Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Securing OpenShift Pipelines

Red Hat OpenShift Pipelines 1.10

Security features of OpenShift Pipelines

Red Hat OpenShift Documentation Team

Abstract

This document provides information about security features of OpenShift Pipelines.
Important

Tekton Chains is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller. You can use it to manage the supply chain security of the tasks and pipelines created using Red Hat OpenShift Pipelines.

By default, Tekton Chains observes all task run executions in your OpenShift Container Platform cluster. When the task runs complete, Tekton Chains takes a snapshot of the task runs. It then converts the snapshot to one or more standard payload formats, and finally signs and stores all artifacts.

To capture information about task runs, Tekton Chains uses the Result and PipelineResource objects. When the objects are unavailable, Tekton Chains the URLs and qualified digests of the OCI images.

Note

The PipelineResource object is deprecated and will be removed in a future release; for manual use, the Results object is recommended.

1.1. Key features
Copy link

  • You can sign task runs, task run results, and OCI registry images with cryptographic keys that are generated by tools such as cosign.
  • You can use attestation formats such as in-toto.
  • You can securely store signatures and signed artifacts using OCI repository as a storage backend.

Cluster administrators can use the TektonChain custom resource (CR) to install and manage Tekton Chains.

Note

Tekton Chains is an optional component of Red Hat OpenShift Pipelines. Currently, you cannot install it using the TektonConfig CR.

Prerequisites

  • Ensure that the Red Hat OpenShift Pipelines Operator is installed in the openshift-pipelines namespace on your cluster.

Procedure

  1. Create the TektonChain CR for your Red Hat OpenShift Pipelines cluster. 

    apiVersion: operator.tekton.dev/v1alpha1
kind: TektonChain
metadata:
  name: chain
spec:
  targetNamespace: openshift-pipelines
    Copy to Clipboard Toggle word wrap

  2. Apply the TektonChain CR. 

    $ oc apply -f TektonChain.yaml
    1
    Copy to Clipboard Toggle word wrap
    1
    Substitute with the file name of the TektonChain CR.

  3. Check the status of the installation. 

    $ oc get tektonchains.operator.tekton.dev
    Copy to Clipboard Toggle word wrap

1.3. Configuring Tekton Chains
Copy link

Tekton Chains uses a ConfigMap object named chains-config in the openshift-pipelines namespace for configuration.

To configure Tekton Chains, use the following example:

Example: Configuring Tekton Chains

$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}'
1
Copy to Clipboard Toggle word wrap

1
Use a combination of supported key-value pairs in the JSON payload.

Cluster administrators can use various supported keys and values to configure specifications about task runs, OCI images, and storage.

1.3.1.1. Supported keys for task run
Copy link
Expand
Table 1.1. Chains configuration: Supported keys for task run
Supported keysDescriptionSupported valuesDefault values

artifacts.taskrun.format

The format to store task run payloads.

tekton, in-toto

tekton

artifacts.taskrun.storage

The storage backend for task run signatures. You can specify multiple backends as a comma-separated list, such as “tekton,oci”. To disable this artifact, provide an empty string “”.

tekton, oci

tekton

artifacts.taskrun.signer

The signature backend to sign task run payloads.

x509

x509

1.3.1.2. Supported keys for OCI
Copy link
Expand
Table 1.2. Chains configuration: Supported keys for OCI
Supported keysDescriptionSupported valuesDefault values

artifacts.oci.format

The format to store OCI payloads.

simplesigning

simplesigning

artifacts.oci.storage

The storage backend to for OCI signatures. You can specify multiple backends as a comma-separated list, such as “oci,tekton”. To disable the OCI artifact, provide an empty string “”.

tekton, oci

oci

artifacts.oci.signer

The signature backend to sign OCI payloads.

x509, cosign

x509

1.3.1.3. Supported keys for storage
Copy link
Expand
Table 1.3. Chains configuration: Supported keys for storage
Supported keysDescriptionSupported valuesDefault values

artifacts.oci.repository

The OCI repository to store OCI signatures.

Currently, Chains support only the internal OpenShift OCI registry; other popular options such as Quay is not supported.

 

1.4. Signing secrets in Tekton Chains
Copy link

Cluster administrators can generate a key pair and use Tekton Chains to sign artifacts using a Kubernetes secret. For Tekton Chains to work, a private key and a password for encrypted keys must exist as part of the signing-secrets Kubernetes secret, in the openshift-pipelines namespace.

Currently, Tekton Chains supports the x509 and cosign signature schemes.

Note

Use only one of the supported signature schemes.

1.4.1. Signing using x509
Copy link

To use the x509 signing scheme with Tekton Chains, store the x509.pem private key of the ed25519 or ecdsa type in the signing-secrets Kubernetes secret. Ensure that the key is stored as an unencrypted PKCS8 PEM file (BEGIN PRIVATE KEY).

