Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-2582

Use Kubernetes user namespaces for buildah pods

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • None
    • Tekton Ecosystem
    • None
    • Use Kubernetes user namespaces for buildah pods
    • False
    • None
    • False
    • OCPSTRAT-198Secure-by-default image builds
    • To Do
    • OCPSTRAT-198 - Secure-by-default image builds
    • 100% To Do, 0% In Progress, 0% Done

      Epic Goal

      OpenShift Pipelines uses Kubernetes user namespace instead of CRI-O user namespace in order to run buildah pods in the user namespaces

      Why is this important?

      To enable any authenticated user on OpenShift to run image builds through OpenShift Pipelines without requiring additional privileges for buildah pods that are not available to all authenticated users and all pods.

      Acceptance Criteria

      • Buildah pods in Pipelines (e.g. Buildah and S2I Tasks) run in the user namespace using the Kubernetes user namespaces
      • Buildah pods in Pipelines can run with the default service account and the user-namespace-aware equivalent of "restricted" SCC
      • Image builds with buildah functions without pipeline service account and pipeline-scc

              Unassigned Unassigned
              rh-ee-ssadeghi Siamak Sadeghianfar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: