- Epic
- Resolution: Won't Do
- Minor
- None
- None
- Dev Preview - User Namespace Builds
- False
- False
- Done
- 0% To Do, 0% In Progress, 100% Done
Epic Goal
- Run OpenShift builds that do not execute as the "root" user on the host node.
Why is this important?
- OpenShift builds require an elevated set of capabilities to build a container image
- Builds currently run as root to maintain adequate performance
- Container workloads should run as non-root from the host's perspective. Containers running as root are a known security risk.
- Builds currently run as root and require a privileged container. See BUILD-225 for removing the privileged container requirement.
Scenarios
- Run BuildConfigs in a multi-tenant environment
- Run BuildConfigs in a heightened security environment/deployment
Acceptance Criteria
- Developers can opt into running builds in a cri-o user namespace by providing an environment variable with a specific value.
- When the correct environment variable is provided, builds run in a cri-o user namespace, and the build pod does not require the "privileged: true" security context.
- User namespace builds can pass basic test scenarios for the Docker and Source strategy build.
- Steps to run unprivileged builds are documented.
Dependencies (internal and external)
- Buildah supports running inside a non-privileged container
- CRI-O allows workloads to opt into running containers in user namespaces.
Previous Work (Optional):
BUILD-225 - remove privileged requirement for builds.
Open questions:
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- blocks
  - OCPBUILD-50 Tech Preview - User Namespace Builds (Closed)
  - RHDEVDOCS-4783 Publish "Unprivileged OpenShift Builds (Developer Preview)" article (Closed)
- is depended on by
  - OCPBUILD-50 Tech Preview - User Namespace Builds (Closed)
- is documented by
  - RHDEVDOCS-3923 Dev Preview - Unprivileged OCP Builds (Closed)
- is related to
  - BUILD-216 Rootless Buildah Strategy Builds (Closed)
- links to
  1. QE Tracker | Closed | Jitendar Singh
  2. Docs Tracker | Closed | Rolfe Dlugy-Hegwer
  3. PX Tracker | Closed | Rick Wagner
  4. TE Tracker | Closed | Rick Wagner