1.4.2. Signing using cosign
Copy link

To use the cosign signing scheme with Tekton Chains:

  1. Install cosign.

  2. Generate the cosign.key and cosign.pub key pairs. 

    $ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
    Copy to Clipboard Toggle word wrap

    Cosign prompts you for a password, and creates a Kubernetes secret.

  3. Store the encrypted cosign.key private key and the cosign.password decryption password in the signing-secrets Kubernetes secret. Ensure that the private key is stored as an encrypted PEM file of the ENCRYPTED COSIGN PRIVATE KEY type.

1.4.3. Troubleshooting signing
Copy link

If the signing secrets are already populated, you might get the following error: 

Error from server (AlreadyExists): secrets "signing-secrets" already exists
Copy to Clipboard Toggle word wrap

To resolve the error:

  1. Delete the secrets: 

    $ oc delete secret signing-secrets -n openshift-pipelines
    Copy to Clipboard Toggle word wrap
  2. Recreate the key pairs and store them in the secrets using your preferred signing scheme.

1.5. Authenticating to an OCI registry
Copy link

Before pushing signatures to an OCI registry, cluster administrators must configure Tekton Chains to authenticate with the registry. The Tekton Chains controller uses the same service account under which the task runs execute. To set up a service account with the necessary credentials for pushing signatures to an OCI registry, perform the following steps:

Procedure

  1. Set the namespace and name of the Kubernetes service account. 

    $ export NAMESPACE=<namespace>
    1 
    
$ export SERVICE_ACCOUNT_NAME=<service_account>
    2
    Copy to Clipboard Toggle word wrap
    1
    The namespace associated with the service account.
    2
    The name of the service account.

  2. Create a Kubernetes secret. 

    $ oc create secret registry-credentials \
  --from-file=.dockerconfigjson \
    1 
    
  --type=kubernetes.io/dockerconfigjson \
  -n $NAMESPACE
    Copy to Clipboard Toggle word wrap
    1
    Substitute with the path to your Docker config file. Default path is ~/.docker/config.json.

  3. Give the service account access to the secret. 

    $ oc patch serviceaccount $SERVICE_ACCOUNT_NAME \
  -p "{\"imagePullSecrets\": [{\"name\": \"registry-credentials\"}]}" -n $NAMESPACE
    Copy to Clipboard Toggle word wrap

    If you patch the default pipeline service account that Red Hat OpenShift Pipelines assigns to all task runs, the Red Hat OpenShift Pipelines Operator will override the service account. As a best practice, you can perform the following steps:

    1. Create a separate service account to assign to user’s task runs. 

      $ oc create serviceaccount <service_account_name>
      Copy to Clipboard Toggle word wrap

    2. Associate the service account to the task runs by setting the value of the serviceaccountname field in the task run template. 

      apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: build-push-task-run-2
spec:
serviceAccountName: build-bot
      1 
      
taskRef:
  name: build-push
...
      Copy to Clipboard Toggle word wrap
      1
      Substitute with the name of the newly created service account.

To verify signatures of task runs using Tekton Chains with any additional authentication, perform the following tasks:

  • Create an encrypted x509 key pair and save it as a Kubernetes secret.
  • Configure the Tekton Chains backend storage.
  • Create a task run, sign it, and store the signature and the payload as annotations on the task run itself.
  • Retrieve the signature and payload from the signed task run.
  • Verify the signature of the task run.

Prerequisites

Ensure that the following are installed on the cluster:

  • Red Hat OpenShift Pipelines Operator
  • Tekton Chains
  • Cosign

Procedure

  1. Create an encrypted x509 key pair and save it as a Kubernetes secret: 

    $ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
    Copy to Clipboard Toggle word wrap

    Provide a password when prompted. Cosign stores the resulting private key as part of the signing-secrets Kubernetes secret in the openshift-pipelines namespace.

  2. In the Tekton Chains configuration, disable the OCI storage, and set the task run storage and format to tekton. 

    $ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.oci.storage": "", "artifacts.taskrun.format":"tekton", "artifacts.taskrun.storage": "tekton"}}'
    Copy to Clipboard Toggle word wrap

  3. Restart the Tekton Chains controller to ensure that the modified configuration is applied. 

    $ oc delete po -n openshift-pipelines -l app=tekton-chains-controller
    Copy to Clipboard Toggle word wrap

  4. Create a task run. 

    $ oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml
    1 
    
taskrun.tekton.dev/build-push-run-output-image-qbjvh created
    Copy to Clipboard Toggle word wrap
    1
    Substitute with the URI or file path pointing to your task run.

