Remove result initcontainer

This will remove the initcontainer which is
added for making the results folder writables

If it is rn as non-root then this init-containers
errors out on every run as the chmod command is
not allowed to execute

Further there is no need to make the empty-dir
volume writable

Currently tektoncd/pipeline fails on environment
where pod is run as non-root

This will fix that

Fix #2172

Author: piyush-garg

docs/developers/README.md

@@ -283,7 +283,6 @@ Instead of hardcoding the path to the result file, the user can also use a varia
 
 ### Known issues
 
-- When using a podTemplate to specify a non-root user for all containers, a task will not be able to modify the contents of the results directory and may fail.
 - Task Results are returned to the TaskRun controller via the container's
 termination log. At time of writing this has a capped maximum size of ["2048 bytes or 80 lines, whichever is smaller"](https://kubernetes.io/docs/tasks/debug-application-cluster/determine-reason-pod-failure/#customizing-the-termination-message).
 

pkg/pod/pod.go

@@ -103,11 +103,6 @@ func MakePod(images pipeline.Images, taskRun *v1alpha1.TaskRun, taskSpec v1alpha
 		volumes = append(volumes, secretsVolumes...)
 	}
 
-	// make tekton results folder writable by any user
-	if makeTektonFolderWritableInit := makeTektonResultsFolderWritable(images.ShellImage, implicitVolumeMounts); makeTektonFolderWritableInit != nil {
-		initContainers = append(initContainers, *makeTektonFolderWritableInit)
-	}
-
 	// Merge step template with steps.
 	// TODO(#1605): Move MergeSteps to pkg/pod
 	steps, err := v1alpha1.MergeStepsWithStepTemplate(taskSpec.StepTemplate, taskSpec.Steps)

pkg/pod/pod_test.go

@@ -65,14 +65,6 @@ func TestMakePod(t *testing.T) {
 		VolumeMounts: []corev1.VolumeMount{toolsMount},
 	}
 
-	resultsInit := corev1.Container{
-		Name:         "tekton-results-folder-writable",
-		Image:        images.ShellImage,
-		Command:      []string{"sh"},
-		Args:         []string{"-c", "chmod 777 /tekton/results"},
-		VolumeMounts: implicitVolumeMounts,
-	}
-
 	runtimeClassName := "gvisor"
 	automountServiceAccountToken := false
 	dnsPolicy := corev1.DNSNone
@@ -96,7 +88,7 @@ func TestMakePod(t *testing.T) {
 		}},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			Containers: []corev1.Container{{
 				Name:    "step-name",
 				Image:   "image",
@@ -149,7 +141,6 @@ func TestMakePod(t *testing.T) {
 				VolumeMounts: append(implicitVolumeMounts, secretsVolumeMount),
 				Env:          implicitEnvVars,
 			},
-				resultsInit,
 				placeToolsInit,
 			},
 			Containers: []corev1.Container{{
@@ -205,7 +196,7 @@ func TestMakePod(t *testing.T) {
 		},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			Containers: []corev1.Container{{
 				Name:    "step-name",
 				Image:   "image",
@@ -255,7 +246,7 @@ func TestMakePod(t *testing.T) {
 		}},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			Containers: []corev1.Container{{
 				Name:    "step-a-very-very-long-character-step-name-to-trigger-max-len", // step name trimmed.
 				Image:   "image",
@@ -291,7 +282,7 @@ func TestMakePod(t *testing.T) {
 		}},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			Containers: []corev1.Container{{
 				Name:    "step-ends-with-invalid", // invalid suffix removed.
 				Image:   "image",
@@ -329,7 +320,6 @@ func TestMakePod(t *testing.T) {
 		want: &corev1.PodSpec{
 			RestartPolicy: corev1.RestartPolicyNever,
 			InitContainers: []corev1.Container{
-				resultsInit,
 				{
 					Name:         "working-dir-initializer",
 					Image:        images.ShellImage,
@@ -382,7 +372,7 @@ func TestMakePod(t *testing.T) {
 		wantAnnotations: map[string]string{},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			Containers: []corev1.Container{{
 				Name:    "step-primary-name",
 				Image:   "primary-image",
@@ -433,7 +423,6 @@ func TestMakePod(t *testing.T) {
 		want: &corev1.PodSpec{
 			RestartPolicy: corev1.RestartPolicyNever,
 			InitContainers: []corev1.Container{
-				resultsInit,
 				{
 					Name:         "place-scripts",
 					Image:        "busybox",
@@ -507,7 +496,7 @@ sidecar-script-heredoc-randomly-generated-mz4c7
 		}},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			Containers: []corev1.Container{{
 				Name:    "step-unnamed-0",
 				Image:   "image",
@@ -596,7 +585,7 @@ print("Hello from Python")`,
 		want: &corev1.PodSpec{
 			RestartPolicy: corev1.RestartPolicyNever,
 			InitContainers: []corev1.Container{
-				resultsInit, {
+				{
 					Name:    "place-scripts",
 					Image:   images.ShellImage,
 					Command: []string{"sh"},
@@ -715,7 +704,7 @@ script-heredoc-randomly-generated-78c5n
 		},
 		want: &corev1.PodSpec{
 			RestartPolicy:  corev1.RestartPolicyNever,
-			InitContainers: []corev1.Container{resultsInit, placeToolsInit},
+			InitContainers: []corev1.Container{placeToolsInit},
 			SchedulerName:  "there-scheduler",
 			Volumes:        append(implicitVolumes, toolsVolume, downwardVolume),
 			Containers: []corev1.Container{{

