@chmouel
Last active February 23, 2023 20:24
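# Untagged base resolves to :latest; pin a tag or digest for reproducible builds.
ARG BASE_IMG=registry.access.redhat.com/ubi8/ubi
FROM $BASE_IMG AS buildah-runner

# Create the unprivileged build user and give it a sub-UID/GID range so
# buildah can map container users without running as root.  Steps are
# chained with && so a failing step fails the build instead of being ignored.
RUN useradd buildah && \
    echo buildah:10000:5000 > /etc/subuid && \
    echo buildah:10000:5000 > /etc/subgid

# https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
# https://github.com/containers/buildah/blob/master/contrib/buildahimage/stable/Dockerfile
# https://github.com/containers/buildah/issues/1011
# https://github.com/containers/buildah/issues/3053
# shadow-utils is deliberately reinstalled after the install (see the issues above).
RUN dnf -y update && \
    dnf -y install xz slirp4netns buildah podman fuse-overlayfs shadow-utils --exclude container-selinux && \
    dnf -y reinstall shadow-utils && \
    dnf clean all

# Upstream buildah image configuration.  NOTE: this fetches an unpinned file
# from a moving branch with no checksum, so the build is not reproducible and
# the content is trusted blindly; pin to a tag/commit and add
# --checksum=sha256:<DIGEST> once the expected digest is known.
ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahimage/stable/containers.conf /etc/containers/

# OpenShift runs the container as an arbitrary UID in group 0.  Done once,
# after the ADD above, so the downloaded containers.conf (written by ADD with
# restrictive permissions) is covered too.  /etc/passwd is made group-writable
# so the wrapper script can register the arbitrary UID at runtime.
RUN chgrp -R 0 /etc/containers/ && \
    chmod -R a+r /etc/containers/ && \
    chmod -R g+w /etc/containers/ && \
    chmod -R g+w /etc/passwd

ENV BUILDAH_ISOLATION=chroot \
    BUILDAH_LAYERS=true

# Keep the real binary as buildah.orig; the wrapper fixes up /etc/passwd and
# then execs it.  COPY (not ADD) for a plain local file.
RUN mv /usr/bin/buildah /usr/bin/buildah.orig
COPY subwrapper.sh /usr/bin/buildah

USER buildah
WORKDIR /home/buildah
# Exec form: the wrapper is PID 1 and receives stop signals directly instead
# of being wrapped in /bin/sh -c.
CMD ["/usr/bin/buildah"]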
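---
# Test pod: runs an unprivileged buildah build inside a user namespace
# allocated by CRI-O and commits the result to the internal registry.
apiVersion: v1
kind: Pod
metadata:
  name: buildah-userns-test
  annotations:
    # Ask CRI-O to allocate a dedicated user namespace for this pod.
    io.kubernetes.cri-o.userns-mode: "auto"
    io.openshift.builder: "true"
spec:
  serviceAccountName: pipelines2
  containers:
  - name: userns-test
    # image: quay.io/buildah/stable:v1.21.0
    # NOTE: a floating :latest tag is not reproducible; pin a tag or digest.
    image: quay.io/chmouel/chmoudah:latest
    # Forces the vfs storage driver for every buildah call; the trailing
    # sleep keeps the pod alive so it can be inspected after the build.
    command: ["/bin/sh", "-c", "id;c=$(buildah --storage-driver=vfs from alpine);buildah --storage-driver=vfs run ${c} /bin/sh -c 'apk update;apk add git';buildah --storage-driver=vfs commit ${c} image-registry.openshift-image-registry.svc:5000/test/buildahuser;sleep 6666666"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipelines2
  namespace: test
---
# Narrow role: the service account may only create Tekton runs.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pipeline2-role
  namespace: test
rules:
- apiGroups: ["tekton.dev"]
  resources: ["pipelineruns", "taskruns"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-scc-rolebinding
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipeline2-role
subjects:
- kind: ServiceAccount
  # Must match the ServiceAccount defined above.  The original bound
  # "pipeline2" (no trailing s), which is not declared anywhere here, so
  # the role was never granted to the account the pod actually uses.
  name: pipelines2
  namespace: test
---
# Grants the registry-editor ClusterRole (image push) in namespace "test" only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines2-registry-editor
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: registry-editor
subjects:
- kind: ServiceAccount
  name: pipelines2
  namespace: test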
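#!/usr/bin/env bash
# Wrapper installed as /usr/bin/buildah.  When the container runs as an
# arbitrary UID with no passwd entry (OpenShift), register that UID in
# /etc/passwd so buildah can resolve a user and home directory, then exec
# the real binary.
#
# xtrace (-x) is intentionally not enabled: it would echo the exec line
# below, including every argument handed to buildah (for example registry
# credentials), into the task log.
set -euf

user_name="${USER_NAME:-buildah}"

# whoami fails when the current UID has no passwd entry.  /etc/passwd is made
# group-writable in the image; its directory is not, so the file is rewritten
# in place via a temp copy instead of sed -i / mv (which would need to
# replace the file).
if ! whoami &> /dev/null && [ -w /etc/passwd ]; then
  tmp="$(mktemp)"
  # Anchor on the login field: only the exact user's line is dropped, not
  # every line that merely contains the name somewhere.
  sed "/^${user_name}:/d" /etc/passwd > "$tmp"
  cat "$tmp" > /etc/passwd
  rm -f "$tmp"
  echo "${user_name}:x:$(id -u):$(id -g):${user_name} user:/home/buildah:/bin/bash" >> /etc/passwd
fi

exec buildah.orig "$@"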