Change Details

The [[ https://github.com/buildpacks/spec/blob/bea3a7af28500f4f61d95f65f5bd9331b41599af/platform.md#build-image | cloud-native buildpack specification ]] calls for a statically-defined UID and GID for a builder container. That means that unless we like the notion of exponentially increasing docker image disk space usage, we need to standardize a single UID/GID for buildpack-style containers. We've discovered that a pod security policy can be created that allows that UID but does not allow the primary NFS mount for Toolforge, which prevents conflicts with a tool's permissions on NFS. Let's teach maintain-kubeusers how to create PSP assignments for this and backfill it to existing users to allow the usage of these containers on Toolforge Kubernetes. The PSP required can be shared among all tools since the values are not different per-tool. The roles and bindings need to be created by maintain-kubeusers because those are namespaced (unless this service ends up in a shared namespace--which seems unlikely because of quotas).

The [[ https://github.com/buildpacks/spec/blob/bea3a7af28500f4f61d95f65f5bd9331b41599af/platform.md#build-image | cloud-native buildpack specification ]] calls for a statically-defined UID and GID for a builder container. That means that unless we like the notion of exponentially increasing docker image disk space usage, we need to standardize a single UID/GID for buildpack-style containers, which we've decided will be 61312. We've discovered that a pod security policy can be created that allows that UID but does not allow the primary NFS mount for Toolforge, which prevents conflicts with a tool's permissions on NFS. Let's teach maintain-kubeusers how to create PSP assignments for this and backfill it to existing users to allow the usage of these containers on Toolforge Kubernetes. The PSP required can be shared among all tools since the values are not different per-tool. The roles and bindings need to be created by maintain-kubeusers because those are namespaced (unless this service ends up in a shared namespace--which seems unlikely because of quotas).

The [[ https://github.com/buildpacks/spec/blob/bea3a7af28500f4f61d95f65f5bd9331b41599af/platform.md#build-image | cloud-native buildpack specification ]] calls for a statically-defined UID and GID for a builder container. That means that unless we like the notion of exponentially increasing docker image disk space usage, we need to standardize a single UID/GID for buildpack-style containers, which we've decided will be 61312. We've discovered that a pod security policy can be created that allows that UID but does not allow the primary NFS mount for Toolforge, which prevents conflicts with a tool's permissions on NFS. Let's teach maintain-kubeusers how to create PSP assignments for this and backfill it to existing users to allow the usage of these containers on Toolforge Kubernetes. The PSP required can be shared among all tools since the values are not different per-tool. The roles and bindings need to be created by maintain-kubeusers because those are namespaced (unless this service ends up in a shared namespace--which seems unlikely because of quotas).