问题描述
我想在工作区目录中创建一个文件。但是我只能在以 root 身份运行时才能这样做
securityContext:
runAsUser: 0
如果我将其留空或想以用户 1001 身份运行,它会给我触摸:无法触摸“/workspace/workspace_folder/test.txt”:权限被拒绝 创建工作区目录时,它似乎归用户 99
所有重现问题的步骤
apiVersion: tekton.dev/v1alpha1
kind: Task
Metadata:
name: echo-hello-world
spec:
steps:
- name: echo
image: ubuntu
script: |
#!/bin/bash
echo "Current user is"
whoami
ls -l
echo "creating a file in the workspace"
touch /workspace/workspace_folder/test.txt
# securityContext:
# runAsUser: 0
workspaces:
- name: task-workspace
description: |
The folder where we write the message to. If no workspace
is provided then the message will not be written.
mountPath: /workspace/workspace_folder
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
Metadata:
name: echo-pipeline
spec:
workspaces:
- name: pipeline-workspace
tasks:
- name: echo-task
taskRef:
name: echo-hello-world
workspaces:
- name: task-workspace
workspace: pipeline-workspace
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
Metadata:
name: echo-pipelinerun-6
spec:
pipelineRef:
name: echo-pipeline
workspaces:
- name: pipeline-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
运行上述管道时的输出
Current user is
1000840000
total 4
drwxr-xr-x. 2 99 99 4096 May 18 01:48 workspace_folder
creating a file in the workspace
touch: cannot touch '/workspace/workspace_folder/test.txt': Permission denied
解决方法
我认为这是设计使然。如果我没记错的话,如果没有定义正确的 security context,Kubernetes 中的任何容器都将在没有 root 权限的情况下运行。由于 Tekton 任务也只是 pod,它们很可能由最低特权的安全上下文组成。您应该能够在 Tekton-pipelines 的源代码中验证这一点。
如果您确实需要一个特殊的工作区卷,我想您可以启用 disable-working-directory-overwrite 功能标志 here。要么更改任务规范中的工作目录,要么使用自定义 pod 规范?