Enable read only rootfs config for the build containers

hasanawad94 · hasanawad94 · commit 04f65802eff8 · 2025-10-22T11:54:50.000+03:00
Sets `ReadOnlyRootFilesystem` to true for Git,Bundle,Image-procesing,Waiter containers.
Sets the waiter container's lock file path to the generated temporary volume to prevent it from using its own filesystem.

Signed-off-by: Hasan Awad &lt;hasan.m.awad94@gmail.com&gt;
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -24,7 +24,7 @@ The following environment variables are available:
 | `BUNDLE_CONTAINER_IMAGE`                         | Custom container image that pulls a bundle image to obtain the packaged source code. If `BUNDLE_IMAGE_CONTAINER_TEMPLATE` is also specifying an image, then the value for `BUNDLE_IMAGE_CONTAINER_IMAGE` has precedence.                                                                                                                                                                                                                                                                                                                                                 |
 | `IMAGE_PROCESSING_CONTAINER_TEMPLATE`            | JSON representation of a [Container](https://pkg.go.dev/k8s.io/api/core/v1#Container) template that is used for steps that processes the image. Default is `{"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsgGroup": 0}}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
 | `IMAGE_PROCESSING_CONTAINER_IMAGE`               | Custom container image that is used for steps that processes the image. If `IMAGE_PROCESSING_CONTAINER_TEMPLATE` is also specifying an image, then the value for `IMAGE_PROCESSING_CONTAINER_IMAGE` has precedence.                                                                                                                                                                                                                                                                                                                                                      |
-| `WAITER_CONTAINER_TEMPLATE`                      | JSON representation of a [Container] template that waits for local source code to be uploaded to it. Default is `{"image":"ghcr.io/shipwright-io/build/waiter:latest", "command": ["/ko-app/waiter"], "args": ["start"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}}`. The following properties are ignored as they are set by the controller: `args`, `name`.                                                                      |
+| `WAITER_CONTAINER_TEMPLATE`                      | JSON representation of a [Container] template that waits for local source code to be uploaded to it. Default is `{"image":"ghcr.io/shipwright-io/build/waiter:latest", "command": ["/ko-app/waiter"], "args": ["start","--lock-file=/shp-tmp/waiter.lock"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}}`. The following properties are ignored as they are set by the controller: `args`, `name`.                                                                      |
 | `WAITER_CONTAINER_IMAGE`                         | Custom container image that waits for local source code to be uploaded to it. If `WAITER_IMAGE_CONTAINER_TEMPLATE` is also specifying an image, then the value for `WAITER_IMAGE_CONTAINER_IMAGE` has precedence.                                                                                                                                                                                                                                                                                                                                                        |
 | `BUILD_CONTROLLER_LEADER_ELECTION_NAMESPACE`     | Set the namespace to be used to store the `shipwright-build-controller` lock, by default it is in the same namespace as the controller itself.                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `BUILD_CONTROLLER_LEASE_DURATION`                | Override the `LeaseDuration`, which is the duration that non-leader candidates will wait to force acquire leadership.                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -187,8 +187,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 
@@ -215,8 +216,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 
@@ -241,6 +243,7 @@ func NewDefaultConfig() *Config {
 				AllowPrivilegeEscalation: ptr.To(false),
 				RunAsUser:                root,
 				RunAsGroup:               root,
+				ReadOnlyRootFilesystem:   ptr.To(true),
 				Capabilities: &corev1.Capabilities{
 					Add: []corev1.Capability{
 						"DAC_OVERRIDE",
@@ -259,6 +262,7 @@ func NewDefaultConfig() *Config {
 			},
 			Args: []string{
 				"start",
+				"--lock-file=/shp-tmp/waiter.lock", // Sets lock file path to the generated tmp volume to prevent it from using its own filesystem.
 			},
 			// This directory is created in the base image as writable for everybody
 			Env: []corev1.EnvVar{
@@ -274,8 +278,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -142,8 +142,9 @@ var _ = Describe("Config", func() {
 								"ALL",
 							},
 						},
-						RunAsUser:  nonRoot,
-						RunAsGroup: nonRoot,
+						RunAsUser:              nonRoot,
+						RunAsGroup:             nonRoot,
+						ReadOnlyRootFilesystem: ptr.To(true),
 					},
 				}))
 			})
@@ -234,7 +235,7 @@ var _ = Describe("Config", func() {
 				Expect(config.WaiterContainerTemplate).To(Equal(Step{
 					Image:   "myregistry/custom/image",
 					Command: []string{"/ko-app/waiter"},
-					Args:    []string{"start"},
+					Args:    []string{"start", "--lock-file=/shp-tmp/waiter.lock"},
 					Env:     []corev1.EnvVar{{Name: "HOME", Value: "/shared-home"}},
 					SecurityContext: &corev1.SecurityContext{
 						AllowPrivilegeEscalation: ptr.To(false),
@@ -243,8 +244,9 @@ var _ = Describe("Config", func() {
 								"ALL",
 							},
 						},
-						RunAsUser:  nonRoot,
-						RunAsGroup: nonRoot,
+						RunAsUser:              nonRoot,
+						RunAsGroup:             nonRoot,
+						ReadOnlyRootFilesystem: ptr.To(true),
 					},
 				}))
 			})
diff --git a/pkg/reconciler/buildrun/resources/sources/local_copy_test.go b/pkg/reconciler/buildrun/resources/sources/local_copy_test.go
@@ -32,7 +32,7 @@ var _ = Describe("LocalCopy", func() {
 			Expect(len(taskSpec.Steps)).To(Equal(1))
 			Expect(taskSpec.Steps[0].Name).To(Equal(sources.WaiterContainerName))
 			Expect(taskSpec.Steps[0].Image).To(Equal(cfg.WaiterContainerTemplate.Image))
-			Expect(taskSpec.Steps[0].Args).To(Equal([]string{"start", "--timeout=1m0s"}))
+			Expect(taskSpec.Steps[0].Args).To(Equal([]string{"start", "--lock-file=/shp-tmp/waiter.lock", "--timeout=1m0s"}))
 		})
 	})
 })
