BUILD-433: Run builds in user namespaces without seccomp if BUILD_PRIVILEGED=false

[nalind]

In the build controller, we never actually called setupContainersNodeStorage(), so remove it, and stop setting the environment variable to force storage to use the overlay driver, which currently requires privileges, leaning on openshift/builder#220 and openshift/builder#291 to have the builder container figure that out for itself.

Make the mode which we apply to secret and configuration map volumes in build pods something that the build controller can pass down to its helper functions, so that it can be adjusted based on the strategy. Continue to default them to 0600.

Set the seccomp profile for build pods to "unconfined", since we depend on unshare() and CRI-O is attempting to move away from allowing it to be used in its default seccomp profile.

When the Build object's environment includes "BUILD_PRIVILEGED=false" or "BUILD_PRIVILEGED=0":

• turn off the "privileged" flag for build pods
• set "io.openshift.builder=" and "io.kubernetes.cri-o.Devices=/dev/fuse:rwm" annotations
• set "io.kubernetes.cri-o.userns-mode=auto:size=65536"

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nalind
To complete the pull request process, please assign bparees after the PR has been reviewed.
You can assign the PR to them by writing /assign @bparees in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nalind]

/retest

[nalind]

/retest

[nalind]

/retest

[nalind]

/retest

[nalind]

/retest-required

[nalind]

/retest

[nalind]

/retest

[nalind]

/retest

[nalind]

/retest

[nalind]

• Have reverted to making securityContext.RunAsUser and securityContext.RunAsGroup implicit for unprivileged builds - if they're set explicitly, the service account token's permissions become 0600 instead of 0644, and the builder can't read them.
• Setting up a user namespace with the current set of UIDs/GIDs mapped to themselves (or more specifically, UID 0) to get CAP_SYS_ADMIN over their own new mount namespaces requires CAP_SETFCAP starting in upstream kernel 5.12 and RHEL kernel 4.18.0-312.el8. Added it to the unprivileged build security context.

[nalind]

• When the pull secret is owned by root with mode 0o600, an unprivileged builder can't read it. Tweaked pkg/build/controller/strategy.mountVolume() to use mode 0o644 when the security context isn't privileged.

[nalind]

/retest

[nalind]

/retest

[adambkaplan]

@coreydaley if you'd like, I can set up this repo for "no-feature-freeze" so you don't need a BZ to merge.

[coreydaley]

@adambkaplan That would be great, thanks!

[nalind]

/retest

[nalind]

/retest

[nalind]

/retest

[openshift-ci]

@nalind: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[coreydaley]

/lgtm
/label docs-approved
/label px-approved
/label qe-approved
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, coreydaley, nalind, RickJWagner, rolfedh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/build/OWNERS [adambkaplan,coreydaley]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coreydaley]

/hold cancel