From 74b8dad12284d76071644031888ff09231c012ab Mon Sep 17 00:00:00 2001
From: apoorvajagtap
Date: Fri, 1 Sep 2023 10:07:02 +0530
Subject: [PATCH] restricting privileges for buildah bs
---
.../buildrun/resources/taskrun_test.go | 6 ++---
...gy_buildah_shipwright_managed_push_cr.yaml | 10 +++++--
...tegy_buildah_strategy_managed_push_cr.yaml | 14 +++++++---
test/buildstrategy_samples.go | 25 +++++++++++++++---
test/clusterbuildstrategy_samples.go | 26 ++++++++++++++++---
5 files changed, 65 insertions(+), 16 deletions(-)
diff --git a/pkg/reconciler/buildrun/resources/taskrun_test.go b/pkg/reconciler/buildrun/resources/taskrun_test.go
index 954b3793a2..fb4320d80b 100644
--- a/pkg/reconciler/buildrun/resources/taskrun_test.go
+++ b/pkg/reconciler/buildrun/resources/taskrun_test.go
@@ -70,7 +70,7 @@ var _ = Describe("GenerateTaskrun", func() { buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always" expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } })
@@ -326,7 +326,7 @@ var _ = Describe("GenerateTaskrun", func() { buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always" expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } JustBeforeEach(func() {
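Review bot: The same expected slice literal is now repeated verbatim in the @@ -70, @@ -326 and @@ -367 hunks of taskrun_test.go, so the next change to the buildah argument order has to be applied three times; hoisting it into one package-level `var buildahBudArgs = []string{...}` (or a small helper) would keep the three specs in step. The assertions also only pin the unresolved reference `--storage-driver=$(params.storage-driver)`; as far as these hunks show, nothing checks that a `storage-driver` parameter with default `vfs` is actually declared on the generated TaskRun, so a strategy that forgets the `parameters:` entry would still pass here, which is worth a case if the surrounding spec does not already cover it. The enclosing Describe blocks start and end outside the hunks.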
@@ -367,7 +367,7 @@ var _ = Describe("GenerateTaskrun", func() { buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always" expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } JustBeforeEach(func() {
diff --git a/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml b/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml
index 5d49e1d9d5..e3897fbfea 100644
--- a/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml
+++ b/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml
@@ -138,7 +138,8 @@ spec: # Building the image echo "[INFO] Building image ${image}" - buildah bud "${buildArgs[@]}" \ + buildah --storage-driver=$(params.storage-driver) \ + bud "${buildArgs[@]}" \ --registries-conf=/tmp/registries.conf \ --tag="${image}" \ --file="${dockerfile}" \
@@ -146,7 +147,7 @@ spec: # Write the image echo "[INFO] Writing image ${image}" - buildah push \ + buildah --storage-driver=$(params.storage-driver) push \ "${image}" \ "oci:${target}" # That's the separator between the shell script and its args
@@ -193,6 +194,11 @@ spec: defaults: - docker.io - quay.io + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'." + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options securityContext: runAsUser: 0 runAsGroup: 0
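Review bot: In the @@ -138 hunk the new flag expands `$(params.storage-driver)` directly inside the shell script body, while the rest of this script (outside the hunk) appears to receive its inputs as positional arguments after the separator noted in @@ -146 (`# That's the separator between the shell script and its args`); a parameter value is substituted into the script text before bash parses it, so keeping that convention — pass it after the separator and read it into a quoted variable, e.g. `--storage-driver="${storageDriver}"` — keeps the value from being read as shell syntax. At minimum the expansion should be double-quoted like the neighbouring `--tag="${image}"` and `--file="${dockerfile}"`. The same applies to the `buildah push` line in @@ -146 and to the @@ -136 and @@ -144 hunks of buildstrategy_buildah_strategy_managed_push_cr.yaml. The script these lines belong to starts before the hunk.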
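Review bot: The new parameter description in @@ -193 names 'overlay' as an example without saying that `vfs` is the choice that works without extra privileges, so a Build that overrides the default gets no hint that overlay may need privileges the strategy does not grant; something like `description: "The storage driver to use. 'vfs' works without extra privileges; 'overlay' may need privileges this strategy does not grant."` makes the trade-off explicit, and the same wording could be reused in @@ -191 of buildstrategy_buildah_strategy_managed_push_cr.yaml and in the `parameters:` entries added in test/buildstrategy_samples.go (@@ -74, @@ -143) and test/clusterbuildstrategy_samples.go (@@ -17, @@ -75). Note also that, unlike its sibling sample, this file's hunks remove no `privileged: true`; if the step-level securityContext outside the hunk still sets it, the capability reduction in this commit does not reach this strategy, and the `runAsUser: 0` context shown here keeps the step running as root either way. The description strings are also inconsistent across the five places they are added: this one ends with a period, the others do not.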
diff --git a/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml b/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml
index 098d60b1f6..834838df12 100644
--- a/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml
+++ b/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml
@@ -9,7 +9,9 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: + - "SETFCAP" command: - /bin/bash args:
@@ -136,7 +138,8 @@ spec: # Building the image echo "[INFO] Building image ${image}" - buildah bud "${buildArgs[@]}" \ + buildah --storage-driver=$(params.storage-driver) \ + bud "${buildArgs[@]}" \ --registries-conf=/tmp/registries.conf \ --tag="${image}" \ --file="${dockerfile}" \
@@ -144,7 +147,7 @@ spec: # Push the image echo "[INFO] Pushing image ${image}" - buildah push \ + buildah --storage-driver=$(params.storage-driver) push \ --digestfile='$(results.shp-image-digest.path)' \ --tls-verify="${tlsVerify}" \ "${image}" \
@@ -191,6 +194,11 @@ spec: defaults: - docker.io - quay.io + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options securityContext: runAsUser: 0 runAsGroup: 0
diff --git a/test/buildstrategy_samples.go b/test/buildstrategy_samples.go
index 8446c4b643..d8cfc8138e 100644
--- a/test/buildstrategy_samples.go
+++ b/test/buildstrategy_samples.go
@@ -21,7 +21,8 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args:
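Review bot: The @@ -9 hunk replaces `privileged: true` with a `capabilities: add:` of `SETFCAP` but records no reason for that capability, and with the strategy-level `runAsUser: 0` shown in @@ -191 the step presumably still runs as root with the runtime's default capability set plus SETFCAP; a comment on the added line such as `# SETFCAP: presumably needed to restore file capabilities on files unpacked from image layers -- confirm` keeps the intent, and if the build still succeeds with `drop: ["ALL"]` next to the `add`, that would be the least-privilege form (buildah running as root may need further capabilities, so this has to be tested rather than assumed). The same `capabilities` blocks appear in @@ -21, @@ -42, @@ -74 and @@ -107 of test/buildstrategy_samples.go and @@ -17, @@ -43, @@ -75 and @@ -101 of test/clusterbuildstrategy_samples.go, which use flow style `add: ["SETFCAP"]` while this sample uses a block list; either is valid YAML, but one style across the samples is easier to grep. The buildSteps entry this securityContext belongs to continues outside the hunk.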
@@ -42,7 +43,8 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args:
@@ -74,15 +76,22 @@ spec: volumes: - name: buildah-images emptyDir: {} + parameters: + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" buildSteps: - name: buildah-bud image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile)
@@ -107,10 +116,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image)
@@ -143,12 +154,18 @@ spec: volumes: - name: varlibcontainers emptyDir: {} + parameters: + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" buildSteps: - name: build image: "$(build.builder.image)" workingDir: $(params.shp-source-root) command: - buildah + - --storage-driver=$(params.storage-driver) - bud - --tls-verify=false - --layers
diff --git a/test/clusterbuildstrategy_samples.go b/test/clusterbuildstrategy_samples.go
index c76eac43c0..f028b1108c 100644
--- a/test/clusterbuildstrategy_samples.go
+++ b/test/clusterbuildstrategy_samples.go
@@ -17,15 +17,22 @@ spec: - name: buildah-images volumeSource: emptyDir: {} + parameters: + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" buildSteps: - name: buildah-bud image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile)
@@ -43,10 +50,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image)
@@ -75,15 +84,22 @@ spec: - name: buildah-images volumeSource: emptyDir: {} + parameters: + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" buildSteps: - name: buildah-bud image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile)
@@ -101,10 +117,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image)