从tekton hub安装git clone任务
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.9/git-clone.yaml字符串
Git Secret
apiVersion: v1
kind: Secret
metadata:
name: git-ssh-key-secret
namespace: tekton-pipelines
annotations:
tekton.dev/git-0: bitbucket.org # Described below
type: kubernetes.io/ssh-auth
stringData:
ssh-privatekey: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
known_hosts: |
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBLp1vN1/wsjk=
bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
bitbucket.org ecdsa-sha2-nistp256 AAAAWdxMWWOGtZ9UgbqgZE=
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeixHv4M=
[source.developers.google.com]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
git.jetbrains.space ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCa5qcmbt2HCiQb54RrOXIsYLV+fbowckyuhZqe/IALABRjiCPz4SwkC3e9PHRZPJBsr9svjVRgUgbIUc8/xvD/b9F0i6dN78v48D0zQmMx型
ServiceAccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: git-service-account
namespace: tekton-pipelines
secrets:
- name: git-ssh-key-secret型
管道.yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: ft-common
namespace: tekton-pipelines
spec:
description: >-
Clone a git repository. This example pipeline demonstrates the following:
How to use the git-clone catalog Task
params:
- name: repo-url
type: string
description: The git clone repository url
workspaces:
- name: shared-workspace
description: The GCS location will be copied into this workspace.
tasks:
- name: clone-repository
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: "$(params.repo-url)"
- name: deleteExisting
value: "true"型
流水线运行.yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: ft-common-run
namespace: tekton-pipelines
spec:
serviceAccountName: git-service-account
pipelineRef:
name: ft-common
podTemplate:
securityContext:
fsGroup: 65532
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
- name: gcp-secret
secret:
secretName: gcp-service-account-key
- name: git-secret
secret:
secretName: git-ssh-key-secret
params:
- name: repo-url
value: git@bitbucket.org:anandjaisy/common.git型
保持获取异常为pods "ft-common-run-clone-repository-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prepare", "place-scripts", "step-clone" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "prepare", "place-scripts", "step-clone" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "prepare", "place-scripts" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "prepare", "place-scripts", "step-clone" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1条答案
按热度按时间mnemlml81#
在最新版本发布中有一些变化,这里是详细信息https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#running-taskruns-and-pipelineruns-with-restricted-pod-security-standards
注意:不鼓励在“tekton-pipeline”命名空间中运行TaskRuns和PipelineRuns。
这意味着您不能在tekton-pipelines命名空间中运行TaskRuns和PipelineRuns。所以我们必须创建自己的命名空间
解决问题的步骤
1.从URL中插入所有Tekton-pipeline组件,这些组件将安装在Tekton-pipeline命名空间中
1.使用
kubectl create namespace <your-namespace-name>创建自己的命名空间1.使用
kubectl config set-context --current --namespace=$tekton_namespace切换到命名空间1.应用
pileline.yaml和pileline-run.yaml这应该能解决安全问题