XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Tekton Ecosystem
Labels:
None

Epic Name:
Use Kubernetes user namespaces for buildah pods
Blocked:
False
Blocked Reason:
None
Ready:
False
Parent Link:
OCPSTRAT-198Secure-by-default image builds
Epic Status:
To Do
Feature Link:
OCPSTRAT-198 - Secure-by-default image builds
Hierarchy Progress Bar:

100% To Do, 0% In Progress, 0% Done

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Epic Goal

OpenShift Pipelines uses Kubernetes user namespace instead of CRI-O user namespace in order to run buildah pods in the user namespaces

Why is this important?

To enable any authenticated user on OpenShift to run image builds through OpenShift Pipelines without requiring additional privileges for buildah pods that are not available to all authenticated users and all pods.

Acceptance Criteria

Buildah pods in Pipelines (e.g. Buildah and S2I Tasks) run in the user namespace using the Kubernetes user namespaces
Buildah pods in Pipelines can run with the default service account and the user-namespace-aware equivalent of "restricted" SCC
Image builds with buildah functions without pipeline service account and pipeline-scc

is blocked by

OCPNODE-1266 User namespaces in stateless + statefull pods alpha in 1.28

Closed

Assignee:: Unassigned

Reporter:: Siamak Sadeghianfar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2022/10/20 4:42 PM

Updated:: 2024/01/17 3:43 PM

Details

Description

Epic Goal

Why is this important?

Acceptance Criteria

Attachments

Issue Links

Activity

People

Dates