[git-clone] Update docs, etc for nonroot user

This commit updates the docs, samples and tests required to run this task as a non-root user. Fix tektoncd#1044
abayer · Aug 18, 2022 · e91c913 · e91c913
1 parent 231510b
commit e91c913
Show file tree

Hide file tree

Showing 7 changed files with 86 additions and 1 deletion.
diff --git a/task/git-clone/0.8/README.md b/task/git-clone/0.8/README.md
@@ -1,6 +1,8 @@
 # `git-clone`
 
-**Please Note: this Task is only compatible with Tekton Pipelines versions 0.29.0 and greater!**
+**Note: this Task is only compatible with Tekton Pipelines versions 0.29.0 and greater!**
+
+**Note: this Task is not backwards compatible with the previous versions as it is now run as a non-root user!**
 
 This `Task` has two required inputs:
 
@@ -20,6 +22,44 @@ workspace will end up owned by user 65532.
 
 ## Workspaces
 
+**Note**: This task is run as a non-root user with UID 65532 and GID 65532.
+Generally, the default permissions for storage volumes are configured for the
+root user. To make the volumes accessible by the non-root user, you will need
+to either configure the permissions manually or set the `fsGroup` field under
+`PodSecurityContext` in your TaskRun or PipelineRun.
+
+An example PipelineRun will look like:
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: git-clone-
+spec:
+  pipelineRef:
+    name: git-clone-pipeline
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
+...
+...
+```
+
+An example TaskRun will look like:
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  name: taskrun
+spec:
+  taskRef:
+    name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
+...
+...
+```
+
 * **output**: A workspace for this Task to fetch the git repository in to.
 * **ssh-directory**: An optional workspace to provide SSH credentials. At
   minimum this should include a private key but can also include other common

diff --git a/task/git-clone/0.8/samples/git-clone-checking-out-a-branch.yaml b/task/git-clone/0.8/samples/git-clone-checking-out-a-branch.yaml
@@ -59,6 +59,9 @@ metadata:
 spec:
   pipelineRef:
     name: cat-branch-readme
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   workspaces:
   - name: shared-data
     volumeClaimTemplate:

diff --git a/task/git-clone/0.8/samples/git-clone-checking-out-a-commit.yaml b/task/git-clone/0.8/samples/git-clone-checking-out-a-commit.yaml
@@ -95,6 +95,9 @@ metadata:
 spec:
   pipelineRef:
     name: checking-out-a-revision
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   workspaces:
   - name: shared-data
     volumeClaimTemplate:

diff --git a/task/git-clone/0.8/samples/git-clone-for-ssl-ca.yaml b/task/git-clone/0.8/samples/git-clone-for-ssl-ca.yaml
@@ -60,6 +60,9 @@ metadata:
 spec:
   pipelineRef:
     name: cat-branch-readme
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   workspaces:
   - name: shared-data
     volumeClaimTemplate:

diff --git a/task/git-clone/0.8/samples/git-clone-sparse-checkout.yaml b/task/git-clone/0.8/samples/git-clone-sparse-checkout.yaml
@@ -60,6 +60,9 @@ metadata:
 spec:
   pipelineRef:
     name: sparse-checkout-list-dir
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   workspaces:
   - name: shared-data
     volumeClaimTemplate:

diff --git a/task/git-clone/0.8/samples/using-git-clone-result.yaml b/task/git-clone/0.8/samples/using-git-clone-result.yaml
@@ -66,6 +66,9 @@ metadata:
 spec:
   pipelineRef:
     name: validate-tag-sha
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   workspaces:
   - name: output
     emptyDir: {}  # We don't care about the repo contents in this example, just the "commit" result

diff --git a/task/git-clone/0.8/tests/run.yaml b/task/git-clone/0.8/tests/run.yaml
@@ -9,6 +9,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -23,6 +26,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -39,6 +45,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/githubtraining/example-dependency
@@ -53,6 +62,9 @@ spec:
   workspaces:
     - name: output
       emptyDir: {}
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   taskRef:
     name: git-clone
   params:
@@ -71,6 +83,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -89,6 +104,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -105,6 +123,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -121,6 +142,9 @@ spec:
       emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -137,6 +161,9 @@ spec:
     emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode
@@ -153,6 +180,9 @@ spec:
     emptyDir: {}
   taskRef:
     name: git-clone
+  podTemplate:
+    securityContext:
+      fsGroup: 65532
   params:
     - name: url
       value: https://github.com/kelseyhightower/nocode