Chapter 3. Configuring the security context for pods
The default service account for pods that OpenShift Pipelines starts is pipeline
. The security context constraint (SCC) associated with the pipeline
service account is pipelines-scc
. The pipelines-scc
SCC is based the anyuid
SCC, with minor differences as defined in the following YAML specification:
Example pipelines-scc.yaml
snippet
In addition, the Buildah
cluster task, shipped as part of OpenShift Pipelines, uses vfs
as the default storage driver.
You can configure the security context for pods that OpenShift Pipelines creates for pipeline runs and task runs. You can make the following changes:
- Change the default and maximum SCC for all pods
- Change the default SCC for pods created for pipeline runs and task runs in a particular namespace
- Configure a particular pipeline run or task run to use a custom SCC and service account
The simplest way to run buildah
that ensures all images can build is to run it as root in a pod with the privileged
SCC. For instructions about running buildah
with more restrictive security settings, see Building of container images using Buildah as a non-root user.
3.1. Configuring the default and maximum SCC for pods that OpenShift Pipelines creates Copy linkLink copied to clipboard!
You can configure the default security context constraint (SCC) for all pods that OpenShift Pipelines creates for task runs and pipeline runs. You can also configure the maximum SCC, which is the least restrictive SCC that can be configured for these pods in any namespace.
Procedure
Edit the
TektonConfig
custom resource (CR) by entering the following command:oc edit TektonConfig config
$ oc edit TektonConfig config
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Set the default and maximum SCC in the spec, as in the following example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
spec.platforms.openshift.scc.default
specifies the default SCC that OpenShift Pipelines attaches to the service account (SA) used for workloads, which is, by default, thepipeline
SA. This SCC is used for all pipeline run and task run pods.- 2
spec.platforms.openshift.scc.maxAllowed
specifies the least restrictive SCC that you can configure for pipeline run and task run pods in any namespace. This setting does not apply when you configure a custom SA and SCC in a particular pipeline run or task run.
3.2. Configuring the SCC for pods in a namespace Copy linkLink copied to clipboard!
You can configure the security context constraint (SCC) for all pods that OpenShift Pipelines creates for pipeline runs and task runs that you create in a particular namespace. This SCC must not be less restrictive than the maximum SCC that you configured using the TektonConfig
CR, in the spec.platforms.openshift.scc.maxAllowed
spec.
Procedure
Set the
operator.tekton.dev/scc
annotation for the namespace to the name of the SCC.Example namespace annotation for configuring the SCC for OpenShift Pipelines pods
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3. Running pipeline run and task run by using a custom SCC and a custom service account Copy linkLink copied to clipboard!
When using the pipelines-scc
security context constraint (SCC) associated with the default pipelines
service account, the pipeline run and task run pods might face timeouts. This happens because in the default pipelines-scc
SCC, the fsGroup.type
parameter is set to MustRunAs
.
For more information about pod timeouts, see BZ#1995779.
To avoid pod timeouts, you can create a custom SCC with the fsGroup.type
parameter set to RunAsAny
, and associate it with a custom service account.
As a best practice, use a custom SCC and a custom service account for pipeline runs and task runs. This approach allows greater flexibility and does not break the runs when the defaults are modified during an upgrade.
Procedure
Define a custom SCC with the
fsGroup.type
parameter set toRunAsAny
:Example: Custom SCC
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create the custom SCC:
Example: Create the
my-scc
SCCoc create -f my-scc.yaml
$ oc create -f my-scc.yaml
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a custom service account:
Example: Create a
fsgroup-runasany
service accountoc create serviceaccount fsgroup-runasany
$ oc create serviceaccount fsgroup-runasany
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Associate the custom SCC with the custom service account:
Example: Associate the
my-scc
SCC with thefsgroup-runasany
service accountoc adm policy add-scc-to-user my-scc -z fsgroup-runasany
$ oc adm policy add-scc-to-user my-scc -z fsgroup-runasany
Copy to Clipboard Copied! Toggle word wrap Toggle overflow If you want to use the custom service account for privileged tasks, you can associate the
privileged
SCC with the custom service account by running the following command:Example: Associate the
privileged
SCC with thefsgroup-runasany
service accountoc adm policy add-scc-to-user privileged -z fsgroup-runasany
$ oc adm policy add-scc-to-user privileged -z fsgroup-runasany
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Use the custom service account in the pipeline run and task run:
Example: Pipeline run YAML with
fsgroup-runasany
custom service accountCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example: Task run YAML with
fsgroup-runasany
custom service accountCopy to Clipboard Copied! Toggle word wrap Toggle overflow