Issue type: Epic
Resolution: Done
Priority: Normal
Summary: Verify support for OpenShift sandboxed containers (kata)
Status: Done
Parent: SECFLOWOTL-55 - Enhance outerloop security
Progress: 0% To Do, 0% In Progress, 100% Done
Goal
As a developer, I want my pipeline to run in lightweight virtual machines (Kata Containers) provided by OpenShift sandboxed containers, so that I can run privileged tasks in a pipeline without running them as privileged pods on the node, which would violate our security requirements.
OpenShift sandboxed containers is installed on the cluster through an operator, which registers a RuntimeClass named kata. CRI-O remains the container engine; for pods that select this RuntimeClass it invokes the Kata runtime in place of runc, and Kata boots a lightweight KVM virtual machine per pod and runs the pod's containers inside that guest. The pod is still a pod from the API's point of view, but its containers are separated from the node kernel by a hardware virtualization boundary rather than only by namespaces and cgroups. A pod opts in with a single field:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  runtimeClassName: kata
Problem
Image builds and some other Tekton tasks currently require privileged pods, but many customers do not allow privileged pods on their clusters: a privileged container shares the node kernel and is namespaced rather than isolated, so their security policies forbid it. Selecting the kata RuntimeClass does not change how admission evaluates the pod (a task that still requests privileged: true must still be permitted by an SCC); what changes is the blast radius, because the privileges are granted inside a disposable guest kernel instead of on the node.
Acceptance Criteria
- Admin can configure all pipelines on the cluster to use OpenShift sandboxed containers (the kata RuntimeClass) as the default runtime
- Developer can configure a pipeline run to use OpenShift sandboxed containers as the runtime for all of its tasks
- Developer can configure an individual task to use OpenShift sandboxed containers as the runtime, leaving the other tasks on the default
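The three configuration levels in the acceptance criteria, expressed as Tekton resources. This is an added example written for this page, not code from the issue or from the Tekton, OpenShift Pipelines or OpenShift sandboxed containers projects. It assumes the operator has already created the kata RuntimeClass (which happens once a KataConfig is applied on a cluster whose worker nodes have KVM), and it uses placeholder names: a Pipeline called build-image with a pipeline task called build, and a Task called buildah. Every podTemplate field shown here is a standard Tekton field; the default-pod-template key on TektonConfig is the OpenShift Pipelines operator's name for the same setting and should be checked against your operator version.

```yaml
# 1. Cluster-wide default (admin): every TaskRun pod that does not carry its
#    own podTemplate inherits this one. Upstream Tekton reads it from the
#    config-defaults ConfigMap. On OpenShift Pipelines the operator owns that
#    ConfigMap and overwrites manual edits, so set the same key on the
#    TektonConfig resource instead (second document; key name assumed to
#    match the operator's, verify for your version).
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-defaults
  namespace: tekton-pipelines
data:
  default-pod-template: |
    runtimeClassName: kata
---
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
  pipeline:
    default-pod-template: |
      runtimeClassName: kata
---
# 2. Per pipeline run (developer): podTemplate applies to every TaskRun of
#    this run and overrides the cluster default. "build-image" is a placeholder.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: build-image-run
spec:
  pipelineRef:
    name: build-image
  podTemplate:
    runtimeClassName: kata
---
# 3. Per task (developer): only the pipeline task that needs the sandbox
#    (placeholder name "build") is scheduled under kata; the other tasks keep
#    the run-level or cluster-level setting.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: build-image-run-sandboxed-build
spec:
  pipelineRef:
    name: build-image
  taskRunSpecs:
    - pipelineTaskName: build
      podTemplate:
        runtimeClassName: kata
---
# A standalone TaskRun uses the same podTemplate field as a PipelineRun.
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: buildah-run
spec:
  taskRef:
    name: buildah
  podTemplate:
    runtimeClassName: kata
```

To confirm that a run actually landed in a sandbox rather than on the default runtime, inspect the pod Tekton created for the TaskRun: kubectl get pod -l tekton.dev/taskRun=<taskrun-name> -o jsonpath='{.spec.runtimeClassName}' should print kata, and a step that runs uname -r will report the guest VM's kernel, which need not match the node's. Two caveats worth knowing before rolling this out as the cluster default: the kata RuntimeClass carries a node selector that restricts these pods to the worker nodes where the runtime was installed, so a cluster-wide default silently changes where every TaskRun can be scheduled; and a pod admitted under kata still has to pass SCC and Pod Security admission exactly as before, so a task that declares privileged: true needs the same SCC grant it needed on runc.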
Estimation
L