restricting privileges for buildah bs

shipwright-io · Sep 5, 2023 · 0c6d2f4 · 0c6d2f4
1 parent 4377cb7
commit 0c6d2f4
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 15 deletions.
diff --git a/pkg/reconciler/buildrun/resources/taskrun_test.go b/pkg/reconciler/buildrun/resources/taskrun_test.go
@@ -70,7 +70,7 @@ var _ = Describe("GenerateTaskrun", func() {
 				buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always"
 
 				expectedCommandOrArg = []string{
-					"bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)",
+					"--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)",
 				}
 			})
 

diff --git a/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml b/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml
@@ -138,15 +138,16 @@ spec:
 
           # Building the image
           echo "[INFO] Building image ${image}"
-          buildah bud "${buildArgs[@]}" \
+          buildah --storage-driver=$(params.storage-driver) \
+            bud "${buildArgs[@]}" \
             --registries-conf=/tmp/registries.conf \
             --tag="${image}" \
             --file="${dockerfile}" \
             .
 
           # Write the image
           echo "[INFO] Writing image ${image}"
-          buildah push \
+          buildah --storage-driver=$(params.storage-driver) push \
             "${image}" \
             "oci:${target}"
         # That's the separator between the shell script and its args
@@ -193,6 +194,11 @@ spec:
       defaults:
         - docker.io
         - quay.io
+    - name: storage-driver
+      description: "The storage driver for buildah. Example: `overlay`, `vfs`."
+      type: string
+      default: "vfs"
+      # For details check "--storage-driver value" in https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options
   securityContext:
     runAsUser: 0
     runAsGroup: 0
diff --git a/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml b/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml
@@ -9,7 +9,9 @@ spec:
       image: quay.io/containers/buildah:v1.31.0
       workingDir: $(params.shp-source-root)
       securityContext:
-        privileged: true
+        capabilities:
+          add:
+          - "SETFCAP"
       command:
         - /bin/bash
       args:
@@ -132,19 +134,20 @@ spec:
           registries = [${registriesBlock::-2}]
 
           EOF
-          fi
+          fi 
 
           # Building the image
           echo "[INFO] Building image ${image}"
-          buildah bud "${buildArgs[@]}" \
+          buildah --storage-driver=$(params.storage-driver) \
+            bud "${buildArgs[@]}" \
             --registries-conf=/tmp/registries.conf \
             --tag="${image}" \
             --file="${dockerfile}" \
             .
 
           # Push the image
           echo "[INFO] Pushing image ${image}"
-          buildah push \
+          buildah --storage-driver=$(params.storage-driver) push \
             --digestfile='$(results.shp-image-digest.path)' \
             --tls-verify="${tlsVerify}" \
             "${image}" \
@@ -191,6 +194,11 @@ spec:
       defaults:
         - docker.io
         - quay.io
+    - name: storage-driver
+      description: "The storage driver for buildah. Example: `overlay`, `vfs`"
+      type: string
+      default: "vfs"
+      # For details check "--storage-driver value" in https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options
   securityContext:
     runAsUser: 0
     runAsGroup: 0
diff --git a/test/buildstrategy_samples.go b/test/buildstrategy_samples.go
@@ -21,10 +21,12 @@ spec:
       image: quay.io/containers/buildah:v1.31.0
       workingDir: $(params.shp-source-root)
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - bud
         - --tag=$(params.shp-output-image)
         - --file=$(build.dockerfile)
@@ -42,10 +44,12 @@ spec:
     - name: buildah-push
       image: quay.io/containers/buildah:v1.31.0
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - push
         - --tls-verify=false
         - docker://$(params.shp-output-image)
@@ -79,10 +83,12 @@ spec:
       image: quay.io/containers/buildah:v1.31.0
       workingDir: $(params.shp-source-root)
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - bud
         - --tag=$(params.shp-output-image)
         - --file=$(build.dockerfile)
@@ -107,10 +113,12 @@ spec:
     - name: buildah-push
       image: quay.io/containers/buildah:v1.31.0
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - push
         - --tls-verify=false
         - docker://$(params.shp-output-image)
@@ -149,6 +157,7 @@ spec:
       workingDir: $(params.shp-source-root)
       command:
         - buildah
+        - --storage-driver=$(params.storage-driver)
         - bud
         - --tls-verify=false
         - --layers

diff --git a/test/clusterbuildstrategy_samples.go b/test/clusterbuildstrategy_samples.go
@@ -22,10 +22,12 @@ spec:
       image: quay.io/containers/buildah:v1.31.0
       workingDir: $(params.shp-source-root)
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - bud
         - --tag=$(params.shp-output-image)
         - --file=$(build.dockerfile)
@@ -43,10 +45,12 @@ spec:
     - name: buildah-push
       image: quay.io/containers/buildah:v1.31.0
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - push
         - --tls-verify=false
         - docker://$(params.shp-output-image)
@@ -80,10 +84,12 @@ spec:
       image: quay.io/containers/buildah:v1.31.0
       workingDir: $(params.shp-source-root)
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - bud
         - --tag=$(params.shp-output-image)
         - --file=$(build.dockerfile)
@@ -101,10 +107,12 @@ spec:
     - name: buildah-push
       image: quay.io/containers/buildah:v1.31.0
       securityContext:
-        privileged: true
+        capabilities:
+          add: ["SETFCAP"]
       command:
         - /usr/bin/buildah
       args:
+        - --storage-driver=$(params.storage-driver)
         - push
         - --tls-verify=false
         - docker://$(params.shp-output-image)