Add ReadOnlyRootFilesystem securityContext to build steps
Set the root filesystem to read-only for all build and buildstrategy
containers as a security best practice.
To support this, steps that require write access now explicitly mount
`emptyDir` volumes for paths like `/tmp` and `/home`.
A new `AppendWriteableVolumes` function centralizes the setup for volume
mounting, using idempotent helpers (`ensureVolume`, `ensureVolumeMount`)
to prevent duplicate entries.
The writable home directory for the steps can be configured using
`WRITABLE_HOME_DIR`. The default value is `/writable-home`.
Signed-off-by: Hasan Awad <[email protected]>
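The volume wiring the commit message describes (`AppendWriteableVolumes` built on idempotent `ensureVolume` / `ensureVolumeMount` helpers, plus `readOnlyRootFilesystem: true` on every container), as an added example that is not Shipwright's code. It assumes small stand-in structs instead of the `k8s.io/api/core/v1` types, derives per-container volume names from the container name (assumed to already be a valid DNS label), lets a mount the strategy already defines at `/tmp` win over the injected one, and points `HOME` at the writable path; none of those details are confirmed by the page. The `VolumeNamesUnique` and `MountedVolume` helpers are hypothetical checks for the result.

```go
package main

import "fmt"

// Stand-ins for the corev1 types; only the fields needed here are modelled (assumption).
type Volume struct {
	Name     string
	EmptyDir bool // the only volume source modelled here
}

type VolumeMount struct {
	Name      string
	MountPath string
}

type Container struct {
	Name                   string
	Env                    map[string]string
	VolumeMounts           []VolumeMount
	ReadOnlyRootFilesystem *bool
}

type PodSpec struct {
	Volumes    []Volume
	Containers []Container
}

// ensureVolume adds an emptyDir volume named name unless the pod already has one.
// A duplicate volume name makes the API server reject the whole pod, so this is idempotent.
func ensureVolume(spec *PodSpec, name string) {
	for _, v := range spec.Volumes {
		if v.Name == name {
			return
		}
	}
	spec.Volumes = append(spec.Volumes, Volume{Name: name, EmptyDir: true})
}

// ensureVolumeMount mounts volume name at path and reports whether it added anything.
// It is a no-op when the container already mounts that volume or already has something
// at that path, so strategy-defined mounts are never shadowed.
func ensureVolumeMount(c *Container, name, path string) bool {
	for _, m := range c.VolumeMounts {
		if m.Name == name || m.MountPath == path {
			return false
		}
	}
	c.VolumeMounts = append(c.VolumeMounts, VolumeMount{Name: name, MountPath: path})
	return true
}

// AppendWriteableVolumes (hypothetical shape of the function named in the commit message)
// makes every container's root filesystem read-only and gives each container its own
// emptyDir-backed /tmp and writable home, named after the container so homes are not shared.
// Setting HOME to writableHome is an assumption; the page does not say the controller does it.
func AppendWriteableVolumes(spec *PodSpec, writableHome string) {
	readOnly := true
	for i := range spec.Containers {
		c := &spec.Containers[i]
		c.ReadOnlyRootFilesystem = &readOnly

		tmpVol, homeVol := "tmp-"+c.Name, "home-"+c.Name
		if ensureVolumeMount(c, tmpVol, "/tmp") {
			ensureVolume(spec, tmpVol) // only declare the volume if we actually mount it
		}
		if ensureVolumeMount(c, homeVol, writableHome) {
			ensureVolume(spec, homeVol)
		}
		if c.Env == nil {
			c.Env = map[string]string{}
		}
		c.Env["HOME"] = writableHome
	}
}

// VolumeNamesUnique is the check for the duplicate-entry problem: true when no volume
// name appears twice in the pod spec.
func VolumeNamesUnique(spec *PodSpec) bool {
	seen := map[string]bool{}
	for _, v := range spec.Volumes {
		if seen[v.Name] {
			return false
		}
		seen[v.Name] = true
	}
	return true
}

// MountedVolume returns the name of the volume mounted at path in c, or "" if none.
func MountedVolume(c Container, path string) string {
	for _, m := range c.VolumeMounts {
		if m.MountPath == path {
			return m.Name
		}
	}
	return ""
}

func main() {
	// Constructed sample: one plain step and one whose strategy already mounts /tmp.
	spec := &PodSpec{Containers: []Container{
		{Name: "step-source-default"},
		{Name: "step-build-and-push", VolumeMounts: []VolumeMount{{Name: "cache", MountPath: "/tmp"}}},
	}}
	AppendWriteableVolumes(spec, "/writable-home")
	AppendWriteableVolumes(spec, "/writable-home") // second call must not add duplicates
	fmt.Printf("volumes=%d unique=%v\n", len(spec.Volumes), VolumeNamesUnique(spec))
	for _, c := range spec.Containers {
		fmt.Printf("%s: readOnlyRootFilesystem=%v /tmp<-%s HOME=%s<-%s\n", c.Name,
			*c.ReadOnlyRootFilesystem, MountedVolume(c, "/tmp"), c.Env["HOME"], MountedVolume(c, c.Env["HOME"]))
	}
}
```

Calling `AppendWriteableVolumes` twice is the idempotence check the commit message cares about: the second pass finds every mount and volume already present and changes nothing, and the pre-existing `cache` mount at `/tmp` is left in place rather than shadowed.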
docs/configuration.md (2 additions & 1 deletion)
@@ -22,7 +22,7 @@ The following environment variables are available:
22
22
|`GIT_CONTAINER_IMAGE`| Custom container image for Git clone steps. If `GIT_CONTAINER_TEMPLATE` is also specifying an image, then the value for `GIT_CONTAINER_IMAGE` has precedence. |
23
23
|`BUNDLE_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that is used for steps that pulls a bundle image to obtain the packaged source code. Default is `{"image": "ghcr.io/shipwright-io/build/bundle:latest", "command": ["/ko-app/bundle"], "env": [{"name": "HOME","value": "/shared-home"},{"name": "BUNDLE_SHOW_LISTING","value": "false"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}}`[^1]. The following properties are ignored as they are set by the controller: `args`, `name`. |
24
24
|`BUNDLE_CONTAINER_IMAGE`| Custom container image that pulls a bundle image to obtain the packaged source code. If `BUNDLE_IMAGE_CONTAINER_TEMPLATE` is also specifying an image, then the value for `BUNDLE_IMAGE_CONTAINER_IMAGE` has precedence. |
25
-
|`IMAGE_PROCESSING_CONTAINER_TEMPLATE`| JSON representation of a [Container](https://pkg.go.dev/k8s.io/api/core/v1#Container) template that is used for steps that processes the image. Default is `{"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsgGroup": 0}}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
25
+
|`IMAGE_PROCESSING_CONTAINER_TEMPLATE`| JSON representation of a [Container](https://pkg.go.dev/k8s.io/api/core/v1#Container) template that is used for steps that processes the image. Default is `{"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}, {"name": "TRIVY_CACHE_DIR", "value": "/trivy-cache-data/trivy-cache"}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsGroup": 0}}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
26
26
|`IMAGE_PROCESSING_CONTAINER_IMAGE`| Custom container image that is used for steps that processes the image. If `IMAGE_PROCESSING_CONTAINER_TEMPLATE` is also specifying an image, then the value for `IMAGE_PROCESSING_CONTAINER_IMAGE` has precedence. |
27
27
|`WAITER_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that waits for local source code to be uploaded to it. Default is `{"image":"ghcr.io/shipwright-io/build/waiter:latest", "command": ["/ko-app/waiter"], "args": ["start"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
28
28
|`WAITER_CONTAINER_IMAGE`| Custom container image that waits for local source code to be uploaded to it. If `WAITER_IMAGE_CONTAINER_TEMPLATE` is also specifying an image, then the value for `WAITER_IMAGE_CONTAINER_IMAGE` has precedence. |
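Review bot: the added `IMAGE_PROCESSING_CONTAINER_TEMPLATE` row (the `+` line, file line 25) introduces `TRIVY_CACHE_DIR=/trivy-cache-data/trivy-cache` without saying what makes that path writable; the commit message only lists `/tmp` and `/home`, and with `readOnlyRootFilesystem: true` the scan step cannot create its cache there unless a volume backs it. Please state in the row which volume is mounted at `/trivy-cache-data` (or that the controller injects one), and whether the value may be overridden in a custom template. Two smaller points: the same line silently fixes `"runAsgGroup": 0` to `"runAsGroup": 0`, which changes the effective default (a misspelled key is dropped when the JSON is parsed) and deserves a sentence in the commit message; and the unchanged context rows still refer to `BUNDLE_IMAGE_CONTAINER_TEMPLATE` / `BUNDLE_IMAGE_CONTAINER_IMAGE` and `WAITER_IMAGE_CONTAINER_TEMPLATE` / `WAITER_IMAGE_CONTAINER_IMAGE`, which do not match the documented variable names `BUNDLE_CONTAINER_TEMPLATE` and `WAITER_CONTAINER_TEMPLATE`; worth fixing while this table is being touched.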
@@ -37,6 +37,7 @@ The following environment variables are available:
37
37
|`KUBE_API_BURST`| Burst to use for the Kubernetes API client. See [Config.Burst]. A value of 0 or lower will use the default from client-go, which currently is 10. Default is 0. |
38
38
|`KUBE_API_QPS`| QPS to use for the Kubernetes API client. See [Config.QPS]. A value of 0 or lower will use the default from client-go, which currently is 5. Default is 0. |
39
39
|`VULNERABILITY_COUNT_LIMIT`| holds vulnerability count limit if vulnerability scan is enabled for the output image. If it is defined as 10, then it will output only 10 vulnerabilities sorted by severity in the buildrun status.Output. Default is 50. |
40
+
|`WRITABLE_HOME_DIR`| Specifies the mount path for writable home directories in build containers. Each container gets its own isolated emptyDir volume mounted at this path, enabling write operations when `readOnlyRootFilesystem: true` is used. Default is `/writable-home`. |
40
41
41
42
[^1]: The `runAsUser` and `runAsGroup` are dynamically overwritten depending on the build strategy that is used. See [Security Contexts](buildstrategies.md#security-contexts) for more information.
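Review bot: the new `WRITABLE_HOME_DIR` row (the `+` line, file line 40) does not say how it relates to the `HOME` environment variable, which every default container template above still sets to `/shared-home`. If the controller rewrites `HOME` to this path, document it here; if it does not, a step whose `HOME` remains `/shared-home` gets no benefit from the volume mounted at `/writable-home`, and the row's claim that it enables write operations under `readOnlyRootFilesystem: true` is misleading. Suggest also stating that the value must be an absolute path that does not overlap `/tmp` or a mount the build strategy defines itself, and adding the same cross-reference to [Security Contexts](buildstrategies.md#security-contexts) that footnote 1 uses, since the read-only root filesystem is set there.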