  5. Check the status of the steps, and wait till the process finishes. 

    $ tkn tr describe --last
[...truncated output...]
NAME                            STATUS
∙ create-dir-builtimage-9467f   Completed
∙ git-source-sourcerepo-p2sk8   Completed
∙ build-and-push                Completed
∙ echo                          Completed
∙ image-digest-exporter-xlkn7   Completed
    Copy to Clipboard Toggle word wrap

  6. Retrieve the signature and payload from the object stored as base64 encoded annotations: 

    $ export TASKRUN_UID=$(tkn tr describe --last -o  jsonpath='{.metadata.uid}')
$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" > signature
$ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/payload-taskrun-$TASKRUN_UID}" | base64 -d > payload
    Copy to Clipboard Toggle word wrap

  7. Verify the signature. 

    $ cosign verify-blob --key k8s://openshift-pipelines/signing-secrets --signature ./signature ./payload
Verified OK
    Copy to Clipboard Toggle word wrap

Cluster administrators can use Tekton Chains to sign and verify images and provenances, by performing the following tasks:

  • Create an encrypted x509 key pair and save it as a Kubernetes secret.
  • Set up authentication for the OCI registry to store images, image signatures, and signed image attestations.
  • Configure Tekton Chains to generate and sign provenance.
  • Create an image with Kaniko in a task run.
  • Verify the signed image and the signed provenance.

Prerequisites

Ensure that the following are installed on the cluster:

  • Red Hat OpenShift Pipelines Operator
  • Tekton Chains
  • Cosign
  • Rekor
  • jq

Procedure

  1. Create an encrypted x509 key pair and save it as a Kubernetes secret: 

    $ cosign generate-key-pair k8s://openshift-pipelines/signing-secrets
    Copy to Clipboard Toggle word wrap

    Provide a password when prompted. Cosign stores the resulting private key as part of the signing-secrets Kubernetes secret in the openshift-pipelines namespace, and writes the public key to the cosign.pub local file.

  2. Configure authentication for the image registry.

    1. To configure the Tekton Chains controller for pushing signature to an OCI registry, use the credentials associated with the service account of the task run. For detailed information, see the "Authenticating to an OCI registry" section.

    2. To configure authentication for a Kaniko task that builds and pushes image to the registry, create a Kubernetes secret of the docker config.json file containing the required credentials. 

      $ oc create secret generic <docker_config_secret_name> \
      1 
      
  --from-file <path_to_config.json>
      2
      Copy to Clipboard Toggle word wrap
      1
      Substitute with the name of the docker config secret.
      2
      Substitute with the path to docker config.json file.

  3. Configure Tekton Chains by setting the artifacts.taskrun.format, artifacts.taskrun.storage, and transparency.enabled parameters in the chains-config object: 

    $ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'

$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"artifacts.taskrun.storage": "oci"}}'

$ oc patch configmap chains-config -n openshift-pipelines -p='{"data":{"transparency.enabled": "true"}}'
    Copy to Clipboard Toggle word wrap

  4. Start the Kaniko task.

    1. Apply the Kaniko task to the cluster. 

      $ oc apply -f examples/kaniko/kaniko.yaml
      1
      Copy to Clipboard Toggle word wrap
      1
      Substitute with the URI or file path to your Kaniko task.

    2. Set the appropriate environment variables. 

      $ export REGISTRY=<url_of_registry>
      1 
      

$ export DOCKERCONFIG_SECRET_NAME=<name_of_the_secret_in_docker_config_json>
      2
      Copy to Clipboard Toggle word wrap
      1
      Substitute with the URL of the registry where you want to push the image.
      2
      Substitute with the name of the secret in the docker config.json file.

    3. Start the Kaniko task. 

      $ tkn task start --param IMAGE=$REGISTRY/kaniko-chains --use-param-defaults --workspace name=source,emptyDir="" --workspace name=dockerconfig,secret=$DOCKERCONFIG_SECRET_NAME kaniko-chains
      Copy to Clipboard Toggle word wrap

      Observe the logs of this task until all steps are complete. On successful authentication, the final image will be pushed to $REGISTRY/kaniko-chains.

  5. Wait for a minute to allow Tekton Chains to generate the provenance and sign it, and then check the availability of the chains.tekton.dev/signed=true annotation on the task run. 

    $ oc get tr <task_run_name> \
    1 
    
-o json | jq -r .metadata.annotations

{
  "chains.tekton.dev/signed": "true",
  ...
}
    Copy to Clipboard Toggle word wrap
    1
    Substitute with the name of the task run.

  6. Verify the image and the attestation. 

    $ cosign verify --key cosign.pub $REGISTRY/kaniko-chains

$ cosign verify-attestation --key cosign.pub $REGISTRY/kaniko-chains
    Copy to Clipboard Toggle word wrap

  7. Find the provenance for the image in Rekor.

    1. Get the digest of the $REGISTRY/kaniko-chains image. You can search for it ing the task run, or pull the image to extract the digest.

    2. Search Rekor to find all entries that match the sha256 digest of the image. 

      $ rekor-cli search --sha <image_digest>
      1 
      

<uuid_1>
      2 
      
<uuid_2>
      3 
      
...
      Copy to Clipboard Toggle word wrap
      1
      Substitute with the sha256 digest of the image.
      2
      The first matching universally unique identifier (UUID).
      3
      The second matching UUID.

      The search result displays UUIDs of the matching entries. One of those UUIDs holds the attestation.

