Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 12. Using buildah-ns Tekton task
The buildah-ns Tekton task builds Open Container Initiative (OCI) images without requiring a container runtime daemon, such as the Docker daemon. The task uses buildah and applies user namespace isolation to provide enhanced security.
After a successful build, the task produces the following results:
- The fully qualified image name
- The SHA256 digest of the image
The buildah-ns task is functionally the same as the standard buildah Tekton task, but applies additional security mechanisms to improve container isolation at the kernel level.
12.1. Differences between buildah and buildah-ns tasks
The buildah-ns task extends the standard buildah task with the following security-focused changes:
-
Task name: The task name is
buildah-nsinstead ofbuildah. Annotations: The task includes security annotations that enable automatic user namespace mapping:
io.kubernetes.cri-o.userns-mode: "auto" io.openshift.builder: "true"- Security model: User namespace separation improves privilege isolation. This limits the impact of container escape vulnerabilities.
12.2. Security model of the buildah-ns task
The buildah-ns task uses user namespace isolation to separate privileges between containers and the host system.
When the task runs with namespace annotations, the system maps user IDs (UIDs) as follows:
- Inside the container: Processes run as UID 0, which is displayed as the root user.
- Outside the container: The same processes run as a nonzero UID on the host system.
This mapping lets container processes behave as root while restricting their host-level privileges.
User namespace isolation provides the following security advantages:
- kernel-level isolation: Adds an extra isolation boundary between containers.
- Reduced privilege exposure: Limits the impact of compromised workloads by running them as non-root users on the host.
- Container escape protection: Helps mitigate potential vulnerabilities that allow escaping from the container runtime environment.
12.3. Workspaces, parameters, and results for the buildah-ns task
The buildah-ns task requires a workspace and accepts several parameters to customize image builds. The task results contain information about the built image.
12.3.1. Workspace
| Name | Required | Description |
|---|---|---|
| source | Yes |
The build context for the container image. Typically has application source code and a |
12.3.2. Parameters
| Name | Type | Default | Description |
|---|---|---|---|
|
| string | Required | Fully qualified name of the image to build, including tag. |
| CONTAINERFILE_PATH | string | Containerfile | Path to the container build file relative to the source workspace. |
| TLS_VERIFY | string | true |
Verify TLS when pushing images. Red Hat recommends |
| VERBOSE | string | false | Enables verbose build output. |
| SUBDIRECTORY | string | . | Subdirectory in the workspace to use as the build context. |
| STORAGE_DRIVER | string | overlay | Storage driver for Buildah. Align with the cluster node configuration. |
| BUILD_EXTRA_ARGS | string | Empty |
Additional flags for the |
| PUSH_EXTRA_ARGS | string | Empty |
Additional flags for the |
| SKIP_PUSH | string | false |
Set to |
12.3.3. Results
| Name | Description |
|---|---|
| IMAGE_URL | Fully qualified name of the built image. |
| IMAGE_DIGEST | SHA256 digest of the built image. |
12.4. Running the buildah-ns task
You can run the buildah-ns task as part of a PipelineRun resource.
Procedure
Create a YAML file that defines
PipelineRunobject:Example
pipeline-run.yamlfileapiVersion: tekton.dev/v1 kind: PipelineRun metadata: {} spec: pipelineRef: name: task-buildah-ns params: - name: IMAGE value: your-image-name - name: TLS_VERIFY value: true - name: VERBOSE value: false workspaces: - name: source persistentVolumeClaim: claimName: your-pvc-namevalue-
Replace
your-image-namewith the full name of the container image that you want to build. claimNameReplace
your-pvc-namewith the name of thePersistentVolumeClaim(PVC) that stores the application source code.NoteIf the target container registry requires authentication, configure a Kubernetes secret for registry access and link it to the service account that runs the
TaskRunorPipelineRunresources.
Create the
PipelineRunresource by applying the YAML file:$ oc apply -f pipeline-run.yaml
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}