XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: Pipelines 1.20.0
Affects Version/s: None
Component/s: Tekton Ecosystem
Labels:
- doc-req
- release-notes-req

Epic Name:
Use Kubernetes user namespaces for buildah pods
Story Points:
6
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Parent Link:
OCPSTRAT-198Secure-by-default image builds
Epic Status:
Done
Feature Link:
OCPSTRAT-198 - Secure-by-default image builds
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Release Note Text:

Hide
The new buildah-ns Tekton Task introduces Kubernetes user namespace isolation for Buildah builds.

UID Mapping Behavior:

Inside container → runs as UID 0 (root within the namespace)

Outside container → mapped to a non-zero UID on the host

This mapping creates an additional security boundary by allowing containers to appear as root inside their own namespace while running with reduced privileges on the host. As a result, potential container escape vulnerabilities are mitigated, and overall isolation is improved.

Show
The new buildah-ns Tekton Task introduces Kubernetes user namespace isolation for Buildah builds. UID Mapping Behavior: Inside container → runs as UID 0 (root within the namespace) Outside container → mapped to a non-zero UID on the host This mapping creates an additional security boundary by allowing containers to appear as root inside their own namespace while running with reduced privileges on the host. As a result, potential container escape vulnerabilities are mitigated, and overall isolation is improved.
Release Note Type:
Enhancement
Release Note Status:
Done

Target Version:

Pipelines 1.20.0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Epic Goal

OpenShift Pipelines uses Kubernetes user namespace instead of CRI-O user namespace in order to run buildah pods in the user namespaces

Why is this important?

To enable any authenticated user on OpenShift to run image builds through OpenShift Pipelines without requiring additional privileges for buildah pods that are not available to all authenticated users and all pods.

Acceptance Criteria

Buildah pods in Pipelines (e.g. Buildah and S2I Tasks) run in the user namespace using the Kubernetes user namespaces
Buildah pods in Pipelines can run with the default service account and the user-namespace-aware equivalent of "restricted" SCC
Image builds with buildah functions without pipeline service account and pipeline-scc

is blocked by

OCPNODE-1266 User namespaces in stateless + statefull pods alpha in 1.28

Closed

SRVKP-8688 Testing for the epic

Closed

relates to

SRVKP-8839 [release-testing] add new buildah-ns task to release tests

Closed

Assignee:: Abhishek Ghosh

Reporter:: Siamak Sadeghianfar

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2022/10/20 4:42 PM

Updated:: 2025/09/25 5:38 AM

Resolved:: 2025/09/12 11:17 AM

Estimated:

Remaining:

Logged:

Not Specified

Details

Description

Epic Goal

Why is this important?

Acceptance Criteria

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Time Tracking

Hide