Matt Moore
`emptyDir` doesn't require root:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: debug
spec:
  restartPolicy: Never
  containers:
  - name: debug
    image: ghcr.io/distroless/busybox
    command: ["/bin/sh", "-c"]
    args:
    - |
      touch /tmp/blah/asdf
      ls...
```
I do see the following with a GCE PD-backed PVC 🤔

```
$ kubectl logs debug -f
touch: /tmp/blah/asdf: Permission denied
total 16
drwx------ 2 root root 16384 Apr 28...
```
I have a question out to one of the GKE security folks, but in the meantime... Instead of having PVCs create this infectious `root` requirement, another option would be to...
Yeah, I’m definitely on board with avoiding breakages and scrambling. I’m traveling this morning, but this afternoon, I can try to put together a version of distroless/git that uses root...
Ok, I have a couple PRs staged to add `ghcr.io/distroless/git:root` image, and once that lands, I can either PR here to use it, or we can simply roll things back....
Ok we now have:

```yaml
# crane config ghcr.io/distroless/git:root | jq .
{
  "architecture": "amd64",
  "author": "github.com/chainguard-dev/apko",
  "created": "2022-04-29T19:02:04Z",
  "history": [
    {
      "author": "apko",
      "created": "2022-04-29T19:02:04Z",
      "created_by": "apko",
      "comment": "This...
```
Do you want to combine that with the `:root` switch and make this a single cherry-pick?
Every so often this test will fail with:

```
timeout_test.go:102: Error waiting for PipelineRun pipeline-run-timeout-qaakhkfe to finish: "pipeline-run-timeout-qaakhkfe" completed with the wrong reason: Failed
```

The setup is a task...
Generally this means that any PipelineRun specifying a Timeout may simply show up as Failed due to this race. I think that my $0.02 on the appropriate "fix" would be...
Sorry, I should mention that the first bit of yaml is actually a dump from a prior run that I lifted from my older bug that this replaces. So don't...