-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add feature flag to disable creds-init #3379
Conversation
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
/kind feature |
/test pull-tekton-pipeline-integration-tests |
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
/test pull-tekton-pipeline-integration-tests |
pkg/pod/creds_init.go
Outdated
if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit == true { | ||
return nil, nil, nil, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do you think about using g.FeatureFlags.DisableCredsInit
directly instead of comparing with true, like this:
if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit {
return nil, nil, nil, nil
}
docs/auth.md
Outdated
4. Tasks with Steps that run as non-root, particularly those where the UIDs | ||
change from Step to Step, can log more warning messages than those without, | ||
creating noise. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way to clarify reason 4, it isn't clear to me what without
is referring to
docs/auth.md
Outdated
1. Credentials must now be passed explicitly to Tasks either with Workspaces, | ||
environment variables (using `envFrom` in your Steps and a Task param to | ||
specify a Secret), or a custom volume and volumeMount definition. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could be helpful to reference the documentation for Workspaces
, envFrom
etc
pkg/pod/creds_init.go
Outdated
if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit == true { | ||
return nil, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above on using g.FeatureFlags.DisableCredsInit
directly:
if cfg != nil && cfg.FeatureFlags != nil && cfg.FeatureFlags.DisableCredsInit {
return nil, nil
}
pkg/pod/pod.go
Outdated
// Mount /tekton/creds with a fresh volume for each Step. It needs to | ||
// be world-writeable and empty so creds can be initialized in there. Cant | ||
// guarantee what UID container runs with. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
may be useful to update this to mention that it mounts fresh volume for each step except when creds-init is disabled
The following is the coverage report on the affected files.
|
@jerop thanks a lot for the feedback! I've made the changes you requested. |
Prior to this commit Tekton scans service accounts attached to taskruns and mounts secrets matching a specific format into all the Steps of a Task. Then the entrypoint goes through those secrets and copies them to the user's home directory so they can be used by `git`, `docker`, etc This commit adds a feature-flag, `disable-creds-init`, that lets users turn off the service account scanning behaviour. The default is "false" so the creds-init behaviour remains enabled. Disabling creds-init can be desirable for a lot of reasons: 1. The process is opaque and difficult to debug 2. It's not particularly well suited for non-root, multi-UID tasks. 3. Only a limited set of credential types are supported Warning: Disabling creds-init will largely prevent Git and Image PipelineResources from working.
The following is the coverage report on the affected files.
|
/test pull-tekton-pipeline-go-coverage |
The following is the coverage report on the affected files.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
Fixes #2791
Prior to this commit Tekton scans service accounts attached to taskruns
and mounts secrets matching a specific format into all the Steps of a
Task. Then the entrypoint goes through those secrets and copies them
to the user's home directory so they can be used by
git
,docker
, etcThis commit adds a feature-flag,
disable-creds-init
, that lets usersturn off the service account scanning behaviour. The default is "false"
so the creds-init behaviour remains enabled. Disabling creds-init can be
desirable for a lot of reasons:
Warning: Disabling creds-init will probably break PipelineResources.
Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmd
dir, please updatethe release Task to build and release this image.
Release Notes