-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is there a way to run /kaniko/executor as non-root user inside container to build an image? #2146
Comments
Just to add more info - Similar issue reported here - #2122 But the fix recommended to use runAsUser: 0 for securityContext would not work in my case. Would like to know if there is any other alternative to make it work? |
Kaniko currently relies on being run as root. Rootless execution is currently not implemented since it would need executing inside user namespace and map uids/gids. |
@hown3d Thanks for the information. Do you know if that feature of running kaniko as non-root user is being considered and if it is planned for some release version? |
I don't think that running as non-root is currently on the roadmap. If you really need rootless execution for builds of dockerfiles, I would use buildah. |
I tried executing the buildah inside OKD 3.11, but could not proceed with that option as well . That's why thought of using kaniko. Kept getting the below error
|
Sounds alot like this issue: containers/buildah#4049 |
Thanks for sharing . I will take a look at it and come back! |
Hello. Thank you for sharing the previous link related to buildah issue. I was able to build the latest buildah image from RH catalog, and used it inside the OKD cluster and it worked :). |
Neither buildah, nor executor will perform root user build operations for me on OCP without runAsUser:0. This is horseshit. |
It's enough to add But this issue was raised 4 years ago and tagged "wontfix" here: #681 |
Just so you know, I reproduce the issue recently : With this pipeline: https://github.com/idrissneumann/action-kaniko/actions/runs/5600342381/jobs/10242584402 And this pr (that tries to change the user that is running the process): https://github.com/idrissneumann/action-kaniko/pull/4/files |
Hi guys, i'm facing this issue also, do i need to keep this on track or i must to forget about running kaniko container as non root user to build images ? |
Hey, I'm also running into this issue. Running as non root is sadly required for me as well as using a stricter securityContext for the Kaniko container. If there are any updates on this topic, I would be happy to hear about it. |
any update? |
I am trying to run /kaniko/executor in corporate OKD cluster to build docker images as part of CI process using Jenkins. This is the first time we are trying to introduce kaniko in our OKD cluster .
The Jenkins agent workload runs as pod inside the OKD cluster and kaniko runs as a container within the pod.
I could see the kaniko file system is root owned. The current CI process in the org requires the runner pods to execute as non root in the OKD cluster.
Is there a way I can execute the /kaniko/executor as non-root user instead of root?
Kaniko image - gcr.io/kaniko-project/executor:v1.5.1-debug
PS: I tried to build the /kaniko/executor from source and tried adding full permissions (chmod -R 777) to /kaniko and /workspace directories in the Dockerfile and built the new image.
When tried to execute the /kaniko/executor command, got the below error.
Error: error resolving dockerfile path: copying dockerfile: chown /kaniko/Dockerfile: operation not permitted
Any suggestions to get this work?
The text was updated successfully, but these errors were encountered: