@chmouel
Last active Feb 23, 2022
OpenShift Pipelines: rootless Buildah task
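---
# Tekton Task: build a container image with buildah as a non-root user
# (uid 1000) and push it to a registry. Every step sets runAsUser: 1000, so
# the pod must be admitted by an SCC that permits that uid (the
# SecurityContextConstraints document further down in this gist) instead of
# the privileged/anyuid SCCs a root buildah would need.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: buildah-userns
  labels:
    app.kubernetes.io/version: "0.1"
  annotations:
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/tags: image-build
spec:
  description: >-
    Buildah task builds source into a container image and
    then pushes it to a container registry.
    Buildah Task builds source into a container image using Project Atomic's
    Buildah build tool.It uses Buildah's support for building from Dockerfiles,
    using its buildah bud command.This command executes the directives in the
    Dockerfile to assemble a container image, then pushes that image to a
    container registry.
  params:
    - name: IMAGE
      description: Reference of the image buildah will produce.
    - name: BUILDER_IMAGE
      description: The location of the buildah builder image.
      # Pinned by digest rather than tag so the build tool itself cannot be
      # swapped underneath the pipeline by a registry-side retag.
      default: registry.redhat.io/rhel8/buildah@sha256:99cae35f40c7ec050fed3765b2b27e0b8bbea2aa2da7c16408e2ca13c60ff8ee
    - name: STORAGE_DRIVER
      description: Set buildah storage driver
      default: vfs
    - name: DOCKERFILE
      description: Path to the Dockerfile to build.
      default: ./Dockerfile
    - name: CONTEXT
      description: Path to the directory to use as context.
      default: .
    - name: TLSVERIFY
      description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
      # Quoted so it stays the string "true" (Tekton params are strings) and
      # reaches buildah as --tls-verify=true; the secure setting is the default.
      default: "true"
    - name: FORMAT
      description: The format of the built container, oci or docker
      default: "oci"
    # BUILD_EXTRA_ARGS / PUSH_EXTRA_ARGS are substituted verbatim into the
    # step scripts below and then shell-interpreted (word splitting, globbing,
    # metacharacters). Treat their values as trusted pipeline configuration,
    # not as user input.
    - name: BUILD_EXTRA_ARGS
      description: Extra parameters passed for the build command when building images.
      default: ""
    - name: PUSH_EXTRA_ARGS
      description: Extra parameters passed for the push command when pushing images.
      type: string
      default: ""
  workspaces:
    - name: source
  results:
    - name: IMAGE_DIGEST
      description: Digest of the image just built.
  steps:
    - name: build
      securityContext:
        # Matches the SCC's MustRunAs uid and the /home/build storage mount
        # below (presumably the builder image's `build` user — confirm).
        runAsUser: 1000
      image: $(params.BUILDER_IMAGE)
      workingDir: $(workspaces.source.path)
      script: |
        echo "Running as USER ID `id`"
        buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
          $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
          --tls-verify=$(params.TLSVERIFY) --no-cache \
          -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
      volumeMounts:
        - name: varlibcontainers
          mountPath: /home/build/.local/share/containers
    - name: push
      securityContext:
        runAsUser: 1000
      image: $(params.BUILDER_IMAGE)
      workingDir: $(workspaces.source.path)
      # The digest is written into the source workspace, so the workspace
      # must be writable here (a ConfigMap-backed workspace is not).
      script: |
        echo "Running as USER ID `id`"
        buildah --storage-driver=$(params.STORAGE_DRIVER) push \
          $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
          --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \
          docker://$(params.IMAGE)
      volumeMounts:
        - name: varlibcontainers
          mountPath: /home/build/.local/share/containers
    - name: digest-to-results
      securityContext:
        runAsUser: 1000
      image: $(params.BUILDER_IMAGE)
      # $(results.IMAGE_DIGEST.path) instead of the hard-coded
      # /tekton/results/IMAGE_DIGEST, so the step does not depend on the
      # controller's internal results directory layout.
      script: cat $(workspaces.source.path)/image-digest | tee $(results.IMAGE_DIGEST.path)
  volumes:
    # Per-run scratch for buildah's layer storage; nothing persists between
    # TaskRuns, which together with --no-cache gives a clean build each time.
    - name: varlibcontainers
      emptyDir: {}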
---
# Single-file "source tree" for the TaskRun below: the Dockerfile that the
# Task's DOCKERFILE default (./Dockerfile) picks up when this ConfigMap backs
# the `source` workspace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dockerfile
data:
  # NOTE(review): BASE_IMG carries neither tag nor digest (implicit :latest)
  # and the build runs `dnf -y update`, so two builds of this file are not
  # reproducible; pin the base by digest if that matters for this pipeline.
  Dockerfile: |
    ARG BASE_IMG=registry.access.redhat.com/ubi8/ubi
    FROM $BASE_IMG AS buildah-runner
    RUN dnf -y update && \
        dnf -y install git && \
        dnf clean all
    CMD git
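---
# TaskRun exercising the rootless buildah Task: builds the Dockerfile served
# from the `dockerfile` ConfigMap and pushes to the internal OpenShift
# registry.
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: buildah-run
  annotations:
    tekton.dev/categories: Image Build
    tekton.dev/pipelines.minVersion: "0.17.0"
    tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
    tekton.dev/tags: image-build
  labels:
    app.kubernetes.io/managed-by: tekton-pipelines
    app.kubernetes.io/version: "0.3"
    tekton.dev/task: buildah-userns
spec:
  params:
    - name: IMAGE
      value: image-registry.openshift-image-registry.svc:5000/test/buildahuser
  taskRef:
    kind: Task
    # The Task defined in this gist is `buildah-userns`. The previous value,
    # `buildah`, resolves (kind: Task is namespaced) to an unrelated Task if
    # one exists in the namespace, or fails with "task not found".
    name: buildah-userns
  workspaces:
    - name: source
      # NOTE(review): ConfigMap volumes are mounted read-only. The Task's push
      # step writes $(workspaces.source.path)/image-digest into this workspace,
      # so this TaskRun is expected to fail at that write once the build step
      # succeeds; back the workspace with a PVC or emptyDir and supply the
      # Dockerfile another way when the push is needed.
      configMap:
        name: dockerfile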
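---
# Live dump of the SCC the rootless buildah Task runs under. The object is
# operator-created (ownerReferences -> TektonInstallerSet) and was originally
# applied with runAsUser RunAsAny (see the last-applied-configuration
# annotation); the live copy has been edited (generation: 2) to force uid
# 1000, matching the Task's securityContext. The leading `---` was missing,
# which made these keys part of the TaskRun document above.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: pipelines-scc
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    # Stale relative to the live spec below (runAsUser differs); kept as the
    # record of what the operator applied.
    kubectl.kubernetes.io/last-applied-configuration: |
      {"allowHostDirVolumePlugin":false,"allowHostIPC":false,"allowHostNetwork":false,"allowHostPID":false,"allowHostPorts":false,"allowPrivilegeEscalation":true,"allowPrivilegedContainer":false,"allowedCapabilities":null,"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"MustRunAs"},"groups":["system:cluster-admins"],"kind":"SecurityContextConstraints","metadata":{"annotations":{"include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true","include.release.openshift.io/single-node-developer":"true","kubernetes.io/description":"pipelines-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - MustRunAs.","release.openshift.io/create-only":"true"},"name":"pipelines-scc","namespace":"openshift-pipelines","ownerReferences":[{"apiVersion":"operator.tekton.dev/v1alpha1","blockOwnerDeletion":true,"controller":true,"kind":"TektonInstallerSet","name":"pre-pipeline-ml4hz","uid":"33b5abc3-775b-4a69-9836-591e076e0301"}]},"priority":10,"readOnlyRootFilesystem":false,"requiredDropCapabilities":["MKNOD"],"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"MustRunAs"},"supplementalGroups":{"type":"RunAsAny"},"volumes":["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]}
    kubernetes.io/description: 'pipelines-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - MustRunAs.'
    release.openshift.io/create-only: "true"
  # Server-populated, cluster-specific fields (creationTimestamp, generation,
  # resourceVersion, uid, ownerReferences): strip them before re-applying
  # this manifest on another cluster, otherwise apply conflicts or an
  # immediate garbage-collection of the object against a missing owner uid
  # are to be expected.
  creationTimestamp: "2022-01-25T05:40:21Z"
  generation: 2
  ownerReferences:
    - apiVersion: operator.tekton.dev/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: TektonInstallerSet
      name: pre-pipeline-ml4hz
      uid: 33b5abc3-775b-4a69-9836-591e076e0301
  resourceVersion: "277840"
  uid: 762950ba-270c-4bbe-9981-cf9aa1be9c66
priority: 10
# Host namespaces, host ports and host-path volumes all stay off, and
# privileged containers are refused.
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
# The one relaxation kept from anyuid: processes may gain privileges via
# setuid binaries (presumably needed for the newuidmap/newgidmap helpers of
# the rootless user namespace — confirm against the builder image).
allowPrivilegeEscalation: true
allowedCapabilities: null
defaultAddCapabilities: null
# MKNOD is the only capability forced off; the runtime's default set
# otherwise applies since nothing is added or allowed explicitly.
requiredDropCapabilities:
  - MKNOD
readOnlyRootFilesystem: false
# Edited from the operator default (RunAsAny): every pod admitted under this
# SCC must run as uid 1000, which is what the Task's steps request.
runAsUser:
  type: MustRunAs
  uid: 1000
fsGroup:
  type: MustRunAs
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
# Direct subjects: only the cluster-admins group, no users. A pipeline
# service account therefore needs an RBAC grant (`use` on this SCC) before
# its pods are admitted here.
groups:
  - system:cluster-admins
users: []
# Volume types a pod may use; all are in-cluster sources (no hostPath, no
# generic CSI), consistent with allowHostDirVolumePlugin: false.
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret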