Install the git-clone task from Tekton Hub:

kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml

Git Secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-key-secret
  namespace: tekton-pipelines
  annotations:
    tekton.dev/git-0: bitbucket.org # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ...
      -----END OPENSSH PRIVATE KEY-----
  known_hosts: |
          ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
          github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
          github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
          github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBLp1vN1/wsjk=
          bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
          bitbucket.org ecdsa-sha2-nistp256 AAAAWdxMWWOGtZ9UgbqgZE=
          bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeixHv4M=
          [source.developers.google.com]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
          git.jetbrains.space ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCa5qcmbt2HCiQb54RrOXIsYLV+fbowckyuhZqe/IALABRjiCPz4SwkC3e9PHRZPJBsr9svjVRgUgbIUc8/xvD/b9F0i6dN78v48D0zQmMx

ServiceAccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-service-account
  namespace: tekton-pipelines
secrets:
  - name: git-ssh-key-secret

Pipeline.yaml

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: ft-common
  namespace: tekton-pipelines
spec:
  description: >-
    Clone a git repository. This example pipeline demonstrates the following:
    How to use the git-clone catalog Task
  params:
    - name: repo-url
      type: string
      description: The git clone repository url
  workspaces:
    - name: shared-workspace
      description: The GCS location will be copied into this workspace.
  tasks:
    - name: clone-repository
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: shared-workspace
      params:
        - name: url
          value: "$(params.repo-url)"
        - name: deleteExisting
          value: "true"

Pipeline-run.yaml

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: ft-common-run
  namespace: tekton-pipelines
spec:
  serviceAccountName: git-service-account
  pipelineRef:
    name: ft-common
  podTemplate:
    securityContext:
      fsGroup: 65532
  workspaces:
  - name: shared-workspace
    volumeClaimTemplate:
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 2Gi
  - name: gcp-secret
    secret:
      secretName: gcp-service-account-key
  - name: git-secret
    secret:
      secretName: git-ssh-key-secret
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/common.git

I keep getting this exception:

pods "ft-common-run-clone-repository-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prepare", "place-scripts", "step-clone" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "prepare", "place-scripts", "step-clone" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "prepare", "place-scripts" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "prepare", "place-scripts", "step-clone" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

David Maze
San Jaisy

Hi, I've deleted what looked like an actual private key from the text of the question. If it was in fact a real key, please work with your local operations and security teams to deactivate this key; it may have been picked up by Web crawlers and could still be accessible in SO's edit history. – David Maze Jul 21 '23 at 10:42

1 Answer

There were some changes in the latest release; the details are here: https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#running-taskruns-and-pipelineruns-with-restricted-pod-security-standards

Note: running TaskRuns and PipelineRuns in the "tekton-pipelines" namespace is discouraged.

It means that you can't run the TaskRuns and PipelineRuns in the tekton-pipelines namespace, so we have to create our own namespace.

Steps to solve the issue:

  1. Install all the Tekton components from the URL, which will install in the tekton-pipelines namespace

  2. Create your own namespace using kubectl create namespace <your-namespace-name>

  3. Switch to the namespace using kubectl config set-context --current --namespace=$tekton_namespace

  4. Apply your pipeline.yaml and pipeline-run.yaml

This should solve the security issue.

San Jaisy
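As an added example (not Tekton's code and not part of the answer), a small Python pre-flight checker that applies the four restricted-profile rules named in the admission error to a Pod spec before it is submitted, so a violating pod is caught in review rather than at admission. The sample specs are constructed to mirror the failing pod's `prepare`, `place-scripts` and `step-clone` containers, and the hardened spec shows the settings the error asks for; it assumes the spec has already been loaded into a dict.

```python
RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec):
    """Return violation strings for a Pod spec (dict) under the restricted PSS.

    Mirrors the four checks in the admission error: allowPrivilegeEscalation
    and capabilities.drop are per-container; runAsNonRoot and seccompProfile
    may be satisfied at pod level unless a container overrides them.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    pod_non_root = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type") in RESTRICTED_SECCOMP
    out = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc, name = c.get("securityContext") or {}, c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation != false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            out.append(f'{name}: capabilities.drop must include "ALL"')
        non_root = sc["runAsNonRoot"] is True if "runAsNonRoot" in sc else pod_non_root
        if not non_root:
            out.append(f"{name}: runAsNonRoot != true")
        seccomp = sc.get("seccompProfile")
        seccomp_ok = seccomp.get("type") in RESTRICTED_SECCOMP if seccomp else pod_seccomp
        if not seccomp_ok:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def _container(name, **sc):
    # Minimal container entry; only the securityContext matters for these checks.
    return {"name": name, "image": "example/image", "securityContext": sc}


# Constructed to mirror the failing "ft-common-run-clone-repository-pod": Tekton's
# init containers carry no securityContext, the clone step only sets runAsNonRoot.
INSECURE_POD = {
    "initContainers": [_container("prepare"), _container("place-scripts")],
    "containers": [_container("step-clone", runAsNonRoot=True)],
}

# Per-container settings the error asks for; runAsNonRoot and seccompProfile go pod-level.
HARDENED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [_container("prepare", **HARDENED_SC), _container("place-scripts", **HARDENED_SC)],
    "containers": [_container("step-clone", **HARDENED_SC)],
}
```

Note that the `prepare` and `place-scripts` init containers are injected by the Tekton controller, so their securityContext is governed by Tekton's configuration rather than by the PipelineRun's podTemplate alone.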