    3. Check the attestation. 

      $ rekor-cli get --uuid <uuid> --format json | jq -r .Attestation | base64 --decode | jq
      Copy to Clipboard Toggle word wrap

The default configuration of OpenShift Pipelines 1.3.x and later versions does not allow you to run pods with privileged security context, if the pods result from pipeline run or task run. For such pods, the default service account is pipeline, and the security context constraint (SCC) associated with the pipeline service account is pipelines-scc. The pipelines-scc SCC is similar to the anyuid SCC, but with minor differences as defined in the YAML file for the SCC of pipelines:

Example pipelines-scc.yaml snippet

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
...
allowedCapabilities:
  - SETFCAP
...
fsGroup:
  type: MustRunAs
...
Copy to Clipboard Toggle word wrap

In addition, the Buildah cluster task, shipped as part of OpenShift Pipelines, uses vfs as the default storage driver.

Procedure

To run a pod (resulting from pipeline run or task run) with the privileged security context, do the following modifications:

  • Configure the associated user account or service account to have an explicit SCC. You can perform the configuration using any of the following methods:

    • Run the following command: 

      $ oc adm policy add-scc-to-user <scc-name> -z <service-account-name>
      Copy to Clipboard Toggle word wrap

    • Alternatively, modify the YAML files for RoleBinding, and Role or ClusterRole:

      Example RoleBinding object

      apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-account-name
      1 
      
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pipelines-scc-clusterrole
      2 
      
subjects:
- kind: ServiceAccount
  name: pipeline
  namespace: default
      Copy to Clipboard Toggle word wrap

      1
      Substitute with an appropriate service account name.
      2
      Substitute with an appropriate cluster role based on the role binding you use.

      Example ClusterRole object

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-scc-clusterrole
      1 
      
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot
  resources:
  - securitycontextconstraints
  verbs:
  - use
      Copy to Clipboard Toggle word wrap

      1
      Substitute with an appropriate cluster role based on the role binding you use.
    Note

    As a best practice, create a copy of the default YAML files and make changes in the duplicate file.

  • If you do not use the vfs storage driver, configure the service account associated with the task run or the pipeline run to have a privileged SCC, and set the security context as privileged: true.

When using the pipelines-scc security context constraint (SCC) associated with the default pipelines service account, the pipeline run and task run pods may face timeouts. This happens because in the default pipelines-scc SCC, the fsGroup.type parameter is set to MustRunAs.

Note

For more information about pod timeouts, see BZ#1995779.

To avoid pod timeouts, you can create a custom SCC with the fsGroup.type parameter set to RunAsAny, and associate it with a custom service account.

Note

As a best practice, use a custom SCC and a custom service account for pipeline runs and task runs. This approach allows greater flexibility and does not break the runs when the defaults are modified during an upgrade.

Procedure

  1. Define a custom SCC with the fsGroup.type parameter set to RunAsAny:

    Example: Custom SCC

    apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: my-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - RunAsAny.
  name: my-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
    Copy to Clipboard Toggle word wrap

  2. Create the custom SCC:

    Example: Create the my-scc SCC

    $ oc create -f my-scc.yaml
    Copy to Clipboard Toggle word wrap

  3. Create a custom service account:

    Example: Create a fsgroup-runasany service account

    $ oc create serviceaccount fsgroup-runasany
    Copy to Clipboard Toggle word wrap

  4. Associate the custom SCC with the custom service account:

    Example: Associate the my-scc SCC with the fsgroup-runasany service account

    $ oc adm policy add-scc-to-user my-scc -z fsgroup-runasany
    Copy to Clipboard Toggle word wrap

    If you want to use the custom service account for privileged tasks, you can associate the privileged SCC with the custom service account by running the following command:

    Example: Associate the privileged SCC with the fsgroup-runasany service account

    $ oc adm policy add-scc-to-user privileged -z fsgroup-runasany
    Copy to Clipboard Toggle word wrap

  5. Use the custom service account in the pipeline run and task run:

    Example: Pipeline run YAML with fsgroup-runasany custom service account

    apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: <pipeline-run-name>
spec:
  pipelineRef:
    name: <pipeline-cluster-task-name>
  serviceAccountName: 'fsgroup-runasany'
    Copy to Clipboard Toggle word wrap

    Example: Task run YAML with fsgroup-runasany custom service account

    apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: <task-run-name>
spec:
  taskRef:
    name: <cluster-task-name>
  serviceAccountName: 'fsgroup-runasany'
    Copy to Clipboard Toggle word wrap

Chapter 3. Securing webhooks with event listeners
Copy link

As an administrator, you can secure webhooks with event listeners. After creating a namespace, you enable HTTPS for the Eventlistener resource by adding the operator.tekton.dev/enable-annotation=enabled label to the namespace. Then, you create a Trigger resource and a secured route using the re-encrypted TLS termination.

Triggers in Red Hat OpenShift Pipelines support insecure HTTP and secure HTTPS connections to the Eventlistener resource. HTTPS secures connections within and outside the cluster.

