Expand Up @@ -11,6 +11,17 @@ spec:
workingDir: $(params.shp-source-root)
securityContext:
privileged: true
readOnlyRootFilesystem: true
volumeMounts:
- name: shp-buildah-container-storage
mountPath: /var/lib/containers # Read/Write location of container storage
- name: shp-tmp
mountPath: /shp-tmp
- name: shp-run
mountPath: /var/run
env:
- name: TMPDIR
value: /shp-tmp
command:
- /bin/bash
args:
Expand Down Expand Up @@ -125,21 +136,21 @@ spec:

echo "[INFO] Creating registries config file..."
if [ "${registriesSearch}" != "" ]; then
cat <<EOF >>/tmp/registries.conf
cat <<EOF >>/shp-tmp/registries.conf
[registries.search]
registries = [${registriesSearch::-2}]

EOF
fi
if [ "${registriesInsecure}" != "" ]; then
cat <<EOF >>/tmp/registries.conf
cat <<EOF >>/shp-tmp/registries.conf
[registries.insecure]
registries = [${registriesInsecure::-2}]

EOF
fi
if [ "${registriesBlock}" != "" ]; then
cat <<EOF >>/tmp/registries.conf
cat <<EOF >>/shp-tmp/registries.conf
[registries.block]
registries = [${registriesBlock::-2}]

Expand All @@ -150,7 +161,7 @@ spec:
echo "[INFO] Building image ${image}"
buildah --storage-driver=$(params.storage-driver) \
bud "${budArgs[@]}" \
--registries-conf=/tmp/registries.conf \
--registries-conf=/shp-tmp/registries.conf \
--tag="${image}" \
--file="${dockerfile}" \
.
Expand Down Expand Up @@ -219,6 +230,13 @@ spec:
description: "Sets the target stage to be built."
type: string
default: ""
volumes:
- name: shp-buildah-container-storage
emptyDir: {}
- name: shp-tmp
emptyDir: {}
- name: shp-run
emptyDir: {}
securityContext:
runAsUser: 0
runAsGroup: 0
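Review bot: The three emptyDir volumes added at the end of this section have no `sizeLimit`, and with `readOnlyRootFilesystem: true` they are now the only writable paths, so image layers pulled into /var/lib/containers draw on node ephemeral storage with no cap. Consider `emptyDir: {sizeLimit: "<storage limit>"}` (placeholder value) on at least `shp-buildah-container-storage`; the same applies to the emptyDir volumes added in the other three files on this page. Note also that `privileged: true` a few lines above the new `readOnlyRootFilesystem: true` leaves the process able to remount its root filesystem, so here the read-only setting guards against accidental writes rather than acting as a containment boundary; a comment stating that intent next to it, e.g. `# best-effort: privileged above means this is not a hard boundary`, would keep readers from over-reading the hardening. The enclosing step definition starts and ends outside these hunks.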
Expand Up @@ -10,9 +10,20 @@ spec:
imagePullPolicy: Always
workingDir: $(params.shp-source-root)
securityContext:
readOnlyRootFilesystem: true
capabilities:
add:
- "SETFCAP"
volumeMounts:
- name: shp-buildah-container-storage
mountPath: /var/lib/containers # Read/Write location of container storage
- name: shp-tmp
mountPath: /shp-tmp
- name: shp-run
mountPath: /var/run
env:
- name: TMPDIR
value: /shp-tmp
command:
- /bin/bash
args:
Expand Down Expand Up @@ -125,21 +136,21 @@ spec:

echo "[INFO] Creating registries config file..."
if [ "${registriesSearch}" != "" ]; then
cat <<EOF >>/tmp/registries.conf
cat <<EOF >>/shp-tmp/registries.conf
[registries.search]
registries = [${registriesSearch::-2}]

EOF
fi
if [ "${registriesInsecure}" != "" ]; then
cat <<EOF >>/tmp/registries.conf
cat <<EOF >>/shp-tmp/registries.conf
[registries.insecure]
registries = [${registriesInsecure::-2}]

EOF
fi
if [ "${registriesBlock}" != "" ]; then
cat <<EOF >>/tmp/registries.conf
cat <<EOF >>/shp-tmp/registries.conf
[registries.block]
registries = [${registriesBlock::-2}]

Expand All @@ -150,7 +161,7 @@ spec:
echo "[INFO] Building image ${image}"
buildah --storage-driver=$(params.storage-driver) \
bud "${budArgs[@]}" \
--registries-conf=/tmp/registries.conf \
--registries-conf=/shp-tmp/registries.conf \
--tag="${image}" \
--file="${dockerfile}" \
.
Expand Down Expand Up @@ -222,3 +233,10 @@ spec:
securityContext:
runAsUser: 0
runAsGroup: 0
volumes:
- name: shp-buildah-container-storage
emptyDir: {}
- name: shp-tmp
emptyDir: {}
- name: shp-run
emptyDir: {}
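Review bot: Mounting `shp-run` at `/var/run` may not give buildah a writable runtime directory if the base image's `/var/run` is a symlink to `/run`, as it is on many current distributions: the mount replaces the symlink with an empty directory, and anything that resolves paths under `/run` still lands on the read-only root filesystem. Verify this against the image, and if so mount the same volume at `/run` as well (or at whichever path the image treats as canonical); the first buildah strategy on this page has the identical mount. The new `TMPDIR` entry would also benefit from a short comment, e.g. `# / is read-only; tools honouring TMPDIR write to the shp-tmp volume instead of /tmp`, since the registries.conf path changes later in the script depend on it. The enclosing step definition starts and ends outside these hunks.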
Expand Up @@ -44,8 +44,13 @@ spec:
- SETUID
seccompProfile:
type: Unconfined
readOnlyRootFilesystem: true
workingDir: $(params.shp-source-root)
env:
# This is required to align the temporary directory created by buildkit
# with the volume mount for that directory.
- name: XDG_RUNTIME_DIR
value: /home/user/.local/tmp
- name: DOCKER_CONFIG
value: /tekton/home/.docker
- name: HOME
Expand All @@ -67,6 +72,13 @@ spec:
value: $(params.cache)
- name: PARAM_TARGET
value: $(params.target)
volumeMounts:
- name: buildkitd-1
mountPath: /home/user/.local/share/buildkit
- name: buildkitd-2
mountPath: /home/user/.local/tmp
- name: shp-tmp
mountPath: /tmp
command:
- /bin/ash
args:
Expand Down Expand Up @@ -180,3 +192,10 @@ spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
volumes:
- name: shp-tmp
emptyDir: {}
- name: buildkitd-1
emptyDir: {}
- name: buildkitd-2
emptyDir: {}
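Review bot: The volume names `buildkitd-1` and `buildkitd-2` say nothing about what each holds, while their mount paths do (`.local/share/buildkit` for state, `.local/tmp` for the directory named by `XDG_RUNTIME_DIR`); names such as `buildkit-state` and `buildkit-runtime` (constructed examples) would make both the mount list and the volumes list self-describing. The comment above `XDG_RUNTIME_DIR` could additionally state that the path must be writable by the `runAsUser: 1000` set further down, which an emptyDir presumably satisfies but which is the reason the mount exists at all — confirm against the image's ownership of `/home/user`. The enclosing step definition starts and ends outside these hunks.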
19 changes: 16 additions & 3 deletions samples/v1beta1/buildstrategy/ko/buildstrategy_ko_cr.yaml
Expand Up @@ -25,15 +25,24 @@ spec:
description: "Volume to contain the GOCACHE. Can be set to a persistent volume to optimize compilation performance for rebuilds."
overridable: true
emptyDir: {}
- name: ko-tmp
description: "Volume to contain temporary files for ko binary and other build artifacts."
overridable: true
emptyDir: {}
steps:
- name: build
image: golang:$(params.go-version)
imagePullPolicy: Always
workingDir: $(params.shp-source-root)
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /gocache
name: gocache
readOnly: false
- mountPath: /ko-tmp
name: ko-tmp
readOnly: false
env:
- name: DOCKER_CONFIG
value: /tekton/home/.docker
Expand All @@ -43,6 +52,10 @@ spec:
value: $(params.go-flags)
- name: GOCACHE
value: /gocache
- name: GOTMPDIR
value: /ko-tmp
- name: TMPDIR
value: /ko-tmp
- name: PARAM_OUTPUT_IMAGE
value: $(params.shp-output-image)
- name: PARAM_OUTPUT_DIRECTORY
Expand Down Expand Up @@ -80,7 +93,7 @@ spec:
fi

# Download ko to the temp directory
curl -f -s -L "https://github.com/ko-build/ko/releases/download/${KO_VERSION_WITH_V}/ko_${KO_VERSION_WITHOUT_V}_$(uname)_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar xzf - -C /tmp ko
curl -f -s -L "https://github.com/ko-build/ko/releases/download/${KO_VERSION_WITH_V}/ko_${KO_VERSION_WITHOUT_V}_$(uname)_$(uname -m | sed 's/aarch64/arm64/').tar.gz" | tar xzf - -C /ko-tmp ko

# Determine the platform
PLATFORM="${PARAM_TARGET_PLATFORM}"
Expand All @@ -90,7 +103,7 @@ spec:

# Print version information
go version
echo "ko version $(/tmp/ko version)"
echo "ko version $(/ko-tmp/ko version)"

# Allow directory to be owned by other user which is normal for a volume-mounted directory.
# This allows Go to run git commands to access repository metadata.
Expand All @@ -102,7 +115,7 @@ spec:
export GOROOT="$(go env GOROOT)"

pushd "${PARAM_SOURCE_CONTEXT}" > /dev/null
/tmp/ko build "${PARAM_PACKAGE_DIRECTORY}" --oci-layout-path="${PARAM_OUTPUT_DIRECTORY}" --platform="${PLATFORM}" --push=false
/ko-tmp/ko build "${PARAM_PACKAGE_DIRECTORY}" --oci-layout-path="${PARAM_OUTPUT_DIRECTORY}" --platform="${PLATFORM}" --push=false
popd > /dev/null
resources:
limits:
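Review bot: The `ko` tarball fetched on the changed curl line is extracted and then executed (`/ko-tmp/ko version`, `/ko-tmp/ko build`) without any integrity check; that predates this change, but the binary now lives in `ko-tmp`, which the same commit declares `overridable: true`, so a Build can substitute its own volume for the directory the strategy executes from. Verify the download against the checksum file published with the pinned release (if one exists for that version) before `tar xzf`, and consider whether `ko-tmp` needs to be overridable at all — unlike `gocache`, its description indicates no rebuild benefit from persistence. The `ko-tmp` description could also say that the directory holds the ko executable itself, not only build artifacts, so whoever overrides it understands what they are replacing. The enclosing step definition starts and ends outside these hunks.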