Add securityContext of ReadOnlyRootFilesystem to steps
Changes
Explicitly set readOnlyRootFilesystem to true for taskruns according to security best practice.
Submitter Checklist
- [x] Includes tests if functionality changed/was added
- [ ] Includes docs if changes are user-facing
- [ ] Set a kind label on this PR
- [x] Release notes block has been filled in, or marked NONE
See the contributor guide for details on coding conventions, github and prow interactions, and the code review process.
Release Notes
NONE
Fixing tests after adding the default value
/retest
/ok-to-test
Currently working on Image processing part
Working on the bundle part now
Thanks for the review @SaschaSchwarze0! I'm currently making the directories configurable through environment variables to ensure the solution is both flexible and easy to configure.
Regarding the /shared-home directory, it conflicts with the new security settings, so I'm considering redirecting HOME to a writable location to resolve that issue.
As for the build strategies, I'm still evaluating the best approach there.
@SaschaSchwarze0 Could you please take a look at the current progress? I’m still in the process of verifying that redirecting /shared-home to a volume doesn’t cause any regressions.
Here’s a summary of the changes made so far:
- Image Processing (Trivy): Trivy was previously writing its cache and temporary files to the root filesystem. This has been redirected to a mounted volume.
- Waiter Container: It was writing a lockfile to the root filesystem. This has now been reconfigured to write to a volume.
- Git Container: Writes to /tmp have been redirected to a volume instead of the root filesystem.
- Bundle Container: It was using the root filesystem in its configured working directory. This too has been redirected to use a volume.
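The four items above are all instances of the same pattern: keep `readOnlyRootFilesystem: true` on the step and give every path the process writes to (HOME, TMPDIR, a scanner's cache) a writable volume. The following Pod is an added example that illustrates that pattern; it is not code from this PR or from the shipwright-io/build project, and the image name, mount paths and user ID are placeholders. The container's command probes the rootfs and the volumes so a failed redirection shows up as a non-zero exit rather than a later, harder-to-diagnose "Read-only file system" error.

```yaml
# Added example, not the PR's code: one step with a read-only root
# filesystem and emptyDir volumes for everything it needs to write.
# Image, paths, user ID and volume names are assumptions for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: readonly-rootfs-step        # hypothetical name
spec:
  restartPolicy: Never
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                 # assumed non-root UID
  volumes:
    - name: home
      emptyDir: {}
    - name: tmp
      emptyDir: {}
    - name: trivy-cache
      emptyDir: {}
  containers:
    - name: step
      image: example.com/tools:latest   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      env:
        - name: HOME                # HOME lives on a volume, not on the rootfs
          value: /home/step
        - name: TMPDIR              # honoured by most tools that create temp files
          value: /tmp
        - name: TRIVY_CACHE_DIR     # Trivy reads its cache location from this variable
          value: /cache/trivy
      volumeMounts:
        - name: home
          mountPath: /home/step
        - name: tmp
          mountPath: /tmp
        - name: trivy-cache
          mountPath: /cache/trivy
      command: ["sh", "-c"]
      args:
        - |
          set -e
          # A write into the image layer must be refused ...
          if touch /usr/local/probe 2>/dev/null; then
            echo "rootfs is writable; readOnlyRootFilesystem is not in effect" >&2
            exit 1
          fi
          # ... while the redirected locations must accept writes.
          mkdir -p "$HOME/.ssh" "$HOME/.docker"
          touch "$TMPDIR/lockfile" "$TRIVY_CACHE_DIR/db"
          echo "all writes landed on volumes"
```

After `kubectl apply -f` the Pod should complete with the final echo in its logs; a `Read-only file system` error from `mkdir` or `touch` instead means one of the paths is still on the image layer and needs its own mount. Note that `emptyDir` is per-Pod, so two steps in the same Pod share a volume only if both mount it; the summary above keeps HOME per container, which matches mounting a separate volume (or a separate `subPath`) in each step.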
Made minimal changes to match the requirements and to make the review easier. @SaschaSchwarze0 would you kindly have a look now. I have removed the /shared-home directory after making the Home directory configurable to a writable volume that also has .ssh and .docker, as it was for the /shared-home on the rootfs.
@SaschaSchwarze0 tests are a bit flaky here since they were passing before modifying the commit message
Hey @SaschaSchwarze0, I did manual testing using a git private key with the buildah strategy using managed push with the changes, and the buildrun was successful.
@SaschaSchwarze0 Do you think we can get this into v0.17 as a better security practice? Summary of changes:
- Home directory volume has been added to each container (not shared)
- Volume for trivy to work with
- Volumes for buildstrategies to use instead of writing to the rootfs (tmp,home)
@SaschaSchwarze0 I want to break this PR into smaller parts to make the review easier.