Red Hat OpenShift Pipelines runs a tekton-operator-proxy-webhook pod that watches for the labels in the namespace. When you add the label to the namespace, the webhook sets the service.beta.openshift.io/serving-cert-secret-name=<secret_name> annotation on the EventListener object. This, in turn, creates secrets and the required certificates. 

service.beta.openshift.io/serving-cert-secret-name=<secret_name>
Copy to Clipboard Toggle word wrap

In addition, you can mount the created secret into the Eventlistener pod to secure the request.

To create a route with the re-encrypted TLS termination, run: 

$ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>
Copy to Clipboard Toggle word wrap

Alternatively, you can create a re-encrypted TLS termination YAML file to create a secure route.

Example re-encrypt TLS termination YAML to create a secure route

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: route-passthrough-secured
1 

spec:
  host: <hostname>
  to:
    kind: Service
    name: frontend
2 

  tls:
    termination: reencrypt
3 

    key: [as in edge termination]
    certificate: [as in edge termination]
    caCertificate: [as in edge termination]
    destinationCACertificate: |-
4 

      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
Copy to Clipboard Toggle word wrap

1 2
The name of the object, which is limited to only 63 characters.
3
The termination field is set to reencrypt. This is the only required TLS field.
4
This is required for re-encryption. The destinationCACertificate field specifies a CA certificate to validate the endpoint certificate, thus securing the connection from the router to the destination pods. You can omit this field in either of the following scenarios:
  • The service uses a service signing certificate.
  • The administrator specifies a default CA certificate for the router, and the service has a certificate signed by that CA.

You can run the oc create route reencrypt --help command to display more options.

This section uses the pipelines-tutorial example to demonstrate creation of a sample EventListener resource using a secure HTTPS connection.

Procedure

  1. Create the TriggerBinding resource from the YAML file available in the pipelines-tutorial repository: 

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/01_binding.yaml
    Copy to Clipboard Toggle word wrap

  2. Create the TriggerTemplate resource from the YAML file available in the pipelines-tutorial repository: 

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/02_template.yaml
    Copy to Clipboard Toggle word wrap

  3. Create the Trigger resource directly from the pipelines-tutorial repository: 

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/03_trigger.yaml
    Copy to Clipboard Toggle word wrap

  4. Create an EventListener resource using a secure HTTPS connection:

    1. Add a label to enable the secure HTTPS connection to the Eventlistener resource: 

      $ oc label namespace <ns-name> operator.tekton.dev/enable-annotation=enabled
      Copy to Clipboard Toggle word wrap

    2. Create the EventListener resource from the YAML file available in the pipelines-tutorial repository: 

      $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/04_event_listener.yaml
      Copy to Clipboard Toggle word wrap

    3. Create a route with the re-encrypted TLS termination: 

      $ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>
      Copy to Clipboard Toggle word wrap

A Git secret consists of credentials to securely interact with a Git repository, and is often used to automate authentication. In Red Hat OpenShift Pipelines, you can use Git secrets to authenticate pipeline runs and task runs that interact with a Git repository during execution.

A pipeline run or a task run gains access to the secrets through the associated service account. OpenShift Pipelines support the use of Git secrets as annotations (key-value pairs) for basic authentication and SSH-based authentication.

4.1. Credential selection
Copy link

A pipeline run or task run might require multiple authentications to access different Git repositories. Annotate each secret with the domains where OpenShift Pipelines can use its credentials.

A credential annotation key for Git secrets must begin with tekton.dev/git-, and its value is the URL of the host for which you want OpenShift Pipelines to use that credential.

In the following example, OpenShift Pipelines uses a basic-auth secret, which relies on a username and password, to access repositories at github.com and gitlab.com.

Example: Multiple credentials for basic authentication

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: github.com
    tekton.dev/git-1: gitlab.com
type: kubernetes.io/basic-auth
stringData:
  username: <username>
1 

  password: <password>
2
Copy to Clipboard Toggle word wrap

1
Username for the repository
2
Password or personal access token for the repository

You can also use an ssh-auth secret (private key) to access a Git repository.

Example: Private key for SSH based authentication

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey:
1
Copy to Clipboard Toggle word wrap

1
The content of the SSH private key file.

4.2. Configuring basic authentication for Git
Copy link

For a pipeline to retrieve resources from password-protected repositories, you must configure the basic authentication for that pipeline.

To configure basic authentication for a pipeline, update the secret.yaml, serviceaccount.yaml, and run.yaml files with the credentials from the Git secret for the specified repository. When you complete this process, OpenShift Pipelines can use that information to retrieve the specified pipeline resources.

Note

For GitHub, authentication using plain password is deprecated. Instead, use a personal access token.

Procedure

  1. In the secret.yaml file, specify the username and password or GitHub personal access token to access the target Git repository. 

    apiVersion: v1
kind: Secret
metadata:
  name: basic-user-pass
    1 
    
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: <username>
    2 
    
  password: <password>
    3
    Copy to Clipboard Toggle word wrap
    1
    Name of the secret. In this example, basic-user-pass.
    2
    Username for the Git repository.
    3
    Password for the Git repository.

