OpenShift Pipelines: SRVKP-1352

Verify support for OpenShift sandboxed containers (kata)


    • Done
    • SECFLOWOTL-55 - Enhance outerloop security
    • 0% To Do, 0% In Progress, 100% Done

      Goal

      As a developer, I want my pipeline to run in lightweight virtual machines (kata containers) provided by OpenShift Sandbox so that I can run privileged tasks in a pipeline without running them as privileged pods and violating our security requirements.

      OpenShift Sandbox is installed on the cluster through an operator and enables the kata runtime as an alternative to cri-o; kata uses KVM to run the containers in lightweight virtual machines rather than directly in ordinary pods. A pod selects that runtime through its runtimeClassName:

      apiVersion: v1
      kind: Pod
      metadata:
        name: mypod
      spec:
        runtimeClassName: kata

      Problem

      Execution of image builds and other tasks in Tekton requires privileged pods, while many customers do not allow privileged pods on their clusters because of their security constraints.

      Acceptance Criteria

      • Admin can configure all pipelines on the cluster to use OpenShift Sandbox as the default runtime
      • Developer can configure a pipeline to use OpenShift Sandbox as the runtime
      • Developer can configure a task to use OpenShift Sandbox as the runtime
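
      Added example (not part of this issue) showing how each of the three acceptance criteria maps onto Tekton's existing pod-template settings. It assumes upstream Tekton's config-defaults ConfigMap in the tekton-pipelines namespace, the podTemplate field on PipelineRun/TaskRun, and that a RuntimeClass named kata already exists on the cluster (created by the sandboxed containers operator); the pipeline and task names are placeholders.

```yaml
# Added example: the three acceptance criteria expressed with Tekton's
# pod-template settings. Assumes upstream Tekton's config-defaults
# ConfigMap, the podTemplate field on PipelineRun/TaskRun, and an existing
# RuntimeClass named "kata". Pipeline/task names below are placeholders.
---
# 1. Admin: make kata the default runtime for every TaskRun pod on the cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-defaults
  namespace: tekton-pipelines
data:
  default-pod-template: |
    runtimeClassName: kata
---
# 2. Developer: opt one pipeline run into kata (overrides or sets the default).
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: build-in-sandbox
spec:
  pipelineRef:
    name: build-image        # placeholder Pipeline name
  podTemplate:
    runtimeClassName: kata
---
# 3. Developer: opt one task run into kata.
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: buildah-in-sandbox
spec:
  taskRef:
    name: buildah            # placeholder Task name
  podTemplate:
    runtimeClassName: kata
```

To confirm a run actually landed on the sandbox runtime rather than the default one, inspect the TaskRun's pod with `oc get pod <taskrun-pod> -o jsonpath='{.spec.runtimeClassName}'`, which should print `kata`; if the RuntimeClass does not exist the pod stays Pending with a scheduling error.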

      Estimation

      L

            Unassigned
            ssadeghi@redhat.com Siamak Sadeghianfar