  1. OpenShift Pipelines
  2. SRVKP-2389

Simplify security configurations for image builds

    • To Do
    • RHDP-611 - Secure Supply Chain initiatives by OpenShift Pipelines FY23

      Goal

      As an admin, I want a simple way to configure the security level for building images in OpenShift Pipelines, so that I can configure the platform in accordance with the security requirements of our organisation.

      Buildah requires special permissions to build images on OpenShift. As a result, OpenShift Pipelines performs a series of configurations (the pipeline service account, pipelines-scc, etc.) so that image builds work out of the box. These configurations are not desirable for all customers, and some would prefer to disable some or all of the configurations made for Buildah. Nevertheless, discovering and applying these configurations is a daunting task that requires changes in many places, including the Task specs and the SCC.

      The currently supported security levels for building images are:

      1. buildah runs as root in a privileged pod: all image builds work
      2. buildah runs as root, unprivileged, with pipelines-scc (default): the majority of image builds work
      3. buildah runs as root inside a user namespace with pipelines-scc: most image builds work
      4. buildah runs as the user `build` with a custom SCC that enforces running as `build`: most image builds work
      5. No special treatment, SA, or SCC: no image builds work
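      As an added example (not from this issue or the OpenShift Pipelines project), the following is a custom SecurityContextConstraints for level 4 above, which pins Buildah to a fixed non-root user instead of root or RunAsAny. The SCC name, UID 1000 as the `build` user of the buildah image, the capability set, and the `<namespace>` placeholder are assumptions.

```yaml
# Added example, not part of SRVKP-2389: a custom SCC for security level 4,
# "buildah runs as user build". Name, UID, capabilities and namespace are assumptions.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: pipelines-buildah-nonroot        # assumed name
# Level 1 would set allowPrivilegedContainer: true; this SCC refuses it.
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: false
# Pin the pod to one non-root UID instead of RunAsAny (pipelines-scc) or root.
runAsUser:
  type: MustRunAs
  uid: 1000                              # assumed UID of the 'build' user in the buildah image
seLinuxContext:
  type: MustRunAs                        # label range taken from the project annotations
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
# Drop everything, then allow only what rootless buildah is assumed to need.
requiredDropCapabilities:
  - ALL
allowedCapabilities:
  - SETUID
  - SETGID
  - SETFCAP
allowPrivilegeEscalation: true           # newuidmap/newgidmap are setuid helpers
volumes:
  - configMap
  - emptyDir
  - secret
  - projected
  - downwardAPI
  - persistentVolumeClaim
# Grant the SCC only to the build service account; replace <namespace> with the
# project that runs the pipeline.
users:
  - system:serviceaccount:<namespace>:pipeline
```

      A Task that should use this SCC still has to request `runAsUser: 1000` and add the listed capabilities in its step `securityContext`; the SCC only bounds what the pod may ask for.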

      Acceptance Criteria

      • Admin can configure the desired security level for building images in the operator configuration
      • Docs exist on the available security levels
      • Docs recommend that customers update their configuration to use a more secure or the most secure level

            concaf Shubham Minglani
            ssadeghi@redhat.com Siamak Sadeghianfar