  2. In the serviceaccount.yaml file, associate the secret with the appropriate service account. 

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
    1 
    
secrets:
  - name: basic-user-pass
    2
    Copy to Clipboard Toggle word wrap
    1
    Name of the service account. In this example, build-bot.
    2
    Name of the secret. In this example, basic-user-pass.

  3. In the run.yaml file, associate the service account with a task run or a pipeline run.

    • Associate the service account with a task run: 

      apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
      1 
      
spec:
  serviceAccountName: build-bot
      2 
      
  taskRef:
    name: build-push
      3
      Copy to Clipboard Toggle word wrap
      1
      Name of the task run. In this example, build-push-task-run-2.
      2
      Name of the service account. In this example, build-bot.
      3
      Name of the task. In this example, build-push.

    • Associate the service account with a PipelineRun resource: 

      apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
      1 
      
  namespace: default
spec:
  serviceAccountName: build-bot
      2 
      
  pipelineRef:
    name: demo-pipeline
      3
      Copy to Clipboard Toggle word wrap
      1
      Name of the pipeline run. In this example, demo-pipeline.
      2
      Name of the service account. In this example, build-bot.
      3
      Name of the pipeline. In this example, demo-pipeline.

  4. Apply the changes. 

    $ oc apply --filename secret.yaml,serviceaccount.yaml,run.yaml
    Copy to Clipboard Toggle word wrap

4.3. Configuring SSH authentication for Git
Copy link

For a pipeline to retrieve resources from repositories configured with SSH keys, you must configure the SSH-based authentication for that pipeline.

To configure SSH-based authentication for a pipeline, update the secret.yaml, serviceaccount.yaml, and run.yaml files with the credentials from the SSH private key for the specified repository. When you complete this process, OpenShift Pipelines can use that information to retrieve the specified pipeline resources.

Note

Consider using SSH-based authentication rather than basic authentication.

Procedure

  1. Generate an SSH private key, or copy an existing private key, which is usually available in the ~/.ssh/id_rsa file.

  2. In the secret.yaml file, set the value of ssh-privatekey to the content of the SSH private key file, and set the value of known_hosts to the content of the known hosts file. 

    apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
    1 
    
  annotations:
    tekton.dev/git-0: github.com
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey:
    2 
    
  known_hosts:
    3
    Copy to Clipboard Toggle word wrap
    1
    Name of the secret containing the SSH private key. In this example, ssh-key.
    2
    The content of the SSH private key file.
    3
    The content of the known hosts file.
    Important

    If you omit the private key, OpenShift Pipelines accepts the public key of any server.

  3. Optional: To specify a custom SSH port, add :<port number> to the end of the annotation value. For example, tekton.dev/git-0: github.com:2222.

  4. In the serviceaccount.yaml file, associate the ssh-key secret with the build-bot service account. 

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
    1 
    
secrets:
  - name: ssh-key
    2
    Copy to Clipboard Toggle word wrap
    1
    Name of the service account. In this example, build-bot.
    2
    Name of the secret containing the SSH private key. In this example, ssh-key.

  5. In the run.yaml file, associate the service account with a task run or a pipeline run.

    • Associate the service account with a task run: 

      apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: build-push-task-run-2
      1 
      
spec:
  serviceAccountName: build-bot
      2 
      
  taskRef:
    name: build-push
      3
      Copy to Clipboard Toggle word wrap
      1
      Name of the task run. In this example, build-push-task-run-2.
      2
      Name of the service account. In this example, build-bot.
      3
      Name of the task. In this example, build-push.

    • Associate the service account with a pipeline run: 

      apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: demo-pipeline
      1 
      
  namespace: default
spec:
  serviceAccountName: build-bot
      2 
      
  pipelineRef:
    name: demo-pipeline
      3
      Copy to Clipboard Toggle word wrap
      1
      Name of the pipeline run. In this example, demo-pipeline.
      2
      Name of the service account. In this example, build-bot.
      3
      Name of the pipeline. In this example, demo-pipeline.

  6. Apply the changes. 

    $ oc apply --filename secret.yaml,serviceaccount.yaml,run.yaml
    Copy to Clipboard Toggle word wrap

4.4. Using SSH authentication in git type tasks
Copy link

When invoking Git commands, you can use SSH authentication directly in the steps of a task. SSH authentication ignores the $HOME variable and only uses the user’s home directory specified in the /etc/passwd file. So each step in a task must symlink the /tekton/home/.ssh directory to the home directory of the associated user.

However, explicit symlinks are not necessary when you use a pipeline resource of the git type, or the git-clone task available in the Tekton catalog.

As an example of using SSH authentication in git type tasks, refer to authenticating-git-commands.yaml.

