
Add elevated security permissions to the Tekton deployment script for OpenShift #378

Open
adambkaplan opened this issue Sep 2, 2020 · 0 comments

@adambkaplan (Member)

OpenShift has extra security features which prevent most service accounts from creating privileged pods, containers that run as uid 0, and so forth. Because of the way Tekton currently checks permissions when creating TaskRun objects, the Tekton controller needs elevated privileges that are specific to OpenShift to create build runs with most of our sample build strategies.

There are a few approaches we can take (not mutually exclusive):

  1. Augment our install-tekton.sh script to add the right roles and role bindings for OpenShift. Ex: install-tekton.sh openshift adds the extra logic.
  2. Instruct users and contributors to install the OpenShift Pipelines operator via Operator Hub in the web console.
  3. Add a script that installs the OpenShift Pipelines operator via the command line.

@gabemontero is separately working with upstream Tekton to remove this limitation.
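The following is an added example of what approach 1 above amounts to in practice, written for this page and not taken from the shipwright-io/build repository or its install-tekton.sh script. It grants a single service account the right to use a single security context constraint (SCC) through RBAC, which is the least-privilege form of the grant: the SCC itself is left untouched, the ClusterRole names exactly one SCC, and a namespaced RoleBinding (rather than a ClusterRoleBinding) limits the grant to one service account in one namespace. The namespace name tekton-pipelines, the env-var overrides, the ClusterRole/RoleBinding names and the file name in the usage comment are assumptions; the tekton-pipelines-controller service account and the privileged SCC are the ones named in the commit referenced below.

```shell
#!/bin/sh
# Added example, not the project's own script. Grants one service account
# "use" of one SCC via RBAC. Assumed defaults: Tekton's controller runs in the
# "tekton-pipelines" namespace as "tekton-pipelines-controller"; override with
# the env vars below.
TEKTON_NS="${TEKTON_NS:-tekton-pipelines}"
TEKTON_SA="${TEKTON_SA:-tekton-pipelines-controller}"
SCC_NAME="${SCC_NAME:-privileged}"

# Emit a ClusterRole that permits "use" of exactly one SCC (resourceNames),
# plus a RoleBinding in the SA's namespace so only that SA receives it.
scc_use_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scc-use-${SCC_NAME}
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["${SCC_NAME}"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${TEKTON_SA}-scc-use-${SCC_NAME}
  namespace: ${TEKTON_NS}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scc-use-${SCC_NAME}
subjects:
- kind: ServiceAccount
  name: ${TEKTON_SA}
  namespace: ${TEKTON_NS}
EOF
}

# Apply the grant to the cluster you are logged in to (needs cluster-admin).
apply_scc_grant() {
  scc_use_manifest | oc apply -f -
}

# Verify the grant the way a reviewer would: impersonate the service account
# and ask the API server whether it may "use" the SCC. Exit status 0 means yes.
verify_scc_grant() {
  oc auth can-i use "securitycontextconstraints/${SCC_NAME}" \
    --as="system:serviceaccount:${TEKTON_NS}:${TEKTON_SA}"
}

# Usage (assumed file name):  . ./grant-scc.sh && apply_scc_grant && verify_scc_grant
```

Running `scc_use_manifest` on its own lets you review the exact RBAC objects before applying them, and `verify_scc_grant` confirms that the grant reached the intended subject and nothing else; run it again with `--as` set to a different service account to check that the binding has not leaked beyond the controller.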

adambkaplan added and then removed the "help wanted" label (Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.) Sep 2, 2020
adambkaplan changed the title from "Add elevated security permissions for the Tekton deployment script on OpenShift" to "Add elevated security permissions to the Tekton deployment script for OpenShift" Sep 2, 2020
adambkaplan added a commit to adambkaplan/build that referenced this issue Sep 11, 2020
When deploying Tekton on OpenShift, grant the tekton-pipelines-controller use of the privileged security context constraint. This will let the Tekton controller create privileged containers. Build strategies such as buildah currently require use of the privileged SCC.

Fixes shipwright-io#378
adambkaplan added a commit to adambkaplan/build that referenced this issue Sep 11, 2020
When deploying Tekton on OpenShift, grant the tekton-pipelines-controller use of the privileged security context constraint. This will let the Tekton controller create privileged containers. Build strategies such as buildah currently require use of the privileged SCC.

Fixes shipwright-io#378