Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 7. Using buildah-ns Tekton task

The buildah-ns Tekton task builds Open Container Initiative (OCI) images without requiring a container runtime daemon, such as the Docker daemon. The task uses buildah and applies user namespace isolation to provide enhanced security.

After a successful build, the task produces the following results:

  • The fully qualified image name
  • The SHA256 digest of the image

The buildah-ns task is functionally identical to the standard buildah Tekton task, but applies additional security mechanisms to improve container isolation at the kernel level.

7.1. Differences between buildah and buildah-ns tasks
링크 복사

The buildah-ns task extends the standard buildah task with the following security-focused changes:

  • Task name: The task is named buildah-ns instead of buildah.

  • Annotations: The task includes security annotations that enable automatic user namespace mapping: 

    io.kubernetes.cri-o.userns-mode: "auto"
io.openshift.builder: "true"
    Copy to Clipboard Toggle word wrap
  • Security model: User namespace separation improves privilege isolation and limits the impact of potential container escape vulnerabilities.

7.2. Security model of the buildah-ns task
링크 복사

The buildah-ns task applies user namespace isolation to provide privilege separation between containers and the host system.

7.2.1. UID mapping behavior
링크 복사

When the task runs with namespace annotations, user IDs (UIDs) are mapped as follows:

  • Inside the container: Processes run as UID 0, which appears as the root user.
  • Outside the container: The same processes run as a non-zero UID on the host system.

This mapping allows processes inside the container to behave as if they have root privileges while restricting their privileges on the host system.

7.2.2. Security benefits
링크 복사

User namespace isolation provides the following security advantages:

  • Kernel-level isolation: Adds an extra isolation boundary between containers.
  • Reduced privilege exposure: Limits the impact of compromised workloads by running them as non-root users on the host.
  • Container escape protection: Helps mitigate potential vulnerabilities that allow escaping from the container runtime environment.

7.3. Workspaces, parameters, and results for the buildah-ns task
링크 복사

The buildah-ns task requires a workspace, accepts several parameters for image build customization, and provides results that contain information about the built image.

7.3.1. Workspace
링크 복사

Expand
NameRequiredDescription

source

Yes

The build context for the container image. Typically contains application source code and a Containerfile or Dockerfile.

7.3.2. Parameters
링크 복사

Expand
NameTypeDefaultDescription

IMAGE

string

Required

Fully qualified name of the image to build, including tag.

CONTAINERFILE_PATH

string

Containerfile

Path to the container build file relative to the source workspace.

TLS_VERIFY

string

true

Whether to verify TLS when pushing images. Setting this value to true is recommended.

VERBOSE

string

false

Enables verbose build output.

SUBDIRECTORY

string

.

Subdirectory in the workspace to use as the build context.

STORAGE_DRIVER

string

overlay

Storage driver for Buildah, aligned with the cluster node configuration.

BUILD_EXTRA_ARGS

string

Empty

Additional flags for the Buildah build command.

PUSH_EXTRA_ARGS

string

Empty

Additional flags for the Buildah push command.

SKIP_PUSH

string

false

If set to true, the image is not pushed to the registry.

7.3.3. Results
링크 복사

Expand
NameDescription

IMAGE_URL

Fully qualified name of the built image.

IMAGE_DIGEST

SHA256 digest of the built image.

7.4. Running the buildah-ns task
링크 복사

You can run the buildah-ns task as part of a PipelineRun resource. 

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata: {}
spec:
  pipelineRef:
    name: task-buildah-ns
  params:
    - name: IMAGE
      value: your-image-name
1 

    - name: TLS_VERIFY
      value: true
    - name: VERBOSE
      value: false
  workspaces:
    - name: source
      persistentVolumeClaim:
        claimName: your-pvc-name
2
Copy to Clipboard Toggle word wrap
1
Replace your-image-name with the full name of the container image that you want to build.
2
Replace your-pvc-name with the name of the PersistentVolumeClaim (PVC) that stores the application source code.
Note

If the target container registry requires authentication, configure a Kubernetes secret for registry access and link it to the service account that runs the TaskRun or PipelineRun resources.

Additional resources

Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2026 Red Hat맨 위로 이동