolumeName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
})
ensureVolumeMount(targetStep, corev1.VolumeMount{
Name: dockerVolumeName,
MountPath: filepath.Join(homeDir, ".docker"),
})

// Volume for /shared-home/.ssh
sshVolumeName := "ssh-keys-volume"
ensureVolume(taskSpec, corev1.Volume{
Name: sshVolumeName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
})
ensureVolumeMount(targetStep, corev1.VolumeMount{
Name: sshVolumeName,
MountPath: filepath.Join(homeDir, ".ssh"),
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments:

  1. Do we still need this ? If we now have a configurable writable HOME dir, then we do we need other empty dirs inside them ? Omitting them would mean that we do not have them present at container start and the logic that needs them would have to make sure that they exist.
  2. I am not sure if we want them shared. Today, every container runs independently without such a shared emptyDir. The docker config is today still created by Tektons creds-init logic. It is a known issue (causing a warning) that when step 1 runs as user A but step 2 as user B, that there are permission issues if this directory is shared. Would probably be a rare issue since we run our own steps as the same user of the strategy when spec.securityContext was introduced. For Git SSH, it would actually mean that we put a private key on disk which is then unnecessarily visible also for the image processing step at least.

@hasanawad94 hasanawad94 force-pushed the mount-security-context branch from c229842 to 761ce91 Compare July 7, 2025 08:28
@hasanawad94
Add ReadOnlyRootFilesystem securityContext to build steps
091bcf9 
Set the root filesystem to read-only for all build-related
containers as a security best practice.

To support this, steps that require write access now explicitly mount
`emptyDir` volumes for paths like `/tmp`.

A new `AppendWriteableVolumes` function centralizes the setup for volume
mounting , using idempotent helpers (`ensureVolume`, `ensureVolumeMount`)
to prevent duplicate entries.

The Trivy cache directory for vulnerability scanning can be configured using
`TRIVY_CACHE_DIR`.

Signed-off-by: Hasan Awad <[email protected]>
@hasanawad94 hasanawad94 force-pushed the mount-security-context branch from 761ce91 to 091bcf9 Compare July 7, 2025 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SaschaSchwarze0 SaschaSchwarze0 SaschaSchwarze0 requested changes

@HeavyWombat HeavyWombat Awaiting requested review from HeavyWombat

@adambkaplan adambkaplan Awaiting requested review from adambkaplan

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. release-note Label for when a PR has specified a release note size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
Shipwright Overview
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hasanawad94 @sayan-biswas @SaschaSchwarze0