I am trying to run /kaniko/executor in a corporate OKD cluster to build Docker images as part of the CI process using Jenkins. This is the first time we are trying to introduce kaniko in our OKD cluster.
The Jenkins agent workload runs as a pod inside the OKD cluster and kaniko runs as a container within the pod.
I could see that the kaniko file system is root-owned. The current CI process in the org requires the runner pods to execute as non-root in the OKD cluster.
Is there a way I can execute /kaniko/executor as a non-root user instead of root?
Kaniko image - gcr.io/kaniko-project/executor:v1.5.1-debug
PS: I tried to build /kaniko/executor from source, added full permissions (chmod -R 777) to the /kaniko and /workspace directories in the Dockerfile, and built the new image.
When I tried to execute the /kaniko/executor command, I got the error below.
Error: error resolving dockerfile path: copying dockerfile: chown /kaniko/Dockerfile: operation not permitted
Any suggestions to get this to work?
Doesn't seem to be possible, judging from:

- this Red Hat blog on `kaniko` in OpenShift, which uses this setting: `spec.securityContext.runAsUser: 0`
- my tests of simple `kaniko` builds attempted when the Kaniko container (mirekphd/ml-kaniko) is run in both `docker` and `podman` simulating OpenShift security constraints (`-u 12345 --cap-drop=all`), which involved even some customized (i.e. deliberately weakened) `kaniko` images.

This applies to `podman build` (`buildah bud`) when run inside a container in OpenShift (or equivalents, e.g. simulated with `docker run` or `podman run` with a non-zero UID).
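
A CI pre-flight check for the situation discussed above, as an added example that is not part of the answer or of the kaniko project: it resolves the `runAsUser` and `runAsNonRoot` values a kaniko container will actually request, using the Kubernetes rule that a container-level `securityContext` field overrides the pod-level one. The function names, the image-matching rule and the sample pod are assumptions made for this example.

```python
def effective_security(pod_spec, container):
    """Merge the two fields the way Kubernetes does: a value set on the
    container's securityContext overrides the pod-level value."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return {f: ctr_sc.get(f, pod_sc.get(f)) for f in ("runAsUser", "runAsNonRoot")}


def check_kaniko_pod(pod, image_marker="kaniko"):
    """Return {container name: verdict} for every container whose image
    contains image_marker (a matching rule assumed for this example)."""
    spec = pod["spec"]
    verdicts = {}
    for ctr in spec.get("containers", []):
        if image_marker not in ctr.get("image", ""):
            continue
        sc = effective_security(spec, ctr)
        uid, non_root = sc["runAsUser"], bool(sc["runAsNonRoot"])
        if uid == 0 and non_root:
            # Pod-level runAsNonRoot still applies after a container-level UID override.
            verdict = "conflict: runAsUser 0 with runAsNonRoot true, container will not start"
        elif uid == 0:
            verdict = "root: matches the answer, needs a policy that admits UID 0"
        elif uid is None:
            verdict = "unset: UID comes from the image or the cluster policy"
        else:
            verdict = f"non-root UID {uid}: expect the chown failure from the question"
        verdicts[ctr["name"]] = verdict
    return verdicts


# Constructed sample: a Jenkins agent pod that is non-root at pod level,
# with a kaniko container that overrides only runAsUser.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsUser": 12345, "runAsNonRoot": True},
        "containers": [
            {"name": "jnlp", "image": "jenkins/inbound-agent"},
            {"name": "kaniko",
             "image": "gcr.io/kaniko-project/executor:v1.5.1-debug",
             "securityContext": {"runAsUser": 0}},
        ],
    }
}

if __name__ == "__main__":
    for name, verdict in check_kaniko_pod(SAMPLE_POD).items():
        print(f"{name}: {verdict}")
```
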