restricting privileges for buildah bs
apoorvajagtap committed Sep 12, 2023
1 parent c79ec2e commit f636a0d
Showing 5 changed files with 63 additions and 14 deletions.
2 changes: 1 addition & 1 deletion pkg/reconciler/buildrun/resources/taskrun_test.go
Expand Up @@ -250,7 +250,7 @@ var _ = Describe("GenerateTaskrun", func() {
Expect(err).To(BeNil())

expectedCommandOrArg = []string{
"bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)",
"--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)",
}
})

Expand Up @@ -138,15 +138,16 @@ spec:
# Building the image
echo "[INFO] Building image ${image}"
buildah bud "${buildArgs[@]}" \
buildah --storage-driver=$(params.storage-driver) \
bud "${buildArgs[@]}" \
--registries-conf=/tmp/registries.conf \
--tag="${image}" \
--file="${dockerfile}" \
.
# Write the image
echo "[INFO] Writing image ${image}"
buildah push \
buildah --storage-driver=$(params.storage-driver) push \
"${image}" \
"oci:${target}"
# That's the separator between the shell script and its args
Expand Down Expand Up @@ -193,6 +194,11 @@ spec:
defaults:
- docker.io
- quay.io
- name: storage-driver
description: "The storage driver to use, such as 'overlay' or 'vfs'."
type: string
default: "vfs"
# For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options
securityContext:
runAsUser: 0
runAsGroup: 0
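Review bot: `$(params.storage-driver)` at the two `buildah --storage-driver=` calls in the first hunk of this section is substituted into the bash script text before bash runs it, so the value is never validated and any shell metacharacters in the parameter become part of the script rather than an argument to buildah. The parameter only documents `overlay` and `vfs`, so an allow-list check would reject typos with a readable error instead of a buildah failure, and handing the value over through the step's `env` (steps are container specs) and reading it as a quoted variable keeps it out of the script body. Whether someone who can set parameters on a BuildRun is a different principal from whoever authored the Build depends on the cluster's RBAC, so treat this as hardening rather than a confirmed bypass. The step's container spec and the start of the script are above this hunk.
```yaml
# … in the step definition above this hunk, alongside command/args …
env:
  - name: PARAM_STORAGE_DRIVER
    value: $(params.storage-driver)
# … unchanged: script preamble, buildArgs handling …
    case "${PARAM_STORAGE_DRIVER}" in
      overlay|vfs) ;;
      *) echo "[ERROR] unsupported storage-driver: ${PARAM_STORAGE_DRIVER}"; exit 1 ;;
    esac
    # Building the image
    echo "[INFO] Building image ${image}"
    buildah --storage-driver="${PARAM_STORAGE_DRIVER}" \
      bud "${buildArgs[@]}" \
# … unchanged: remaining bud flags, image write …
    buildah --storage-driver="${PARAM_STORAGE_DRIVER}" push \
```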
Expand Up @@ -9,7 +9,9 @@ spec:
image: quay.io/containers/buildah:v1.31.0
workingDir: $(params.shp-source-root)
securityContext:
privileged: true
capabilities:
add:
- "SETFCAP"
command:
- /bin/bash
args:
Expand Down Expand Up @@ -136,15 +138,16 @@ spec:
# Building the image
echo "[INFO] Building image ${image}"
buildah bud "${buildArgs[@]}" \
buildah --storage-driver=$(params.storage-driver) \
bud "${buildArgs[@]}" \
--registries-conf=/tmp/registries.conf \
--tag="${image}" \
--file="${dockerfile}" \
.
# Push the image
echo "[INFO] Pushing image ${image}"
buildah push \
buildah --storage-driver=$(params.storage-driver) push \
--digestfile='$(results.shp-image-digest.path)' \
--tls-verify="${tlsVerify}" \
"${image}" \
Expand Down Expand Up @@ -191,6 +194,11 @@ spec:
defaults:
- docker.io
- quay.io
- name: storage-driver
description: "The storage driver to use, such as 'overlay' or 'vfs'"
type: string
default: "vfs"
# For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options
securityContext:
runAsUser: 0
runAsGroup: 0
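Review bot: The step at the top of this section now adds only `SETFCAP`, but the strategy-level `securityContext` at the end of the section still sets `runAsUser: 0` / `runAsGroup: 0`, so the build still runs as root with the runtime's default capability set plus SETFCAP — a genuine reduction from `privileged: true`, but not a rootless build, and as written it would not pass the `restricted` Pod Security level. The `storage-driver` description offers `overlay` as an example, yet with `privileged` gone overlay generally needs fuse-overlayfs with `/dev/fuse` or a user-namespaced kernel overlay, and only `vfs` is exercised by the default. Suggest widening the description to `description: "The storage driver to use. 'vfs' (default) works with the capabilities granted by this strategy; 'overlay' generally needs fuse-overlayfs and /dev/fuse or additional privileges."`, and a one-line comment above `runAsUser: 0` noting that root plus SETFCAP is the remaining privilege boundary so a later reader does not assume the strategy is unprivileged. The changed step definition starts above the first hunk of this section.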
25 changes: 21 additions & 4 deletions test/buildstrategy_samples.go
Expand Up @@ -21,7 +21,8 @@ spec:
image: quay.io/containers/buildah:v1.31.0
workingDir: $(params.shp-source-root)
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
Expand All @@ -42,7 +43,8 @@ spec:
- name: buildah-push
image: quay.io/containers/buildah:v1.31.0
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
Expand Down Expand Up @@ -74,15 +76,22 @@ spec:
volumes:
- name: buildah-images
emptyDir: {}
parameters:
- name: storage-driver
description: "The storage driver to use, such as 'overlay' or 'vfs'"
type: string
default: "vfs"
buildSteps:
- name: buildah-bud
image: quay.io/containers/buildah:v1.31.0
workingDir: $(params.shp-source-root)
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
- --storage-driver=$(params.storage-driver)
- bud
- --tag=$(params.shp-output-image)
- --file=$(build.dockerfile)
Expand All @@ -107,10 +116,12 @@ spec:
- name: buildah-push
image: quay.io/containers/buildah:v1.31.0
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
- --storage-driver=$(params.storage-driver)
- push
- --tls-verify=false
- docker://$(params.shp-output-image)
Expand Down Expand Up @@ -143,12 +154,18 @@ spec:
volumes:
- name: varlibcontainers
emptyDir: {}
parameters:
- name: storage-driver
description: "The storage driver to use, such as 'overlay' or 'vfs'"
type: string
default: "vfs"
buildSteps:
- name: build
image: "$(build.builder.image)"
workingDir: $(params.shp-source-root)
command:
- buildah
- --storage-driver=$(params.storage-driver)
- bud
- --tls-verify=false
- --layers
26 changes: 22 additions & 4 deletions test/clusterbuildstrategy_samples.go
Expand Up @@ -17,15 +17,22 @@ spec:
- name: buildah-images
volumeSource:
emptyDir: {}
parameters:
- name: storage-driver
description: "The storage driver to use, such as 'overlay' or 'vfs'"
type: string
default: "vfs"
buildSteps:
- name: buildah-bud
image: quay.io/containers/buildah:v1.31.0
workingDir: $(params.shp-source-root)
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
- --storage-driver=$(params.storage-driver)
- bud
- --tag=$(params.shp-output-image)
- --file=$(build.dockerfile)
Expand All @@ -43,10 +50,12 @@ spec:
- name: buildah-push
image: quay.io/containers/buildah:v1.31.0
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
- --storage-driver=$(params.storage-driver)
- push
- --tls-verify=false
- docker://$(params.shp-output-image)
Expand Down Expand Up @@ -75,15 +84,22 @@ spec:
- name: buildah-images
volumeSource:
emptyDir: {}
parameters:
- name: storage-driver
description: "The storage driver to use, such as 'overlay' or 'vfs'"
type: string
default: "vfs"
buildSteps:
- name: buildah-bud
image: quay.io/containers/buildah:v1.31.0
workingDir: $(params.shp-source-root)
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
- --storage-driver=$(params.storage-driver)
- bud
- --tag=$(params.shp-output-image)
- --file=$(build.dockerfile)
Expand All @@ -101,10 +117,12 @@ spec:
- name: buildah-push
image: quay.io/containers/buildah:v1.31.0
securityContext:
privileged: true
capabilities:
add: ["SETFCAP"]
command:
- /usr/bin/buildah
args:
- --storage-driver=$(params.storage-driver)
- push
- --tls-verify=false
- docker://$(params.shp-output-image)