Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 11. Building of container images using Buildah as a non-root user
Running OpenShift Pipelines as the root user on a container can expose the container processes and the host to other potentially malicious resources. You can reduce this type of exposure by running the workload as a specific non-root user in the container.
In most cases, you can run Buildah without root privileges by creating a custom task for building the image and configuring user namespaces in this task.
If your image does not build successfully by using this configuration, you can use custom service account (SA) and security context constraint (SCC) definitions. However, with this option, you must enable the Buildah step to raise its privileges (allowPrivilegeEscalation: true).
11.1. Running Buildah as a non-root user by configuring user namespaces
Configuring user namespaces is the simplest way to run Buildah in a task as a non-root user. However, some images might not build using this option.
Prerequisites
-
You have installed the
occommand-line utility.
Procedure
To create a copy of the
buildahtask, which Red Hat provides in theopenshift-pipelinesnamespace, and to change the name of the copy tobuildah-as-user, enter the following command:$ oc get task buildah -n openshift-pipelines -o yaml | yq '. |= (del .metadata |= with_entries(select(.key == "name" )))' | yq '.kind="Task"' | yq '.metadata.name="buildah-as-user"' | oc create -f -Edit the copied
buildahtask by entering the following command:$ oc edit task buildah-as-userIn the new task, create
annotationsandstepTemplatesections, as shown in the following example:Example additions to the
buildah-as-usertaskapiVersion: tekton.dev/v1 kind: Task metadata: annotations: io.kubernetes.cri-o.userns-mode: 'auto:size=65536;map-to-root=true' io.openshift.builder: 'true' name: assemble-containerimage namespace: pipeline-namespace spec: description: This task builds an image. # ... stepTemplate: env: - name: HOME value: /tekton/home image: $(params.builder-image) imagePullPolicy: IfNotPresent name: '' resources: limits: cpu: '1' memory: 4Gi requests: cpu: 100m memory: 2Gi securityContext: capabilities: add: - SETFCAP runAsNonRoot: true runAsUser: 1000 workingDir: $(workspaces.working-directory.path) # ...runAsUser-
The
runAsUser:setting is not strictly necessary, because the task usespodTemplate.
-
Use the new
buildah-as-usertask to build the image in your pipeline.
11.2. Running Buildah as a non-root user by defining a custom SA and SCC
To run builds of container images by using Buildah as a non-root user, you can perform the following steps:
- Define custom service account (SA) and security context constraint (SCC).
-
Configure Buildah to use the
builduser with id1000. - Start a task run with a custom config map, or integrate it with a pipeline run.
11.2.1. Configuring custom service account and security context constraint
The default pipeline SA allows using a user ID outside of the namespace range. To reduce dependency on the default SA, you can define a custom SA and security context constraint (SCC) with the necessary cluster role and role bindings for the build user with user ID 1000.
At this time, Buildah requires enabling the allowPrivilegeEscalation setting to run successfully in the container. With this setting, Buildah can use SETUID and SETGID capabilities when running as a non-root user.
Procedure
Create a custom SA and SCC with necessary cluster role and role bindings.
Example: Custom SA and SCC for used id
1000apiVersion: v1 kind: ServiceAccount metadata: name: pipelines-sa-userid-1000 --- kind: SecurityContextConstraints metadata: annotations: name: pipelines-scc-userid-1000 allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegeEscalation: true allowPrivilegedContainer: false allowedCapabilities: null apiVersion: security.openshift.io/v1 defaultAddCapabilities: null fsGroup: type: MustRunAs groups: - system:cluster-admins priority: 10 readOnlyRootFilesystem: false requiredDropCapabilities: - MKNOD - KILL runAsUser: type: MustRunAs uid: 1000 seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny users: [] volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - projected - secret --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: pipelines-scc-userid-1000-clusterrole rules: - apiGroups: - security.openshift.io resourceNames: - pipelines-scc-userid-1000 resources: - securitycontextconstraints verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: pipelines-scc-userid-1000-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: pipelines-scc-userid-1000-clusterrole subjects: - kind: ServiceAccount name: pipelines-sa-userid-1000name- Define a custom SA.
SecurityContextConstraints-
Define a custom SCC created based on restricted privileges, with modified
runAsUserfield. allowPrivilegeEscalation-
At this time, Buildah requires enabling the
allowPrivilegeEscalationsetting to run successfully in the container. With this setting, Buildah can useSETUIDandSETGIDcapabilities when running as a non-root user. uid-
Restrict any pod that gets attached with the custom SCC through the custom SA to run as user id
1000. ClusterRole- Define a cluster role that uses the custom SCC.
RoleBinding- Bind the cluster role that uses the custom SCC to the custom SA.
11.2.2. Configuring Buildah to use build user
You can define a Buildah task to use the build user with user id 1000.
