2

我想在工作区目录中创建一个文件。但只有当我以 root 身份运行时,我才能做到这一点

securityContext:
       runAsUser: 0

如果我将其留空或想以用户 1001 身份运行,它会给我触摸:无法触摸 '/workspace/workspace_folder/test.txt':权限被拒绝 似乎在创建工作区目录时它归用户 99 所有

重现问题的步骤

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: echo-hello-world
spec:
  steps:
    - name: echo
      image: ubuntu
      script: |
        #!/bin/bash
        echo "Current user is"
        whoami
        ls -l
        echo "creating a file in the workspace"
        touch /workspace/workspace_folder/test.txt
      # securityContext:
      #   runAsUser: 0
  workspaces:
  - name: task-workspace
    description: |
      The folder where we write the message to. If no workspace
      is provided then the message will not be written.
    mountPath: /workspace/workspace_folder
---

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: echo-pipeline
spec:
  workspaces:
    - name: pipeline-workspace
  tasks:
    - name: echo-task
      taskRef:
        name: echo-hello-world
      workspaces:
        - name: task-workspace
          workspace: pipeline-workspace
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: echo-pipelinerun-6
spec:
  pipelineRef:
    name: echo-pipeline
  workspaces:
    - name: pipeline-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi

运行上述管道时的输出

Current user is
1000840000
total 4
drwxr-xr-x. 2 99 99 4096 May 18 01:48 workspace_folder
creating a file in the workspace
touch: cannot touch '/workspace/workspace_folder/test.txt': Permission denied
4

1 回答 1

0

我认为这是设计使然。如果我没记错的话,如果没有定义适当的安全上下文,Kubernetes 中的任何容器都将在没有 root 权限的情况下运行。由于 Tekton 任务也只是 pod,因此它们很可能由特权最低的安全上下文组成。您应该能够在 Tekton-pipelines 的源代码中验证这一点。

如果你真的需要一个特殊的工作区卷,我想你可以在这里disable-working-directory-overwrite启用功能标志。要么更改任务规范中的工作目录,要么使用自定义 pod 规范?

于 2021-06-29T20:09:50.147 回答