Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 7. Using buildah-ns Tekton task

The buildah-ns Tekton task builds Open Container Initiative (OCI) images without requiring a container runtime daemon, such as the Docker daemon. The task uses buildah and applies user namespace isolation to provide enhanced security.

After a successful build, the task produces the following results:

  • The fully qualified image name
  • The SHA256 digest of the image

The buildah-ns task is functionally identical to the standard buildah Tekton task, but applies additional security mechanisms to improve container isolation at the kernel level.

7.1. Differences between buildah and buildah-ns tasks
Copia collegamento

The buildah-ns task extends the standard buildah task with the following security-focused changes:

  • Task name: The task is named buildah-ns instead of buildah.

  • Annotations: The task includes security annotations that enable automatic user namespace mapping: 

    io.kubernetes.cri-o.userns-mode: "auto"
io.openshift.builder: "true"
    Copy to Clipboard Toggle word wrap
  • Security model: User namespace separation improves privilege isolation and limits the impact of potential container escape vulnerabilities.

7.2. Security model of the buildah-ns task
Copia collegamento

The buildah-ns task applies user namespace isolation to provide privilege separation between containers and the host system.

7.2.1. UID mapping behavior
Copia collegamento

When the task runs with namespace annotations, user IDs (UIDs) are mapped as follows:

  • Inside the container: Processes run as UID 0, which appears as the root user.
  • Outside the container: The same processes run as a non-zero UID on the host system.

This mapping allows processes inside the container to behave as if they have root privileges while restricting their privileges on the host system.

7.2.2. Security benefits
Copia collegamento

User namespace isolation provides the following security advantages:

  • Kernel-level isolation: Adds an extra isolation boundary between containers.
  • Reduced privilege exposure: Limits the impact of compromised workloads by running them as non-root users on the host.
  • Container escape protection: Helps mitigate potential vulnerabilities that allow escaping from the container runtime environment.

7.3. Workspaces, parameters, and results for the buildah-ns task
Copia collegamento

The buildah-ns task requires a workspace, accepts several parameters for image build customization, and provides results that contain information about the built image.

7.3.1. Workspace
Copia collegamento

Expand
NameRequiredDescription

source

Yes

The build context for the container image. Typically contains application source code and a Containerfile or Dockerfile.

7.3.2. Parameters
Copia collegamento

Expand
NameTypeDefaultDescription

IMAGE

string

Required

Fully qualified name of the image to build, including tag.

CONTAINERFILE_PATH

string

Containerfile

Path to the container build file relative to the source workspace.

TLS_VERIFY

string

true

Whether to verify TLS when pushing images. Setting this value to true is recommended.

VERBOSE

string

false

Enables verbose build output.

SUBDIRECTORY

string

.

Subdirectory in the workspace to use as the build context.

STORAGE_DRIVER

string

overlay

Storage driver for Buildah, aligned with the cluster node configuration.

BUILD_EXTRA_ARGS

string

Empty

Additional flags for the Buildah build command.

PUSH_EXTRA_ARGS

string

Empty

Additional flags for the Buildah push command.

SKIP_PUSH

string

false

If set to true, the image is not pushed to the registry.

7.3.3. Results
Copia collegamento

Expand
NameDescription

IMAGE_URL

Fully qualified name of the built image.

IMAGE_DIGEST

SHA256 digest of the built image.

7.4. Running the buildah-ns task
Copia collegamento

You can run the buildah-ns task as part of a PipelineRun resource. 

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata: {}
spec:
  pipelineRef:
    name: task-buildah-ns
  params:
    - name: IMAGE
      value: your-image-name
1 

    - name: TLS_VERIFY
      value: true
    - name: VERBOSE
      value: false
  workspaces:
    - name: source
      persistentVolumeClaim:
        claimName: your-pvc-name
2
Copy to Clipboard Toggle word wrap
1
Replace your-image-name with the full name of the container image that you want to build.
2
Replace your-pvc-name with the name of the PersistentVolumeClaim (PVC) that stores the application source code.
Note

If the target container registry requires authentication, configure a Kubernetes secret for registry access and link it to the service account that runs the TaskRun or PipelineRun resources.

Additional resources

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat