Add feature flag to disable creds-init #3379
Conversation
tekton-robot
added
the
release-note
tekton-robot
added
the
size/M
|
The following is the coverage report on the affected files.
|
tekton-robot
added
size/L
|
The following is the coverage report on the affected files.
|
|
/kind feature |
tekton-robot
added
the
kind/feature
|
/test pull-tekton-pipeline-integration-tests |
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
/test pull-tekton-pipeline-integration-tests |
pkg/pod/creds_init.go
Outdated
| if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit == true { | ||
| return nil, nil, nil, nil | ||
| } |
There was a problem hiding this comment.
what do you think about using g.FeatureFlags.DisableCredsInit directly instead of comparing with true, like this:
if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit {
return nil, nil, nil, nil
}
docs/auth.md
Outdated
| 4. Tasks with Steps that run as non-root, particularly those where the UIDs | ||
| change from Step to Step, can log more warning messages than those without, | ||
| creating noise. |
There was a problem hiding this comment.
is there a way to clarify reason 4, it isn't clear to me what without is referring to
docs/auth.md
Outdated
| 1. Credentials must now be passed explicitly to Tasks either with Workspaces, | ||
| environment variables (using `envFrom` in your Steps and a Task param to | ||
| specify a Secret), or a custom volume and volumeMount definition. |
There was a problem hiding this comment.
could be helpful to reference the documentation for Workspaces, envFrom etc
pkg/pod/creds_init.go
Outdated
| if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit == true { | ||
| return nil, nil | ||
| } |
There was a problem hiding this comment.
same as above on using g.FeatureFlags.DisableCredsInit directly:
if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit {
return nil, nil
}
pkg/pod/pod.go
Outdated
| // Mount /tekton/creds with a fresh volume for each Step. It needs to | ||
| // be world-writeable and empty so creds can be initialized in there. Cant | ||
| // guarantee what UID container runs with. |
There was a problem hiding this comment.
may be useful to update this to mention that it mounts fresh volume for each step except when creds-init is disabled
|
The following is the coverage report on the affected files.
|
|
@jerop thanks a lot for the feedback! I've made the changes you requested. |
tekton-robot
added
the
needs-rebase
Prior to this commit Tekton scans service accounts attached to taskruns and mounts secrets matching a specific format into all the Steps of a Task. Then the entrypoint goes through those secrets and copies them to the user's home directory so they can be used by `git`, `docker`, etc This commit adds a feature-flag, `disable-creds-init`, that lets users turn off the service account scanning behaviour. The default is "false" so the creds-init behaviour remains enabled. Disabling creds-init can be desirable for a lot of reasons: 1. The process is opaque and difficult to debug 2. It's not particularly well suited for non-root, multi-UID tasks. 3. Only a limited set of credential types are supported Warning: Disabling creds-init will largely prevent Git and Image PipelineResources from working.
tekton-robot
removed
the
needs-rebase
ghost
added this to the
|
The following is the coverage report on the affected files.
|
|
/test pull-tekton-pipeline-go-coverage |
|
The following is the coverage report on the affected files.
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
/lgtm |
Fixes #2791
Prior to this commit Tekton scans service accounts attached to taskruns
and mounts secrets matching a specific format into all the Steps of a
Task. Then the entrypoint goes through those secrets and copies them
to the user's home directory so they can be used by
git,docker, etcThis commit adds a feature-flag,
disable-creds-init, that lets usersturn off the service account scanning behaviour. The default is "false"
so the creds-init behaviour remains enabled. Disabling creds-init can be
desirable for a lot of reasons:
Warning: Disabling creds-init will probably break PipelineResources.
Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmddir, please updatethe release Task to build and release this image.
Release Notes