Details
-
Epic
-
Resolution: Unresolved
-
Major
-
None
-
Dev Preview - User Namespace Builds
-
False
-
None
-
False
-
To Do
-
OCPPLAN-4518 - Builds with reduced privileges
-
10
-
10%
-
Description
OCP/Telco Definition of Done
Epic Template descriptions and documentation.
<--- Cut-n-Paste the entire contents of this description into your new Epic --->
Epic Goal
- Run OpenShift builds that do not execute as the "root" user on the host node.
Why is this important?
- OpenShift builds require an elevated set of capabilities to build a container image
- Builds currently run as root to maintain adequate performance
- Container workloads should run as non-root from the host's perspective. Containers running as root are a known security risk.
- Builds currently run as root and require a privileged container. See BUILD-225 for removing the privileged container requirement.
Scenarios
- Run BuildConfigs in a multi-tenant environment
- Run BuildConfigs in a heightened security environment/deployment
Acceptance Criteria
- Developers can opt into running builds in a cri-o user namespace by providing an environment variable with a specific value.
- When the correct environment variable is provided, builds run in a cri-o user namespace, and the build pod does not require the "privileged: true" security context.
- User namespace builds can pass basic test scenarios for the Docker and Source strategy build.
- Steps to run unprivileged builds are documented.
Dependencies (internal and external)
- Buildah supports running inside a non-privileged container
- CRI-O allows workloads to opt into running containers in user namespaces.
Previous Work (Optional):
- BUILD-225 - remove privileged requirement for builds.
Open questions::
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
Attachments
Issue Links
- blocks
-
BUILD-141 Tech Preview - User Namespace Builds
-
- Closed
-
-
RHDEVDOCS-4783 Publish "Unprivileged OpenShift Builds (Developer Preview)" article
-
- Closed
-
- is depended on by
-
BUILD-141 Tech Preview - User Namespace Builds
-
- Closed
-
- is documented by
-
RHDEVDOCS-3923 Dev Preview - Unprivileged OCP Builds
-
- Reopened
-
- is related to
-
BUILD-216 Rootless Buildah Strategy Builds
-
- To Do
-
- links to
(1 links to)
1.
|
QE Tracker |
|
Closed | |
Jitendar Singh |
2.
|
Docs Tracker |
|
Closed | |
Rolfe Dlugy-Hegwer |
3.
|
PX Tracker |
|
Closed | |
Rick Wagner |
4.
|
TE Tracker |
|
Closed | |
Rick Wagner |