4.5. Using secrets as a non-root user
Copy link

You might need to use secrets as a non-root user in certain scenarios, such as:

  • The users and groups that the containers use to execute runs are randomized by the platform.
  • The steps in a task define a non-root security context.
  • A task specifies a global non-root security context, which applies to all steps in a task.

In such scenarios, consider the following aspects of executing task runs and pipeline runs as a non-root user:

  • SSH authentication for Git requires the user to have a valid home directory configured in the /etc/passwd directory. Specifying a UID that has no valid home directory results in authentication failure.
  • SSH authentication ignores the $HOME environment variable. So you must or symlink the appropriate secret files from the $HOME directory defined by OpenShift Pipelines (/tekton/home), to the non-root user’s valid home directory.

In addition, to configure SSH authentication in a non-root security context, refer to the example for authenticating git commands.

4.6. Limiting secret access to specific steps
Copy link

By default, the secrets for OpenShift Pipelines are stored in the $HOME/tekton/home directory, and are available for all the steps in a task.

To limit a secret to specific steps, use the secret definition to specify a volume, and mount the volume in specific steps.

Running OpenShift Pipelines as the root user on a container can expose the container processes and the host to other potentially malicious resources. You can reduce this type of exposure by running the workload as a specific non-root user in the container. To run builds of container images using Buildah as a non-root user, you can perform the following steps:

  • Define custom service account (SA) and security context constraint (SCC).
  • Configure Buildah to use the build user with id 1000.
  • Start a task run with a custom config map, or integrate it with a pipeline run.

The default pipeline SA allows using a user id outside of the namespace range. To reduce dependency on the default SA, you can define a custom SA and SCC with necessary cluster role and role bindings for the build user with user id 1000.

Important

At this time, enabling the allowPrivilegeEscalation setting is required for Buildah to run successfully in the container. With this setting, Buildah can leverage SETUID and SETGID capabilities when running as a non-root user.

Procedure

  • Create a custom SA and SCC with necessary cluster role and role bindings.

    Example: Custom SA and SCC for used id 1000

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipelines-sa-userid-1000
    1 
    
---
kind: SecurityContextConstraints
metadata:
  annotations:
  name: pipelines-scc-userid-1000
    2 
    
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
    3 
    
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
- KILL
runAsUser:
    4 
    
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-scc-userid-1000-clusterrole
    5 
    
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - pipelines-scc-userid-1000
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines-scc-userid-1000-rolebinding
    6 
    
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pipelines-scc-userid-1000-clusterrole
subjects:
- kind: ServiceAccount
  name: pipelines-sa-userid-1000
    Copy to Clipboard Toggle word wrap

1
Define a custom SA.
2
Define a custom SCC created based on restricted privileges, with modified runAsUser field.
3
At this time, enabling the allowPrivilegeEscalation setting is required for Buildah to run successfully in the container. With this setting, Buildah can leverage SETUID and SETGID capabilities when running as a non-root user.
4
Restrict any pod that gets attached with the custom SCC through the custom SA to run as user id 1000.
5
Define a cluster role that uses the custom SCC.
6
Bind the cluster role that uses the custom SCC to the custom SA.

5.2. Configuring Buildah to use build user
Copy link

You can define a Buildah task to use the build user with user id 1000.

Procedure

  1. Create a copy of the buildah cluster task as an ordinary task. 

    $ oc get clustertask buildah -o yaml | yq '. |= (del .metadata |= with_entries(select(.key == "name" )))' | yq '.kind="Task"' | yq '.metadata.name="buildah-as-user"' | oc create -f -
    Copy to Clipboard Toggle word wrap

  2. Edit the copied buildah task. 

    $ oc edit task buildah-as-user
    Copy to Clipboard Toggle word wrap

    Example: Modified Buildah task with build user

    apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: buildah-as-user
spec:
  description: >-
    Buildah task builds source into a container image and
    then pushes it to a container registry.
    Buildah Task builds source into a container image using Project Atomic's
    Buildah build tool.It uses Buildah's support for building from Dockerfiles,
    using its buildah bud command.This command executes the directives in the
    Dockerfile to assemble a container image, then pushes that image to a
    container registry.
  params:
  - name: IMAGE
    description: Reference of the image buildah will produce.
  - name: BUILDER_IMAGE
    description: The location of the buildah builder image.
    default: registry.redhat.io/rhel8/buildah@sha256:99cae35f40c7ec050fed3765b2b27e0b8bbea2aa2da7c16408e2ca13c60ff8ee
  - name: STORAGE_DRIVER
    description: Set buildah storage driver
    default: vfs
  - name: DOCKERFILE
    description: Path to the Dockerfile to build.
    default: ./Dockerfile
  - name: CONTEXT
    description: Path to the directory to use as context.
    default: .
  - name: TLSVERIFY
    description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
    default: "true"
  - name: FORMAT
    description: The format of the built container, oci or docker
    default: "oci"
  - name: BUILD_EXTRA_ARGS
    description: Extra parameters passed for the build command when building images.
    default: ""
  - description: Extra parameters passed for the push command when pushing images.
    name: PUSH_EXTRA_ARGS
    type: string
    default: ""
  - description: Skip pushing the built image
    name: SKIP_PUSH
    type: string
    default: "false"
  results:
  - description: Digest of the image just built.
    name: IMAGE_DIGEST
    type: string
  workspaces:
  - name: source
  steps:
  - name: build
    securityContext:
      runAsUser: 1000
    1 
    
