Run tekton containers as nonroot #2435
Conversation
Hi @mattmoor. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
I've been playing with nonroot base images, and unfortunately
This seems clearly related:
It looks like the PVCs are created such that only
/retest
This was buried in there:
Hmm, the new line in the
Awesome, this is a From the spf13/viper docs:
🎉 🤦
This fixes an issue where import paths with uppercase (github.com/GoogleCloudPlatform 👀) were being canonicalized by Viper to all lowercase and the baseImageOverrides in `.ko.yaml` were failing to properly identify the base image. I hit this in: tektoncd/pipeline#2435 trying to opt some of the GCP images out of `:nonroot`. This also adds some logging to a place where I see a lot of folks have issues with `ko` where we swallow an error. I hit it experimenting with variants on the `ko publish` import path, and added the logging to debug.
* Viper keys are case insensitive.
* Drop the new log statement
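The Viper case-folding failure described in the linked ko change, as an added Go example that is not ko's or Tekton's own code: a constructed `.ko.yaml`-style override table, a loader that lowercases keys the way Viper does, the naive exact-match lookup that then misses the GoogleCloudPlatform path, and a resolver that matches case-insensitively and reports overrides no build target claimed. The import paths and image names are placeholders.

```go
package main

import "strings"

// Constructed stand-in for a .ko.yaml: a default base image plus
// per-import-path overrides (the import paths are placeholders).
const defaultBaseImage = "gcr.io/distroless/static:nonroot"

var baseImageOverrides = map[string]string{
	"github.com/GoogleCloudPlatform/example/cmd/gcs-tool": "gcr.io/distroless/base:latest",
	"github.com/tektoncd/example/cmd/controller":          "gcr.io/distroless/static:nonroot",
}

// foldKeys mimics a config loader such as Viper that stores every key
// lowercased, so the mixed-case GoogleCloudPlatform key is rewritten.
func foldKeys(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for k, v := range m {
		out[strings.ToLower(k)] = v
	}
	return out
}

// lookupExact is the naive lookup: against folded keys it misses every
// mixed-case path and silently falls back to the default base image.
func lookupExact(loaded map[string]string, target string) (string, bool) {
	if img, ok := loaded[target]; ok {
		return img, true
	}
	return defaultBaseImage, false
}

// resolveBaseImages matches case-insensitively on both sides, so it works
// whether or not the loader folded the keys, and returns the overrides no
// target claimed: the signal that a key was canonicalized away or
// mistyped, rather than a quiet fallback to the default.
func resolveBaseImages(loaded map[string]string, targets []string) (map[string]string, map[string]string) {
	folded, unclaimed := foldKeys(loaded), foldKeys(loaded)
	images := map[string]string{}
	for _, t := range targets {
		key := strings.ToLower(t)
		images[t] = defaultBaseImage
		if img, ok := folded[key]; ok {
			images[t] = img
			delete(unclaimed, key)
		}
	}
	return images, unclaimed
}
```

A non-empty unclaimed map at build time is worth failing on, since it means a configured override never applied to anything.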
The ko change has merged. Who do I talk to about upgrading the version used in CI? @bobcatfish @imjasonh @vdemeester @afrittoli
@mattmoor me 😛
So it should be available on the
/retest
Looks like it hasn't been updated.
yep it needs tektoncd/plumbing#352 to be in 👼
/retest
/retest
So this is good now?
Thanks for this PR! The code change looks good, I look forward to having rootless images where possible.
I think it's worth having release notes for this change, would you mind adding them to the PR description?
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@afrittoli done, lmk if I did it in the way y'all expect.
Thank you!
Thank you!
/lgtm
@mattmoor I'm not sure how to re-trigger the CLA check, would you mind re-pushing this, it should run then. I removed the "lgtm" for now, else this will hold the tide queue
This might need some changes in the publish.yaml task too
ping @mattmoor
I think I'm almost there on approvals, but as discussed in slack, you should totally feel free to take over this work while I sit in limbo :(
This changes a slew of containers that Tekton runs to use non-root base images.
I was hoping to use Tekton's CI to verify what blows up from this, but I am now realizing I'm not an org member, so someone is going to need to `/ok-to-test` this. cc @bobcatfish @dlorenc @imjasonh @vdemeester How do I ascend to such prestige? 🙏
Release notes: