@ghost ghost commented Aug 4, 2020

Changes

This is a cherry-pick of #3055
and is only here to have integration run against it.

The PullRequest Resource, when used as an output, is able to
read in a pr.json to determine if there have been any changes
that require syncing to github. pr.json may have been written
by any prior Step with any ownership settings. If pr.json
was written with root permissions then the PullRequest Resource
needs to have permissions to read that file.

The PullRequest Resource image has been based on a nonroot
image in our `.ko.yaml` since 0.13 of Tekton Pipelines ([`.ko.yaml` was
updated here](#2606)).

However, the published images did not match the configuration in the
`.ko.yaml` until 0.15.0 ([our `tekton/publish.yaml` was brought into line
with `.ko.yaml` here](#3018)).

Given that copying or writing pr.json in a Step can result in the file
being owned by root, using a nonroot image is not a suitable choice
of base image - the output PullRequest attempts to open pr.json and
hits a permissions error.

This commit updates the PullRequest image to be based on
distroless static instead of nonroot and adds an example yaml
file that should exercise the behaviour of copying the file from
an input to output pullrequest resource.

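The failure the PR describes is a plain Unix ownership mismatch: a root Step writes pr.json, and a container running as the nonroot image's user cannot open it. The following pre-flight check is an added example, not Tekton's own code; it stats the file and reports who owns it and why the given uid/gid cannot read it, so the offending Step is identifiable instead of a bare "permission denied". The path `/workspace/output/pr.json` and the uid/gid 65532 (the user distroless nonroot images run as) are assumptions, and supplementary groups and ACLs are ignored.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// canRead applies the owner/group/other rule of the mode bits. Root (uid 0)
// bypasses the bits for reading, which is why a root-running base image makes
// the error disappear without changing the ownership of pr.json itself.
// Supplementary groups and ACLs are ignored (an assumption of this example).
func canRead(mode os.FileMode, fileUID, fileGID, uid, gid int) bool {
	if uid == 0 {
		return true
	}
	switch {
	case uid == fileUID:
		return mode&0400 != 0
	case gid == fileGID:
		return mode&0040 != 0
	default:
		return mode&0004 != 0
	}
}

// ReadCheck reports whether a process running as uid/gid could open path for
// reading, judged from the file's owner, group and permission bits. On
// failure the error names the owner and mode of the file.
func ReadCheck(path string, uid, gid int) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("%s: no unix ownership information", path)
	}
	mode := info.Mode().Perm()
	if !canRead(mode, int(st.Uid), int(st.Gid), uid, gid) {
		return false, fmt.Errorf("%s is owned by uid %d gid %d with mode %04o; uid %d gid %d cannot read it",
			path, st.Uid, st.Gid, uint32(mode), uid, gid)
	}
	return true, nil
}

func main() {
	// Constructed path; 65532 is the uid/gid distroless nonroot images run as.
	ok, err := ReadCheck("/workspace/output/pr.json", 65532, 65532)
	fmt.Println(ok, err)
}
```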
@ghost ghost added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Aug 4, 2020
@ghost ghost added this to the Pipelines v0.15 milestone Aug 4, 2020
@ghost ghost self-assigned this Aug 4, 2020
@tekton-robot tekton-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Aug 4, 2020
@tekton-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign sbwsg
You can assign the PR to them by writing /assign @sbwsg in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot requested review from dibyom and imjasonh August 4, 2020 18:45
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 4, 2020
@ghost ghost removed request for dibyom and imjasonh August 4, 2020 18:47
@ghost ghost merged commit 6d12d1e into tektoncd:release-v0.15.x Aug 4, 2020
@ghost ghost deleted the release-v0.15.x-base-pullrequest-init-on-root-image branch August 4, 2020 20:09
This pull request was closed.