Add KILL capability for Kaniko executor to allow it to kill non-root processes #654
Conversation
openshift-ci-robot
added
the
release-note
|
Thanks for the fix! And Sascha already verified in our internal env. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: zhangtbj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
lgtm
|
Thanks for adding this! Is this something we should consider adding to the kaniko Task in the Tekton Catalog? |
Feel free to go ahead. Never really looked at this one in the Tekton catalog. Really not a nice one, specifically the digest handling that uses a specific Tekton image and then uses the five years old and probably full of vulnerabilities jq image. |
Changes
For a
RUN somethingcommand, Kaniko triggers a process forsomething. In casesomethingtriggers a daemon process, Kaniko must kill this once the main process is terminated. The reason is that the daemon could otherwise continue to make changes to the file system that will fail the layer creation. SeeRUN <process>can leave processes running in the background #247 for more information.Kaniko is running as root. If the daemon process runs as a different user, for example because thee is a
USER nonrootstatement in the Dockerfile before theRUNcommand, then theKILLcapability is necessary.The Kaniko kill logic is here: run.go.
The Secure Your Containers with this One Weird Trick blog post assesses
KILLon the danger scale, this one is on the low end.A sample Dockerfile that needs this is the Java sample that I added here: sample-java/docker-build. The
RUN configure.shcommand seems to cause some background process that Kaniko requires theKILLcapability because it runs as user 1001. With a PSP in place enforcing the capabilities, the container will fail at this point.Submitter Checklist
Release Notes