    image: $(params.BUILDER_IMAGE)
    workingDir: $(workspaces.source.path)
    script: |
      echo "Running as USER ID `id`"
    2 
    
      buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
        $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
        --tls-verify=$(params.TLSVERIFY) --no-cache \
        -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT)
      [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
      buildah --storage-driver=$(params.STORAGE_DRIVER) push \
        $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
        --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \
        docker://$(params.IMAGE)
      cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
    volumeMounts:
    - name: varlibcontainers
      mountPath: /home/build/.local/share/containers
    3 
    
  volumes:
  - name: varlibcontainers
    emptyDir: {}
    Copy to Clipboard Toggle word wrap

    1
    Run the container explicitly as the user id 1000, which corresponds to the build user in the Buildah image.
    2
    Display the user id to confirm that the process is running as user id 1000.
    3
    You can change the path for the volume mount as necessary.

After defining the custom Buildah cluster task, you can create a TaskRun object that builds an image as a build user with user id 1000. In addition, you can integrate the TaskRun object as part of a PipelineRun object.

Procedure

  1. Create a TaskRun object with a custom ConfigMap and Dockerfile objects.

    Example: A task run that runs Buildah as user id 1000

    apiVersion: v1
data:
  Dockerfile: |
    ARG BASE_IMG=registry.access.redhat.com/ubi8/ubi
    FROM $BASE_IMG AS buildah-runner
    RUN dnf -y update && \
        dnf -y install git && \
        dnf clean all
    CMD git
kind: ConfigMap
metadata:
  name: dockerfile
    1 
    
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: buildah-as-user-1000
spec:
  serviceAccountName: pipelines-sa-userid-1000
    2 
    
  params:
  - name: IMAGE
    value: image-registry.openshift-image-registry.svc:5000/test/buildahuser
  taskRef:
    kind: Task
    name: buildah-as-user
  workspaces:
  - configMap:
      name: dockerfile
    3 
    
    name: source
    Copy to Clipboard Toggle word wrap

    1
    Use a config map because the focus is on the task run, without any prior task that fetches some sources with a Dockerfile.
    2
    The name of the service account that you created.
    3
    Mount a config map as the source workspace for the buildah-as-user task.

  2. (Optional) Create a pipeline and a corresponding pipeline run.

    Example: A pipeline and corresponding pipeline run

    apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: pipeline-buildah-as-user-1000
spec:
  params:
  - name: IMAGE
  - name: URL
  workspaces:
  - name: shared-workspace
  - name: sslcertdir
    optional: true
  tasks:
  - name: fetch-repository
    1 
    
    taskRef:
      name: git-clone
      kind: ClusterTask
    workspaces:
    - name: output
      workspace: shared-workspace
    params:
    - name: url
      value: $(params.URL)
    - name: subdirectory
      value: ""
    - name: deleteExisting
      value: "true"
  - name: buildah
    taskRef:
      name: buildah-as-user
    2 
    
    runAfter:
    - fetch-repository
    workspaces:
    - name: source
      workspace: shared-workspace
    - name: sslcertdir
      workspace: sslcertdir
    params:
    - name: IMAGE
      value: $(params.IMAGE)
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: pipelinerun-buildah-as-user-1000
spec:
  taskRunSpecs:
    - pipelineTaskName: buildah
      taskServiceAccountName: pipelines-sa-userid-1000
    3 
    
  params:
  - name: URL
    value: https://github.com/openshift/pipelines-vote-api
  - name: IMAGE
    value: image-registry.openshift-image-registry.svc:5000/test/buildahuser
  pipelineRef:
    name: pipeline-buildah-as-user-1000
  workspaces:
  - name: shared-workspace
    4 
    
    volumeClaimTemplate:
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 100Mi
    Copy to Clipboard Toggle word wrap

    1
    Use the git-clone cluster task to fetch the source containing a Dockerfile and build it using the modified Buildah task.
    2
    Refer to the modified Buildah task.
    3
    Use the service account that you created for the Buildah task.
    4
    Share data between the git-clone task and the modified Buildah task using a persistent volume claim (PVC) created automatically by the controller.
  3. Start the task run or the pipeline run.

5.4. Limitations of unprivileged builds
Copy link

The process for unprivileged builds works with most Dockerfile objects. However, there are some known limitations might cause a build to fail:

  • Using the --mount=type=cache option might fail due to lack of necessay permissions issues. For more information, see this article.
  • Using the --mount=type=secret option fails because mounting resources requires additionnal capabilities that are not provided by the custom SCC.

Additional resources

Legal Notice
Copy link

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top