OpenShift Pipelines / SRVKP-2385

ClusterTasks are run as root


    • Pipelines Sprint 222, Pipelines Sprint 223

      Even though the ClusterTasks use `pipelines-scc` (which is very close to anyuid) via the pipeline SA, there is no guarantee that the TaskRuns will not be run as root unless a USER is defined in the relevant Dockerfiles.

      This is explained in detail by cboudjna@redhat.com at https://blog.chmouel.com/2022/01/25/user-namespaces-with-buildah-and-openshift-pipelines/ and https://blog.chmouel.com/2022/03/07/running-tasks-as-non-root-on-openshift-pipelines/

      One side effect of this SCC is that any image running on an OpenShift cluster will run as root unless the container image has a "USER $user" in its Dockerfile. So even standard tasks like the "git-clone" task end up checking out code as root when they really don't need to.

      This needs to be fixed in 2 ways:

            concaf Shubham Minglani
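
A check for the condition described in this issue, added here as an example (it is not code from the issue or from the OpenShift Pipelines project): it reports which user a Dockerfile's final stage ends with, so task images that would start as root under an SCC that does not force a UID can be found. The function names and the sample Dockerfiles are constructed for illustration; a missing USER is reported as "inherited" because the outcome then depends on the base image.

```python
import re

ROOT_NAMES = {"0", "root"}

def final_stage_user(dockerfile):
    """Return the USER in effect at the end of the final stage, or None if never set."""
    text = re.sub(r"\\[ \t]*\r?\n", " ", dockerfile)  # join line continuations
    stages, alias, user = {}, None, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform
            # A stage built FROM an earlier stage starts with that stage's user;
            # a USER set in an unrelated earlier stage does not carry over.
            user = stages.get(args[0].lower()) if args else None
            alias = args[2].lower() if len(args) == 3 and args[1].upper() == "AS" else None
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]
        if alias:
            stages[alias] = user
    return user

def classify(dockerfile):
    user = final_stage_user(dockerfile)
    if user is None:
        return "inherited"  # no USER: base image default applies (assumed root-prone)
    if "$" in user:
        return "variable"   # set from ARG/ENV; resolve the value before trusting it
    return "root" if user.split(":", 1)[0] in ROOT_NAMES else "non-root"

# Constructed sample Dockerfiles; registry and image names are placeholders.
SAMPLES = {
    "no-user": "FROM registry.example/base:1\nRUN dnf -y install git\n",
    "explicit-root": "FROM registry.example/base:1\nUSER 65532\nRUN true\nUSER root\n",
    "builder-only": ("FROM registry.example/builder:1 AS build\nUSER 1001\nRUN make\n"
                     "FROM registry.example/base:1\nCOPY --from=build /out /out\n"),
    "from-stage": "FROM registry.example/base:1 AS build\nUSER 1001\nFROM build\n",
    "non-root": "FROM registry.example/base:1\nRUN useradd -u 65532 app \\\n  && true\nUSER 65532:0\n",
    "variable": "FROM registry.example/base:1\nARG user\nUSER $user\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name:14} {classify(content)}")
```

Images reported as "inherited" or "variable" still need the base image or build arguments inspected before they can be treated as non-root.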