Enable read only rootfs config for the build containers
Sets `ReadOnlyRootFilesystem` to true for Git, Bundle, Image-processing, Waiter containers.
Sets the waiter container's lock file path to the generated tmp volume,
to prevent it from using its own filesystem.
Signed-off-by: Hasan Awad <[email protected]>
docs/configuration.md: 4 additions & 4 deletions
@@ -18,13 +18,13 @@ The following environment variables are available:
18
18
|`REMOTE_ARTIFACTS_CONTAINER_IMAGE`| Specify the container image used for the `.spec.sources` remote artifacts download, by default it uses `quay.io/quay/busybox:latest`. |
19
19
|`TERMINATION_LOG_PATH`| Path of the termination log. This is where controller application will write the reason of its termination. Default value is `/dev/termination-log`. |
20
20
|`GIT_ENABLE_REWRITE_RULE`| Enable Git wrapper to setup a URL `insteadOf` Git config rewrite rule for the respective source URL hostname. Default is `false`. |
21
-
|`GIT_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that is used for steps that clone a Git repository. Default is `{"image": "ghcr.io/shipwright-io/build/git:latest", "command": ["/ko-app/git"], "env": [{"name": "HOME", "value": "/shared-home"},{"name": "GIT_SHOW_LISTING", "value": "false"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser": 1000,"runAsGroup": 1000}}`[^1]. The following properties are ignored as they are set by the controller: `args`, `name`. |
21
+
|`GIT_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that is used for steps that clone a Git repository. Default is `{"image": "ghcr.io/shipwright-io/build/git:latest", "command": ["/ko-app/git"], "env": [{"name": "HOME", "value": "/shared-home"},{"name": "GIT_SHOW_LISTING", "value": "false"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser": 1000,"runAsGroup": 1000}, readOnlyRootFilesystem: true}`[^1]. The following properties are ignored as they are set by the controller: `args`, `name`. |
22
22
|`GIT_CONTAINER_IMAGE`| Custom container image for Git clone steps. If `GIT_CONTAINER_TEMPLATE` is also specifying an image, then the value for `GIT_CONTAINER_IMAGE` has precedence. |
23
-
|`BUNDLE_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that is used for steps that pulls a bundle image to obtain the packaged source code. Default is `{"image": "ghcr.io/shipwright-io/build/bundle:latest", "command": ["/ko-app/bundle"], "env": [{"name": "HOME","value": "/shared-home"},{"name": "BUNDLE_SHOW_LISTING","value": "false"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}}`[^1]. The following properties are ignored as they are set by the controller: `args`, `name`. |
23
+
|`BUNDLE_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that is used for steps that pulls a bundle image to obtain the packaged source code. Default is `{"image": "ghcr.io/shipwright-io/build/bundle:latest", "command": ["/ko-app/bundle"], "env": [{"name": "HOME","value": "/shared-home"},{"name": "BUNDLE_SHOW_LISTING","value": "false"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}, readOnlyRootFilesystem: true}`[^1]. The following properties are ignored as they are set by the controller: `args`, `name`. |
24
24
|`BUNDLE_CONTAINER_IMAGE`| Custom container image that pulls a bundle image to obtain the packaged source code. If `BUNDLE_IMAGE_CONTAINER_TEMPLATE` is also specifying an image, then the value for `BUNDLE_IMAGE_CONTAINER_IMAGE` has precedence. |
25
-
|`IMAGE_PROCESSING_CONTAINER_TEMPLATE`| JSON representation of a [Container](https://pkg.go.dev/k8s.io/api/core/v1#Container) template that is used for steps that processes the image. Default is `{"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsgGroup": 0}}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
25
+
|`IMAGE_PROCESSING_CONTAINER_TEMPLATE`| JSON representation of a [Container](https://pkg.go.dev/k8s.io/api/core/v1#Container) template that is used for steps that processes the image. Default is `{"image": "ghcr.io/shipwright-io/build/image-processing:latest", "command": ["/ko-app/image-processing"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"add": ["DAC_OVERRIDE"], "drop": ["ALL"]}, "runAsUser": 0, "runAsgGroup": 0}, readOnlyRootFilesystem: true}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
26
26
|`IMAGE_PROCESSING_CONTAINER_IMAGE`| Custom container image that is used for steps that processes the image. If `IMAGE_PROCESSING_CONTAINER_TEMPLATE` is also specifying an image, then the value for `IMAGE_PROCESSING_CONTAINER_IMAGE` has precedence. |
27
-
|`WAITER_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that waits for local source code to be uploaded to it. Default is `{"image":"ghcr.io/shipwright-io/build/waiter:latest", "command": ["/ko-app/waiter"], "args": ["start"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
27
+
|`WAITER_CONTAINER_TEMPLATE`| JSON representation of a [Container] template that waits for local source code to be uploaded to it. Default is `{"image":"ghcr.io/shipwright-io/build/waiter:latest", "command": ["/ko-app/waiter"], "args": ["start","--lock-file=/shp-tmp/waiter.lock"], "env": [{"name": "HOME","value": "/shared-home"}], "securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser":1000,"runAsGroup":1000}, readOnlyRootFilesystem: true}`. The following properties are ignored as they are set by the controller: `args`, `name`. |
28
28
|`WAITER_CONTAINER_IMAGE`| Custom container image that waits for local source code to be uploaded to it. If `WAITER_IMAGE_CONTAINER_TEMPLATE` is also specifying an image, then the value for `WAITER_IMAGE_CONTAINER_IMAGE` has precedence. |
29
29
|`BUILD_CONTROLLER_LEADER_ELECTION_NAMESPACE`| Set the namespace to be used to store the `shipwright-build-controller` lock, by default it is in the same namespace as the controller itself. |
30
30
|`BUILD_CONTROLLER_LEASE_DURATION`| Override the `LeaseDuration`, which is the duration that non-leader candidates will wait to force acquire leadership. |
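Review bot: the documented defaults for `GIT_CONTAINER_TEMPLATE`, `BUNDLE_CONTAINER_TEMPLATE`, `IMAGE_PROCESSING_CONTAINER_TEMPLATE` and `WAITER_CONTAINER_TEMPLATE` place `readOnlyRootFilesystem: true` after the closing brace of `securityContext`, as a top-level container property with an unquoted key. In the core/v1 Container type `readOnlyRootFilesystem` is a field of `SecurityContext`, and a bare key is not valid JSON, so anyone copying the documented value into the environment variable would get a parse error or an unknown field. Suggest moving it inside the object and quoting it, e.g. `"securityContext":{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsUser": 1000,"runAsGroup": 1000, "readOnlyRootFilesystem": true}`, which matches what the commit message says the controller now sets. Since the waiter default now passes `--lock-file=/shp-tmp/waiter.lock`, it would also help to state in the `WAITER_CONTAINER_TEMPLATE` row that `/shp-tmp` is the generated tmp volume the commit message refers to, because with a read-only root filesystem the lock file cannot be created anywhere else. While touching the `IMAGE_PROCESSING_CONTAINER_TEMPLATE` line, the pre-existing `"runAsgGroup": 0` misspelling could be corrected to `"runAsGroup": 0`.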