Incorrect permission set for /workspace
#1301
Comments
|
afaik I think As a comparison, I just tried this out using |
|
@chenbh I believe the issue is about the output images rather than the build process. The workspace is currently world writable which breaks workspace immutability during runtime when built layers are put atop the run image. Ideally it should only be writable by the build user. kpack used to produce images that were not world writable but this changed recently. There is also a buildpacks rfc to support this behavior as not being able to do this leads to security issues. Details are at https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md |
|
Related buildpacks/community#229 |
|
Hello, wondering if there are any updates on this? Seems that it was decided that these permissions would be determined by each platform (buildpacks/lifecycle#1350). And seems that pack made the decision to make this directory writable, was this something also decided for kpack? Could this be configurable instead? Maybe a |
|
Related #1016 |
|
We were able to patch this internally using a pod mutator that runs at the beginning of the build and chmods and chowns the volume correctly. It would be great to see this being fixed in kpack or alternatively lifecycle. |
tldr;
/workspaceshould be read-only, but somehow it's writeable in some cases.We've been using kpack on our internal platform to build images for our clients. Recently we found that users were able to write to the
/workspacewhich caused some unexpected issues. We believe that it's caused by a regression bug from kpack.We will be working on identifying the issue and post a minimal reproducible example in the coming weeks.
The text was updated successfully, but these errors were encountered: