
Commit 078f081

vdemeestertekton-robot
authored andcommitted
Run tekton containers as nonroot 🐰
This changes a slew of containers that Tekton runs to use non-root base images. Signed-off-by: Vincent Demeester <[email protected]>
1 parent f8a61ef commit 078f081


2 files changed

+11
-2
lines changed


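--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,7 +1,14 @@
+defaultBaseImage: gcr.io/distroless/static:nonroot
 baseImageOverrides:
+# These base images run as root, which is needed for how they handle SSH credentials.
+# They are produced from ./images/Dockerfile
 github.com/tektoncd/pipeline/cmd/creds-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
 github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
-github.com/tektoncd/pipeline/cmd/entrypoint: busybox # image must have `cp` in $PATH
+# GCS fetcher needs root due to workspace permissions
+github.com/tektoncd/pipeline/vendor/github.com/GoogleCloudPlatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher: gcr.io/distroless/static:latest
+
+# Our entrypoint image does not need root, it simply needs to be able to 'cp' the binary into a shared location.
+github.com/tektoncd/pipeline/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot
 baseBuildOverrides:
 github.com/tektoncd/pipeline/cmd/controller:
 flags: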
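Review bot: Every base image this hunk introduces is referenced by a mutable tag (`gcr.io/distroless/static:nonroot`, `gcr.io/distroless/static:latest`, `gcr.io/distroless/base:debug-nonroot`, and the pre-existing `build-base:latest`), so the non-root property the commit relies on can silently change when a tag is re-pointed, and this is inconsistent with config/controller.yaml in the same commit, which pins its images by `@sha256:` digest. Consider pinning each override by digest as well, e.g. `defaultBaseImage: gcr.io/distroless/static:nonroot@sha256:<digest>`, with a comment recording when the digest was taken so it can be refreshed deliberately. The comment `# GCS fetcher needs root due to workspace permissions` would be more useful if it named what actually fails without root (presumably writes into a root-owned workspace volume; confirm), so a later reader knows when this exception can be dropped. The `baseBuildOverrides` mapping continues past the end of the hunk.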

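--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -68,8 +68,10 @@ spec:
 
 # These images are pulled from Dockerhub, by digest, as of April 15, 2020.
 "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b",
-"-shell-image", "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6",
 "-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e",
+# The shell image must be root in order to create directories and copy files to PVCs.
+# As of April 17, 2020
+"-shell-image", "gcr.io/distroless/base:debug@sha256:dac57423f6d9210198e1ac25de9f6d48753196a112aa2deb22f54e984cfd462d",
 ]
 volumeMounts:
 - name: config-logging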
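Review bot: The context comment `# These images are pulled from Dockerhub, by digest, as of April 15, 2020.` is no longer accurate once `-shell-image` points at `gcr.io/distroless/base:debug@sha256:…`, which is served from gcr.io rather than Docker Hub, and the new `# As of April 17, 2020` line is a dangling fragment. Suggest rewording the header to `# These images are pulled by digest; nop and gsutil from Dockerhub as of April 15, 2020.` and folding the date into the shell-image comment, e.g. `# The shell image's default user is root, needed to create directories and copy files to PVCs; distroless base:debug pinned by digest as of April 17, 2020.` Whether the shell step actually runs as root also depends on any securityContext the controller applies to the pod, which is not visible in this hunk, so the comment is safer stating the image's default user than asserting that it "must be root". The args list these lines belong to opens before the hunk.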
