Tekton pipeline cannot create file in the workspace directory unless running as root


I want to create a file in the workspace directory. But I can only do that if I run as root with

securityContext:
  runAsUser: 0

If I leave it blank or run as user 1001, it gives me:

touch: cannot touch '/workspace/workspace_folder/test.txt': Permission denied

It seems like when the workspace directory gets created it is owned by user 99.

Steps to Reproduce the Problem

apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: echo-hello-world
spec:
  steps:
    - name: echo
      image: ubuntu
      script: |
        #!/bin/bash
        echo "Current user is"
        whoami
        ls -l
        echo "creating a file in the workspace"
        touch /workspace/workspace_folder/test.txt
      # securityContext:
      #   runAsUser: 0
  workspaces:
  - name: task-workspace
    description: |
      The folder where we write the message to. If no workspace
      is provided then the message will not be written.
    mountPath: /workspace/workspace_folder
---

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: echo-pipeline
spec:
  workspaces:
    - name: pipeline-workspace
  tasks:
    - name: echo-task
      taskRef:
        name: echo-hello-world
      workspaces:
        - name: task-workspace
          workspace: pipeline-workspace
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: echo-pipelinerun-6
spec:
  pipelineRef:
    name: echo-pipeline
  workspaces:
    - name: pipeline-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi

Output when I run the above pipeline

Current user is
1000840000
total 4
drwxr-xr-x. 2 99 99 4096 May 18 01:48 workspace_folder
creating a file in the workspace
touch: cannot touch '/workspace/workspace_folder/test.txt': Permission denied

There are 2 best solutions below


I think this is by design. If I recall correctly, any container in Kubernetes will run without root privileges if a proper security context is not defined. Since the Tekton tasks are also just pods, they will likely be composed with a least privileged security context. You should be able to verify that in the Tekton-pipelines' source.

If you really need a special workspace volume, I guess you could enable the disable-working-directory-overwrite feature-flag here. And either change the working directory in your task spec or use a custom pod spec?


You can attach a securityContext to your PipelineRun:

podTemplate:
  securityContext:
    fsGroup: 65532

and the final YAML for the PipelineRun should look like this:

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: echo-pipelinerun-6
spec:
  pipelineRef:
    name: echo-pipeline
  podTemplate:
    securityContext:
      fsGroup: 65532
  workspaces:
    - name: pipeline-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
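Why fsGroup makes the difference, as an added illustration that is not part of the answer above: the step runs as uid 1000840000 with no supplemental groups, the workspace directory is 99:99 with mode drwxr-xr-x, so the POSIX access check falls through to the "other" bits and write is denied. Setting fsGroup makes the kubelet change the group of the mounted volume to that gid, add group read/write, set the setgid bit on directories, and add the gid to the container's supplemental groups, so the "group" bits now apply. The script below models exactly that check; the uid, ownership and mode come from the question's output, the fsGroup value from the answer, and the description of the kubelet's ownership management is my assumption about Kubernetes behaviour for volume types that support it, not Tekton code.

```python
"""Model of the permission check behind the 'Permission denied' in the question,
and of what the kubelet does to a volume when fsGroup is set on the Pod.

Added example. Inputs are the values from the question (uid 1000840000, directory
owned by 99:99 with mode drwxr-xr-x) and the answer (fsGroup: 65532). The fsGroup
handling (chgrp to fsGroup, add group rw, setgid on directories, gid added to the
process's supplemental groups) is an assumption about kubelet behaviour for volumes
that support ownership management; it is not Tekton's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

ROOT_UID = 0
S_ISGID = 0o2000


@dataclass(frozen=True)
class Entry:
    mode: int  # permission bits, including setuid/setgid/sticky
    uid: int
    gid: int


def parse_ls_mode(mode_str: str) -> int:
    """Convert an 'ls -l' mode column such as 'drwxr-xr-x.' into numeric bits.
    A trailing '.' or '+' (SELinux label / ACL marker) is ignored."""
    if len(mode_str) not in (10, 11):
        raise ValueError(f"unexpected mode string: {mode_str!r}")
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        shift = 6 - 3 * (i // 3)  # owner=6, group=3, other=0
        slot = i % 3              # 0=r, 1=w, 2=x
        if ch == "-":
            continue
        if slot == 0 and ch == "r":
            bits |= 0o4 << shift
        elif slot == 1 and ch == "w":
            bits |= 0o2 << shift
        elif slot == 2 and ch in "xsStT":
            if ch in "xst":            # lower-case letters carry the exec bit too
                bits |= 0o1 << shift
            if ch in "sS":             # setuid in the owner triple, setgid in the group triple
                bits |= 0o4000 if i // 3 == 0 else S_ISGID
            elif ch in "tT":
                bits |= 0o1000
        else:
            raise ValueError(f"bad character {ch!r} in {mode_str!r}")
    return bits


def can_write(entry: Entry, uid: int, gids: frozenset[int]) -> bool:
    """Classic POSIX discretionary check for the write bit. Ignores ACLs and
    MAC systems (which can only deny further) and capabilities other than root."""
    if uid == ROOT_UID:
        return True
    if uid == entry.uid:
        return bool(entry.mode & 0o200)
    if entry.gid in gids:
        return bool(entry.mode & 0o020)
    return bool(entry.mode & 0o002)


def apply_fsgroup(entry: Entry, fs_group: int, is_dir: bool) -> Entry:
    """Modelled kubelet volume ownership management (assumption): chgrp to fsGroup,
    add group read/write, and setgid on directories so new files inherit the group."""
    mode = entry.mode | 0o060
    if is_dir:
        mode |= S_ISGID
    return replace(entry, gid=fs_group, mode=mode)


def container_gids(fs_group: int | None, supplemental: tuple[int, ...] = ()) -> frozenset[int]:
    """Groups the step's process holds: supplementalGroups plus fsGroup when set."""
    gids = set(supplemental)
    if fs_group is not None:
        gids.add(fs_group)
    return frozenset(gids)


def diagnose(ls_line: str, uid: int, fs_group: int | None = None) -> bool:
    """Given one 'ls -l' line for the workspace directory and the uid the step runs
    as, return whether 'touch' inside that directory is expected to succeed."""
    mode_str, _links, owner, group, *_ = ls_line.split()
    entry = Entry(parse_ls_mode(mode_str), int(owner), int(group))
    if fs_group is not None:
        entry = apply_fsgroup(entry, fs_group, is_dir=mode_str.startswith("d"))
    return can_write(entry, uid, container_gids(fs_group))


# Constructed from the question's output: the workspace as the kubelet mounted it.
WORKSPACE_LINE = "drwxr-xr-x. 2 99 99 4096 May 18 01:48 workspace_folder"
STEP_UID = 1000840000  # the uid the step actually ran as in the question

if __name__ == "__main__":
    print("no securityContext :", diagnose(WORKSPACE_LINE, STEP_UID))         # False
    print("runAsUser: 0       :", diagnose(WORKSPACE_LINE, 0))                # True
    print("fsGroup: 65532     :", diagnose(WORKSPACE_LINE, STEP_UID, 65532))  # True
```

The check that matters is the third line: with fsGroup the directory becomes drwxrwsr-x 99:65532 and the step's process carries gid 65532, so the group write bit applies and root is no longer needed. The model assumes the volume type honours fsGroup (emptyDir and most PVC-backed volumes do; some CSI drivers and hostPath do not), so if the PipelineRun still fails after adding podTemplate.securityContext.fsGroup, re-run the "ls -l" step and compare the group column against the modelled result.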