pkg/pod/tekton_folder_writable.go

@@ -243,18 +243,6 @@ var (
 		actualOps = append(actualOps, ops...)
 		return tb.PodInitContainer("place-tools", "override-with-entrypoint:latest", actualOps...)
 	}
-
-	getResultsInitContainer = func(ops ...tb.ContainerOp) tb.PodSpecOp {
-		actualOps := []tb.ContainerOp{
-			tb.Command("sh"),
-			tb.VolumeMount("tekton-internal-workspace", "/workspace"),
-			tb.VolumeMount("tekton-internal-home", "/tekton/home"),
-			tb.VolumeMount("tekton-internal-results", "/tekton/results"),
-			tb.Args("-c", "chmod 777 /tekton/results"),
-		}
-		actualOps = append(actualOps, ops...)
-		return tb.PodInitContainer("tekton-results-folder-writable", "busybox", actualOps...)
-	}
 )
 
 func getRunName(tr *v1alpha1.TaskRun) string {
@@ -319,7 +307,6 @@ func TestReconcile_ExplicitDefaultSA(t *testing.T) {
 				tb.PodServiceAccountName(defaultSAName),
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-simple-step", "foo",
 					tb.Command(entrypointLocation),
@@ -359,7 +346,6 @@ func TestReconcile_ExplicitDefaultSA(t *testing.T) {
 				tb.PodServiceAccountName("test-sa"),
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-sa-step", "foo",
 					tb.Command(entrypointLocation),
@@ -582,7 +568,6 @@ func TestReconcile(t *testing.T) {
 			tb.PodSpec(
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-simple-step", "foo",
 					tb.Command(entrypointLocation),
@@ -622,7 +607,6 @@ func TestReconcile(t *testing.T) {
 				tb.PodServiceAccountName("test-sa"),
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-sa-step", "foo",
 					tb.Command(entrypointLocation),
@@ -673,7 +657,6 @@ func TestReconcile(t *testing.T) {
 					},
 				),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				getMkdirResourceContainer("myimage", "/workspace/output/myimage", "mssqb"),
 				tb.PodContainer("step-git-source-git-resource-mz4c7", "override-with-git:latest",
@@ -743,7 +726,6 @@ func TestReconcile(t *testing.T) {
 			tb.PodSpec(
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-git-source-git-resource-9l9zj", "override-with-git:latest",
 					tb.Command(entrypointLocation),
@@ -801,7 +783,6 @@ func TestReconcile(t *testing.T) {
 			tb.PodSpec(
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-simple-step", "foo",
 					tb.Command(entrypointLocation),
@@ -839,7 +820,6 @@ func TestReconcile(t *testing.T) {
 			tb.PodSpec(
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-git-source-workspace-9l9zj", "override-with-git:latest",
 					tb.Command(entrypointLocation),
@@ -896,7 +876,6 @@ func TestReconcile(t *testing.T) {
 			tb.PodSpec(
 				tb.PodVolumes(workspaceVolume, homeVolume, resultsVolume, toolsVolume, downwardVolume),
 				tb.PodRestartPolicy(corev1.RestartPolicyNever),
-				getResultsInitContainer(),
 				getPlaceToolsInitContainer(),
 				tb.PodContainer("step-simple-step", "foo",
 					tb.Command(entrypointLocation),