Procedure
Create a copy of the
buildahtask in theopenshift-pipelinesnamespace; change the name of the copy tobuildah-as-user.$ oc get task buildah -n openshift-pipelines -o yaml \ | yq '. |= (del .metadata |= with_entries(select(.key == "name" )))' \ | yq '.kind="Task"' | yq '.metadata.name="buildah-as-user"' | oc create -f -Edit the copied
buildahtask.$ oc edit task buildah-as-userExample: Modified Buildah task with
builduserapiVersion: tekton.dev/v1 kind: Task metadata: name: buildah-as-user spec: description: >- Buildah task builds source into a container image and then pushes it to a container registry. Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry. params: - name: IMAGE description: Reference of the image buildah will produce. - name: BUILDER_IMAGE description: The location of the buildah builder image. default: registry.redhat.io/rhel8/buildah@sha256:99cae35f40c7ec050fed3765b2b27e0b8bbea2aa2da7c16408e2ca13c60ff8ee - name: STORAGE_DRIVER description: Set buildah storage driver default: vfs - name: DOCKERFILE description: Path to the Dockerfile to build. default: ./Dockerfile - name: CONTEXT description: Path to the directory to use as context. default: . - name: TLSVERIFY description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) default: "true" - name: FORMAT description: The format of the built container, oci or docker default: "oci" - name: BUILD_EXTRA_ARGS description: Extra parameters passed for the build command when building images. default: "" - description: Extra parameters passed for the push command when pushing images. name: PUSH_EXTRA_ARGS type: string default: "" - description: Skip pushing the built image name: SKIP_PUSH type: string default: "false" results: - description: Digest of the image just built. name: IMAGE_DIGEST type: string workspaces: - name: source steps: - name: build securityContext: runAsUser: 1000 image: $(params.BUILDER_IMAGE) workingDir: $(workspaces.source.path) script: | echo "Running as USER ID `id`" buildah --storage-driver=$(params.STORAGE_DRIVER) bud \ $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \ --tls-verify=$(params.TLSVERIFY) --no-cache \ -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT) [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0 buildah --storage-driver=$(params.STORAGE_DRIVER) push \ $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \ --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \ docker://$(params.IMAGE) cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST volumeMounts: - name: varlibcontainers mountPath: /home/build/.local/share/containers volumes: - name: varlibcontainers emptyDir: {}runAsUser-
Run the container explicitly as the user id
1000, which corresponds to thebuilduser in the Buildah image. echo "Running as USER ID `id`"-
Display the user id to confirm that the process is running as user id
1000. mountPath- You can change the path for the volume mount as necessary.
11.2.3. Starting a task run with custom config map, or a pipeline run
After defining the custom Buildah task, you can create a TaskRun object that builds an image as a build user with user id 1000. In addition, you can integrate the TaskRun object as part of a PipelineRun object.
Procedure
Create a
TaskRunobject with a customConfigMapandDockerfileobjects.Example: A task run that runs Buildah as user id
1000apiVersion: v1 data: Dockerfile: | ARG BASE_IMG=registry.access.redhat.com/ubi9/ubi FROM $BASE_IMG AS buildah-runner RUN dnf -y update && \ dnf -y install git && \ dnf clean all CMD git kind: ConfigMap metadata: name: dockerfile --- apiVersion: tekton.dev/v1 kind: TaskRun metadata: name: buildah-as-user-1000 spec: taskRunTemplate: serviceAccountName: pipelines-sa-userid-1000 params: - name: IMAGE value: image-registry.openshift-image-registry.svc:5000/test/buildahuser taskRef: kind: Task name: buildah-as-user workspaces: - configMap: name: dockerfile name: sourceconfigMapRef.name- Use a config map because the focus is on the task run, without any prior task that fetches some sources with a Dockerfile.
serviceAccountName- The name of the service account that you created.
workspaces.name-
Mount a config map as the source workspace for the
buildah-as-usertask.
(Optional) Create a pipeline and a corresponding pipeline run.
Example: A pipeline and corresponding pipeline run
apiVersion: tekton.dev/v1 kind: Pipeline metadata: name: pipeline-buildah-as-user-1000 spec: params: - name: IMAGE - name: URL workspaces: - name: shared-workspace - name: sslcertdir optional: true tasks: - name: fetch-repository taskRef: resolver: cluster params: - name: kind value: task - name: name value: git-clone - name: namespace value: openshift-pipelines workspaces: - name: output workspace: shared-workspace params: - name: URL value: $(params.URL) - name: SUBDIRECTORY value: "" - name: DELETE_EXISTING value: "true" - name: buildah taskRef: name: buildah-as-user runAfter: - fetch-repository workspaces: - name: source workspace: shared-workspace - name: sslcertdir workspace: sslcertdir params: - name: IMAGE value: $(params.IMAGE) --- apiVersion: tekton.dev/v1 kind: PipelineRun metadata: name: pipelinerun-buildah-as-user-1000 spec: taskRunSpecs: - pipelineTaskName: buildah taskServiceAccountName: pipelines-sa-userid-1000 params: - name: URL value: https://github.com/openshift/pipelines-vote-api - name: IMAGE value: image-registry.openshift-image-registry.svc:5000/test/buildahuser pipelineRef: name: pipeline-buildah-as-user-1000 workspaces: - name: shared-workspace volumeClaimTemplate: spec: accessModes: - ReadWriteOnce resources: requests: storage: 100Mitasks.name: fetch-repository-
Use the
git-clonetask to fetch the source containing a Dockerfile and build it using the modified Buildah task. taskRef.name- Refer to the modified Buildah task.
taskServiceAccountName- Use the service account that you created for the Buildah task.
workspaces.name: shared-workspace-
Share data between the
git-clonetask and the modified Buildah task by using a persistent volume claim (PVC) created automatically by the controller.
- Start the task run or the pipeline run.
11.3. Limitations of unprivileged builds
The process for unprivileged builds works with most Dockerfile objects. However, there are some known limitations might cause a build to fail:
-
Using the
--mount=type=cacheoption might fail due to lack of necessary permissions issues. For more information, see this article. -
Using the
--mount=type=secretoption fails because mounting resources requires additional capabilities that are not provided by the custom SCC.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}