Add CAP_SYS_ADMIN param to buildah task
This instructs buildah to use --cap-add=SYS_ADMIN.

The capability is not generally safe and should be restricted by both
cluster SecurityContextConstraints and supply chain policy for most
situations.

The param is present for unusual situations where it is required.
ralphbean committed Jun 20, 2024
1 parent 1981d6b commit db344d8
Showing 6 changed files with 45 additions and 0 deletions.
1 change: 1 addition & 0 deletions task/buildah-oci-ta/0.1/README.md
Expand Up @@ -11,6 +11,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|CAP_SYS_ADMIN|Determines if buildah should be invoked with --cap-add SYS_ADMIN|false|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
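Review bot: the new `CAP_SYS_ADMIN` row in this README is inconsistent with the row added to task/buildah/0.1/README.md in the same commit: that one carries the caveat "May be forbidden by the SecurityContextConstraints" and renders the default as `"false"`, while this one has no caveat and shows `false`. Since the flag is security-sensitive, keep the three task READMEs identical, state the accepted values ("true"/"false") and keep the SCC caveat in every copy.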
11 changes: 11 additions & 0 deletions task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
Expand Up @@ -29,6 +29,11 @@ spec:
the prefetched dependencies.
type: string
default: ""
- name: CAP_SYS_ADMIN
description: Determines if buildah should be invoked with --cap-add
SYS_ADMIN
type: string
default: "false"
- name: COMMIT_SHA
description: The image is built from this commit.
type: string
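Review bot: `CAP_SYS_ADMIN` is declared `type: string` with default `"false"`, but the description only says it "Determines if" the flag is added; spell out the accepted values ("true"/"false") so callers do not pass "yes", "1" or similar and get surprising behaviour. Also worth stating in the description, since this change does not touch the step's securityContext: `--cap-add SYS_ADMIN` can only succeed when the buildah step itself already holds CAP_SYS_ADMIN in its bounding set, so on a cluster whose SecurityContextConstraints drop it the build fails rather than quietly running with the capability. The buildah README row in this commit already carries an SCC caveat; mirror it here.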
Expand Down Expand Up @@ -139,6 +144,8 @@ spec:
value: oci
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: CAP_SYS_ADMIN
value: $(params.CAP_SYS_ADMIN)
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
Expand Down Expand Up @@ -252,6 +259,10 @@ spec:
BUILDAH_ARGS+=("--target=${TARGET_STAGE}")
fi
if [ -n "${CAP_SYS_ADMIN}" ]; then
BUILDAH_ARGS+=("--cap-add=SYS_ADMIN")
fi
if [ -n "${BUILD_ARGS_FILE}" ]; then
BUILDAH_ARGS+=("--build-arg-file=$(pwd)/$SOURCE_CODE_DIR/${BUILD_ARGS_FILE}")
fi
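Review bot: the guard `if [ -n "${CAP_SYS_ADMIN}" ]; then` tests for a non-empty string, but the param defaults to the literal string "false", so `--cap-add=SYS_ADMIN` is appended on every build unless the caller explicitly sets CAP_SYS_ADMIN to an empty value. That is the opposite of what the description and the commit message say. Compare against the documented value instead, e.g. `if [ "${CAP_SYS_ADMIN}" = "true" ]; then`, and consider failing the step on any value other than "true" or "false" so a typo cannot silently grant the capability.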
11 changes: 11 additions & 0 deletions task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
Expand Up @@ -29,6 +29,10 @@ spec:
dependencies.
name: CACHI2_ARTIFACT
type: string
- default: "false"
description: Determines if buildah should be invoked with --cap-add SYS_ADMIN
name: CAP_SYS_ADMIN
type: string
- default: ""
description: The image is built from this commit.
name: COMMIT_SHA
Expand Down Expand Up @@ -123,6 +127,8 @@ spec:
value: oci
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: CAP_SYS_ADMIN
value: $(params.CAP_SYS_ADMIN)
- name: CONTEXT
value: $(params.CONTEXT)
- name: DOCKERFILE
Expand Down Expand Up @@ -274,6 +280,10 @@ spec:
BUILDAH_ARGS+=("--target=${TARGET_STAGE}")
fi
if [ -n "${CAP_SYS_ADMIN}" ]; then
BUILDAH_ARGS+=("--cap-add=SYS_ADMIN")
fi
if [ -n "${BUILD_ARGS_FILE}" ]; then
BUILDAH_ARGS+=("--build-arg-file=$(pwd)/$SOURCE_CODE_DIR/${BUILD_ARGS_FILE}")
fi
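Review bot: same logic problem as the buildah-oci-ta script: `[ -n "${CAP_SYS_ADMIN}" ]` is true for the default value "false", so this script adds `--cap-add=SYS_ADMIN` unconditionally. The value reaches the remote build via `-e CAP_SYS_ADMIN="$CAP_SYS_ADMIN"` in the `podman run` invocation later in this file, so remote builds inherit the same behaviour. Use `[ "${CAP_SYS_ADMIN}" = "true" ]` here.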
Expand Down Expand Up @@ -360,6 +370,7 @@ spec:
ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \
-e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
-e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
-e CAP_SYS_ADMIN="$CAP_SYS_ADMIN" \
-e CONTEXT="$CONTEXT" \
-e DOCKERFILE="$DOCKERFILE" \
-e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
11 changes: 11 additions & 0 deletions task/buildah-remote/0.1/buildah-remote.yaml
Expand Up @@ -95,6 +95,10 @@ spec:
data.
name: caTrustConfigMapKey
type: string
- default: "false"
description: Determines if buildah should be invoked with --cap-add SYS_ADMIN
name: CAP_SYS_ADMIN
type: string
- description: The platform to build on
name: PLATFORM
type: string
Expand Down Expand Up @@ -144,6 +148,8 @@ spec:
value: $(params.ENTITLEMENT_SECRET)
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: CAP_SYS_ADMIN
value: $(params.CAP_SYS_ADMIN)
- name: BUILDER_IMAGE
value: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
volumeMounts:
Expand Down Expand Up @@ -266,6 +272,10 @@ spec:
BUILDAH_ARGS+=("--target=${TARGET_STAGE}")
fi
if [ -n "${CAP_SYS_ADMIN}" ]; then
BUILDAH_ARGS+=("--cap-add=SYS_ADMIN")
fi
if [ -n "${BUILD_ARGS_FILE}" ]; then
BUILDAH_ARGS+=("--build-arg-file=$(pwd)/$SOURCE_CODE_DIR/${BUILD_ARGS_FILE}")
fi
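Review bot: `[ -n "${CAP_SYS_ADMIN}" ]` is true for the default "false", so with this change buildah-remote passes `--cap-add=SYS_ADMIN` on every build, and the same string is forwarded to the remote host with `-e CAP_SYS_ADMIN="$CAP_SYS_ADMIN"`. Replace the non-empty test with an explicit comparison, `[ "${CAP_SYS_ADMIN}" = "true" ]`, in all four task scripts touched by this commit.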
Expand Down Expand Up @@ -365,6 +375,7 @@ spec:
-e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \
-e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \
-e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \
-e CAP_SYS_ADMIN="$CAP_SYS_ADMIN" \
-e COMMIT_SHA="$COMMIT_SHA" \
-v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \
-v "$BUILD_DIR/volumes/shared:/shared:Z" \
1 change: 1 addition & 0 deletions task/buildah/0.1/README.md
Expand Up @@ -25,6 +25,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|CAP_SYS_ADMIN|Determines if buildah should be invoked with --cap-add SYS_ADMIN. May be forbidden by the SecurityContextConstraints.|"false"|false|

## Results
|name|description|
10 changes: 10 additions & 0 deletions task/buildah/0.1/buildah.yaml
Expand Up @@ -87,6 +87,10 @@ spec:
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: ca-bundle.crt
- name: CAP_SYS_ADMIN
description: Determines if buildah should be invoked with --cap-add SYS_ADMIN
type: string
default: "false"

results:
- description: Digest of the image just built
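Review bot: the `CAP_SYS_ADMIN` description in this YAML omits the caveat that the matching README row in this commit carries ("May be forbidden by the SecurityContextConstraints"). If the README table is regenerated from these param descriptions the caveat will be dropped, so put the caveat and the accepted values ("true"/"false") in the YAML description and let the README follow from it.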
Expand Down Expand Up @@ -135,6 +139,8 @@ spec:
value: $(params.ENTITLEMENT_SECRET)
- name: BUILD_ARGS_FILE
value: $(params.BUILD_ARGS_FILE)
- name: CAP_SYS_ADMIN
value: $(params.CAP_SYS_ADMIN)

steps:
- image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
Expand Down Expand Up @@ -215,6 +221,10 @@ spec:
BUILDAH_ARGS+=("--target=${TARGET_STAGE}")
fi
if [ -n "${CAP_SYS_ADMIN}" ]; then
BUILDAH_ARGS+=("--cap-add=SYS_ADMIN")
fi
if [ -n "${BUILD_ARGS_FILE}" ]; then
BUILDAH_ARGS+=("--build-arg-file=$(pwd)/$SOURCE_CODE_DIR/${BUILD_ARGS_FILE}")
fi
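Review bot: as in the other three tasks, `if [ -n "${CAP_SYS_ADMIN}" ]; then` is satisfied by the default value "false", so this script always appends `--cap-add=SYS_ADMIN`; the only way to get a build without the capability is to pass an empty string, which the description does not document. Change the condition to `[ "${CAP_SYS_ADMIN}" = "true" ]`.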
