I'm just starting to learn Tekton. I have a Tekton Pipeline that contains the following, taken from this article:
```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: clone-read
spec:
  description: |
    This pipeline clones a git repo, then echoes the README file to stdout.
  params:
  - name: repo-url
    type: string
    description: The git repo URL to clone from.
  workspaces:
  - name: shared-data
    description: |
      This workspace contains the cloned repo files, so they can be read by the
      next task.
  - name: git-credentials
    description: My ssh credentials
  tasks:
  - name: fetch-source
    taskRef:
      kind: ClusterTask
      name: git-clone
    workspaces:
    - name: output
      workspace: shared-data
    - name: ssh-directory
      workspace: git-credentials
    params:
    - name: url
      value: $(params.repo-url)
    - name: revision
      value: branch-name
    - name: submodules
      value: 'true'
    - name: depth
      value: '1'
    - name: sslVerify
      value: 'true'
    - name: sparseCheckoutDirectories
      value: /path/to/directory/
    - name: deleteExisting
      value: 'true'
    - name: verbose
      value: 'true'
    - name: gitInitImage
      value: >-
        registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:<hash>
    - name: userHome
      value: /tekton/home
  - name: show-readme
    runAfter: ["fetch-source"]
    taskRef:
      name: show-readme
    workspaces:
    - name: source
      workspace: shared-data
```
When I run it, the Events tab shows these 2 events, and it keeps posting them over and over. By the time I stopped it, they had been posted 119 times in 30 minutes:

```text
Error: container has runAsNonRoot and image will run as root (pod: "clone-read-2ol4nq-fetch-source-7xfk6-pod-7w7jx_()", container: place-tools)
Container image "registry.redhat.io/openshift-pipelines/pipelines-entrypoint-rhel8@sha256:" already present on machine
```

How do I fix them?
For the record, Tekton ships with several such images in OpenShift, and these images do not need to run as privileged. The way OpenShift allows this is that you should have an SCC (pipelines-scc), a ClusterRole (pipelines-scc-clusterrole), and, in each namespace: a ServiceAccount (pipeline) and a RoleBinding (pipelines-scc-rolebinding).

So the "pipeline" ServiceAccount is granted use of Tekton's SCC, e.g. all containers related to "pipeline" may run as root.

Yes, the OpenShift Pipelines operator shamelessly ships containers, such as their git-clone, that would run as root ... unless you write your own PipelineRun forcing your own securityContext on the task containers.

Back to your error: I suspect you are not using the "pipeline" ServiceAccount. Don't force any securityContext in your PipelineRun definition. Please share your PipelineRun object, or make sure you are not setting serviceAccount in it.
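As an added example (not from the question or the answer above), here is a PipelineRun for the clone-read Pipeline that runs under the "pipeline" ServiceAccount the answer describes and sets no securityContext or pod template override. The repository URL, the PVC size and the Secret name are assumptions for illustration:

```yaml
# Added example, not part of the original post: a PipelineRun that selects the
# "pipeline" ServiceAccount (bound to pipelines-scc via pipelines-scc-rolebinding)
# and deliberately sets no securityContext, podTemplate or taskRunSpecs.
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: clone-read-run-
spec:
  # Leaving this unset would fall back to the "default" ServiceAccount, which is
  # not bound to pipelines-scc.
  serviceAccountName: pipeline
  pipelineRef:
    name: clone-read
  params:
  - name: repo-url
    value: git@github.com:example-org/example-repo.git   # assumed URL
  workspaces:
  - name: shared-data
    # A fresh PVC per run, so each run starts from an empty workspace.
    volumeClaimTemplate:
      spec:
        accessModes: [ReadWriteOnce]
        resources:
          requests:
            storage: 1Gi   # assumed size
  - name: git-credentials
    # Assumed Secret name; the git-clone task reads id_rsa, known_hosts and
    # config from the mounted ssh-directory workspace.
    secret:
      secretName: git-ssh-credentials
```

After `oc create -f` on this file, the pods created for the run carry an `openshift.io/scc` annotation naming the SCC that admitted them; `oc get pod -l tekton.dev/pipelineRun=<run-name> -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'` should print `pipelines-scc`. If it prints `restricted` or `restricted-v2` instead, check that `oc get rolebinding pipelines-scc-rolebinding -n <namespace>` exists and that the ServiceAccount named in the run is `pipeline`.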