From ee374aa68e6caa1b14c33bebdaa966b11657de98 Mon Sep 17 00:00:00 2001 From: apoorvajagtap Date: Fri, 1 Sep 2023 10:07:02 +0530 Subject: [PATCH] restricting privileges for buildah bs --- .../buildrun/resources/taskrun_test.go | 8 ++++---- ...tegy_buildah_shipwright_managed_push_cr.yaml | 10 ++++++++-- ...rategy_buildah_strategy_managed_push_cr.yaml | 14 +++++++++++--- test/buildstrategy_samples.go | 17 +++++++++++++---- test/clusterbuildstrategy_samples.go | 16 ++++++++++++---- 5 files changed, 48 insertions(+), 17 deletions(-) diff --git a/pkg/reconciler/buildrun/resources/taskrun_test.go b/pkg/reconciler/buildrun/resources/taskrun_test.go index 954b3793a2..ea5c5cb20c 100644 --- a/pkg/reconciler/buildrun/resources/taskrun_test.go +++ b/pkg/reconciler/buildrun/resources/taskrun_test.go @@ -70,7 +70,7 @@ var _ = Describe("GenerateTaskrun", func() { buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always" expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } }) @@ -250,7 +250,7 @@ var _ = Describe("GenerateTaskrun", func() { Expect(err).To(BeNil()) expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } }) 
@@ -326,7 +326,7 @@ var _ = Describe("GenerateTaskrun", func() { buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always" expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } JustBeforeEach(func() { @@ -367,7 +367,7 @@ var _ = Describe("GenerateTaskrun", func() { buildStrategy.Spec.BuildSteps[0].ImagePullPolicy = "Always" expectedCommandOrArg = []string{ - "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", + "--storage-driver=$(params.storage-driver)", "bud", "--tag=$(params.shp-output-image)", fmt.Sprintf("--file=$(inputs.params.%s)", "DOCKERFILE"), "$(params.shp-source-context)", } JustBeforeEach(func() { diff --git a/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml b/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml index 5d49e1d9d5..e3897fbfea 100644 --- a/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml +++ b/samples/buildstrategy/buildah/buildstrategy_buildah_shipwright_managed_push_cr.yaml @@ -138,7 +138,8 @@ spec: # Building the image echo "[INFO] Building image ${image}" - buildah bud "${buildArgs[@]}" \ + buildah --storage-driver=$(params.storage-driver) \ + bud "${buildArgs[@]}" \ --registries-conf=/tmp/registries.conf \ --tag="${image}" \ --file="${dockerfile}" \ @@ -146,7 +147,7 @@ spec: # Write the image echo "[INFO] Writing image ${image}" - buildah push \ + buildah --storage-driver=$(params.storage-driver) push \ "${image}" \ "oci:${target}" # That's the separator between the shell script and its args 
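Review bot: The `--storage-driver=$(params.storage-driver)` added to the `buildah ... bud` and `buildah ... push` lines of the embedded bash script is unquoted, so once Tekton has textually substituted the parameter, a value containing whitespace or shell metacharacters is word-split and interpreted by bash instead of reaching buildah as a single flag. The value is set by the Build/BuildRun author, so this is a robustness point rather than a trust boundary, but quoting is free: `buildah --storage-driver="$(params.storage-driver)" \`. The same applies to the push invocation two hunks down in this file. The surrounding shell script begins and ends outside these hunks.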
@@ -193,6 +194,11 @@ spec: defaults: - docker.io - quay.io + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'." + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options securityContext: runAsUser: 0 runAsGroup: 0 diff --git a/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml b/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml index 098d60b1f6..834838df12 100644 --- a/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml +++ b/samples/buildstrategy/buildah/buildstrategy_buildah_strategy_managed_push_cr.yaml @@ -9,7 +9,9 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: + - "SETFCAP" command: - /bin/bash args: @@ -136,7 +138,8 @@ spec: # Building the image echo "[INFO] Building image ${image}" - buildah bud "${buildArgs[@]}" \ + buildah --storage-driver=$(params.storage-driver) \ + bud "${buildArgs[@]}" \ --registries-conf=/tmp/registries.conf \ --tag="${image}" \ --file="${dockerfile}" \ @@ -144,7 +147,7 @@ spec: # Push the image echo "[INFO] Pushing image ${image}" - buildah push \ + buildah --storage-driver=$(params.storage-driver) push \ --digestfile='$(results.shp-image-digest.path)' \ --tls-verify="${tlsVerify}" \ "${image}" \ @@ -191,6 +194,11 @@ spec: defaults: - docker.io - quay.io + - name: storage-driver + description: "The storage driver to use, such as 'overlay' or 'vfs'" + type: string + default: "vfs" + # For details see the "--storage-driver" section of https://github.com/containers/buildah/blob/main/docs/buildah.1.md#options securityContext: runAsUser: 0 runAsGroup: 0 diff --git a/test/buildstrategy_samples.go b/test/buildstrategy_samples.go index 8446c4b643..b67379cbdb 100644 --- a/test/buildstrategy_samples.go 
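Review bot: Swapping `privileged: true` for `capabilities: add: ["SETFCAP"]` on the step still leaves buildah running as uid 0, because the strategy-level `securityContext` in the same file (visible as trailing context in the last hunk) keeps `runAsUser: 0` and `runAsGroup: 0`, and the container's default capability set is untouched, so the step keeps every default capability plus SETFCAP. If the goal of the commit is least privilege, pair the add with a drop, `capabilities:` / `drop: ["ALL"]` / `add: ["SETFCAP"]`, and record why SETFCAP is needed, e.g. `# SETFCAP: presumably required for buildah to set file capabilities on files written into image layers — confirm`. Whether the strategy can also move off uid 0 depends on the buildah image's rootless setup, which this hunk does not show.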
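Review bot: The new `storage-driver` parameter description presents `overlay` and `vfs` as interchangeable, but the step in this same file has just lost `privileged: true`, and buildah's native overlay driver inside a non-privileged container without a user namespace or FUSE device generally fails in the storage layer; since the parameter is overridable from any Build/BuildRun, a user who follows the description will hit an opaque `buildah bud` error. Suggest stating the constraint where the user reads it: `description: "The storage driver to use. 'vfs' (the default) needs no extra privileges; 'overlay' may require capabilities or a FUSE device that this strategy does not grant."` The trailing `# For details see ...` comment sits after `default:` and reads as belonging to the next key; moving it above `- name: storage-driver` would make its scope clear.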
+++ b/test/buildstrategy_samples.go @@ -21,10 +21,12 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile) @@ -42,10 +44,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image) @@ -79,10 +83,12 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile) @@ -107,10 +113,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image) @@ -149,6 +157,7 @@ spec: workingDir: $(params.shp-source-root) command: - buildah + - --storage-driver=$(params.storage-driver) - bud - --tls-verify=false - --layers diff --git a/test/clusterbuildstrategy_samples.go b/test/clusterbuildstrategy_samples.go index c76eac43c0..5341427b01 100644 --- a/test/clusterbuildstrategy_samples.go +++ b/test/clusterbuildstrategy_samples.go 
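Review bot: Every buildah step in these fixtures now references `$(params.storage-driver)`, but no hunk adds a `storage-driver` entry to a `parameters:` list, and the diffstat for this file (13 insertions: eight securityContext lines and five argument lines) leaves no room for one elsewhere. Unless the fixture strategies already declare it outside these hunks, the generated TaskRun refers to a parameter the strategy never defines; the updated expectations in taskrun_test.go still pass only because they compare the unexpanded `$(params.storage-driver)` string rather than a resolved value. If a declaration is missing, add under each fixture's `parameters:` the entry `- name: storage-driver` / `type: string` / `default: vfs`, mirroring the sample YAML in this commit. The Go string literals holding these fixtures start and end outside the hunks.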
@@ -22,10 +22,12 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile) @@ -43,10 +45,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image) @@ -80,10 +84,12 @@ spec: image: quay.io/containers/buildah:v1.31.0 workingDir: $(params.shp-source-root) securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - bud - --tag=$(params.shp-output-image) - --file=$(build.dockerfile) @@ -101,10 +107,12 @@ spec: - name: buildah-push image: quay.io/containers/buildah:v1.31.0 securityContext: - privileged: true + capabilities: + add: ["SETFCAP"] command: - /usr/bin/buildah args: + - --storage-driver=$(params.storage-driver) - push - --tls-verify=false - docker://$(params.shp-output-image)
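Review bot: The `buildah-push` steps receive `SETFCAP` as well, although a push only reads the local container store and writes to the registry; setting file capabilities is a build-time need, so the push step presumably runs with no added capability at all — worth confirming on a real cluster, since these fixtures are exercised only by unit tests here. Giving each step just what it uses, and dropping the default set, would read `securityContext:` / `capabilities:` / `drop: ["ALL"]` on the push step and `drop: ["ALL"]` plus `add: ["SETFCAP"]` on the build step. Note these push steps also keep `--tls-verify=false` from before; fine for a test fixture, but worth a comment so it is not copied into a real strategy.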