@chmouel
Last active February 23, 2023 20:20
Openshift Pipelines Buildah task rootless
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: buildah-userns
  labels:
    app.kubernetes.io/version: "0.1"
  annotations:
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/tags: image-build
spec:
  description: >-
    Buildah task builds source into a container image and
    then pushes it to a container registry.
    Buildah Task builds source into a container image using Project Atomic's
    Buildah build tool. It uses Buildah's support for building from Dockerfiles,
    using its buildah bud command. This command executes the directives in the
    Dockerfile to assemble a container image, then pushes that image to a
    container registry.
  params:
  - name: IMAGE
    description: Reference of the image buildah will produce.
  - name: BUILDER_IMAGE
    description: The location of the buildah builder image.
    default: registry.redhat.io/rhel8/buildah@sha256:99cae35f40c7ec050fed3765b2b27e0b8bbea2aa2da7c16408e2ca13c60ff8ee
  - name: STORAGE_DRIVER
    description: Set buildah storage driver
    default: vfs
  - name: DOCKERFILE
    description: Path to the Dockerfile to build.
    default: ./Dockerfile
  - name: CONTEXT
    description: Path to the directory to use as context.
    default: .
  - name: TLSVERIFY
    description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
    default: "true"
  - name: FORMAT
    description: The format of the built container, oci or docker
    default: "oci"
  - name: BUILD_EXTRA_ARGS
    description: Extra parameters passed for the build command when building images.
    default: ""
  - name: PUSH_EXTRA_ARGS
    description: Extra parameters passed for the push command when pushing images.
    type: string
    default: ""
  workspaces:
  - name: source
  results:
  - name: IMAGE_DIGEST
    description: Digest of the image just built.
  steps:
  - name: build
    # uid 1000 is the unprivileged "build" user of the buildah image; its
    # rootless container storage lives under /home/build/.local/share/containers
    securityContext:
      runAsUser: 1000
    image: $(params.BUILDER_IMAGE)
    workingDir: $(workspaces.source.path)
    script: |
      echo "Running as USER ID `id`"
      buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
        $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
        --tls-verify=$(params.TLSVERIFY) --no-cache \
        -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
    volumeMounts:
    - name: varlibcontainers
      mountPath: /home/build/.local/share/containers
  - name: push
    securityContext:
      runAsUser: 1000
    image: $(params.BUILDER_IMAGE)
    workingDir: $(workspaces.source.path)
    script: |
      echo "Running as USER ID `id`"
      buildah --storage-driver=$(params.STORAGE_DRIVER) push \
        $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
        --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \
        docker://$(params.IMAGE)
    volumeMounts:
    - name: varlibcontainers
      mountPath: /home/build/.local/share/containers
  - name: digest-to-results
    securityContext:
      runAsUser: 1000
    image: $(params.BUILDER_IMAGE)
    script: cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
  volumes:
  # shared between the build and push steps so the pushed image is the one just built
  - name: varlibcontainers
    emptyDir: {}
---
apiVersion: v1
data:
  Dockerfile: |
    ARG BASE_IMG=registry.access.redhat.com/ubi8/ubi
    FROM $BASE_IMG AS buildah-runner
    RUN dnf -y update && \
        dnf -y install git && \
        dnf clean all
    CMD git
kind: ConfigMap
metadata:
  name: dockerfile
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  annotations:
    tekton.dev/categories: Image Build
    tekton.dev/pipelines.minVersion: 0.17.0
    tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
    tekton.dev/tags: image-build
  labels:
    app.kubernetes.io/managed-by: tekton-pipelines
    app.kubernetes.io/version: "0.3"
    tekton.dev/task: buildah
  name: buildah-run
spec:
  params:
  - name: IMAGE
    value: image-registry.openshift-image-registry.svc:5000/test/buildahuser
  taskRef:
    kind: Task
    name: buildah
  workspaces:
  - configMap:
      name: dockerfile
    name: source
---
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"allowHostDirVolumePlugin":false,"allowHostIPC":false,"allowHostNetwork":false,"allowHostPID":false,"allowHostPorts":false,"allowPrivilegeEscalation":true,"allowPrivilegedContainer":false,"allowedCapabilities":null,"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"MustRunAs"},"groups":["system:cluster-admins"],"kind":"SecurityContextConstraints","metadata":{"annotations":{"include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true","include.release.openshift.io/single-node-developer":"true","kubernetes.io/description":"pipelines-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - MustRunAs.","release.openshift.io/create-only":"true"},"name":"pipelines-scc","namespace":"openshift-pipelines","ownerReferences":[{"apiVersion":"operator.tekton.dev/v1alpha1","blockOwnerDeletion":true,"controller":true,"kind":"TektonInstallerSet","name":"pre-pipeline-ml4hz","uid":"33b5abc3-775b-4a69-9836-591e076e0301"}]},"priority":10,"readOnlyRootFilesystem":false,"requiredDropCapabilities":["MKNOD"],"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"MustRunAs"},"supplementalGroups":{"type":"RunAsAny"},"volumes":["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]}
    kubernetes.io/description: pipelines-scc is a close replica of anyuid scc. pipelines-scc
      has fsGroup - MustRunAs.
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-01-25T05:40:21Z"
  generation: 2
  name: pipelines-scc
  ownerReferences:
  - apiVersion: operator.tekton.dev/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: TektonInstallerSet
    name: pre-pipeline-ml4hz
    uid: 33b5abc3-775b-4a69-9836-591e076e0301
  resourceVersion: "277840"
  uid: 762950ba-270c-4bbe-9981-cf9aa1be9c66
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
# the live object pins the uid, while the last-applied-configuration
# annotation above still records runAsUser RunAsAny (hence generation: 2)
runAsUser:
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
BlueCog commented Feb 6, 2023

Hey @chmouel

Many thanks for your blog (https://blog.chmouel.com/2022/03/07/running-tasks-as-non-root-on-openshift-pipelines/)

I'm trying to implement it now ;) Is there anything changed since you created this blog or is it still up-to-date?

Greets

BlueCog commented Feb 6, 2023

I'm trying to get my head around the SCC concept.

I've created:

  • extra service account
  • a SecurityContextConstraints
  • a cluster rolebinding for this SecurityContextConstraints
  • a rolebinding for this extra service account and SecurityContextConstraints

I've configured this new service account to be used with the pipelinerun.
I see that every task is running as user 1000 now. And the buildah task seems to work successfully.

You noted that you could create an extra service account to have privilege elevation when needed (for a specific task). But it seems that buildah works fine under user 1000. So I guess I don't need extra elevation in my case?
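The wiring listed in the comment above (an extra service account, an SCC, a ClusterRole for that SCC, a RoleBinding tying the account to it, and a run that uses the account) written out as one set of manifests. This is an added example, not chmouel's gist and not BlueCog's actual manifests. The SCC copies the settings of the page's `pipelines-scc` with `runAsUser` pinned to uid 1000, but drops the operator metadata and the `groups` entry, since access is granted through RBAC instead. The names `buildah-nonroot-scc`, `use-buildah-nonroot-scc`, `pipeline-nonroot`, `build-image` and the namespace `test` are assumptions.

```yaml
# Added example (not from the gist). Assumed names: buildah-nonroot-scc,
# use-buildah-nonroot-scc, pipeline-nonroot, build-image, namespace "test".
---
# SCC modelled on the page's pipelines-scc, with the uid pinned to 1000.
# No users/groups are listed here: the only way to use it is the RBAC grant below.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: buildah-nonroot-scc
# priority is kept so this SCC is ordered ahead of the default "restricted" SCC,
# which every authenticated account can also use
priority: 10
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
requiredDropCapabilities:
- MKNOD
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline-nonroot
  namespace: test
---
# ClusterRole limited to the "use" verb on exactly one SCC via resourceNames;
# a rule without resourceNames would let the subject use every SCC in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-buildah-nonroot-scc
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["buildah-nonroot-scc"]
  verbs: ["use"]
---
# A namespaced RoleBinding (not a ClusterRoleBinding) keeps the grant scoped
# to the one service account in the "test" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-nonroot-use-scc
  namespace: test
subjects:
- kind: ServiceAccount
  name: pipeline-nonroot
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-buildah-nonroot-scc
---
# The run picks up the SCC through its service account; the pod is then
# admitted with runAsUser 1000 regardless of what the task's steps request.
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: buildah-nonroot-run
  namespace: test
spec:
  serviceAccountName: pipeline-nonroot
  pipelineRef:
    name: build-image   # assumed pipeline wrapping the buildah-userns task
  params:
  - name: IMAGE
    value: image-registry.openshift-image-registry.svc:5000/test/buildahuser
  workspaces:
  - name: source
    configMap:
      name: dockerfile
```

With this layout the default `pipeline` service account never gains the SCC, and a task that really does need more than uid 1000 can be given a second account bound to a separate, more permissive SCC rather than widening this one. To confirm which SCC admitted a run, read the `openshift.io/scc` annotation on the TaskRun's pod and compare the container's `id` output (printed by the gist's steps) against the expected uid.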
