[TEP-0044]: Add details on Hermekton

This commit adds details on the relationship between Hermekton and running multiple Tasks on one pod.
tektoncd · Feb 14, 2022 · 427f779 · 427f779
1 parent 71cf301
commit 427f779
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/teps/0044-data-locality-and-pod-overhead-in-pipelines.md b/teps/0044-data-locality-and-pod-overhead-in-pipelines.md
@@ -2,7 +2,7 @@
 status: proposed
 title: Data Locality and Pod Overhead in Pipelines
 creation-date: '2021-01-22'
-last-updated: '2022-02-02'
+last-updated: '2022-02-07'
 authors:
 - '@bobcatfish'
 - '@lbernick'
@@ -241,6 +241,45 @@ However, the number of Tasks needed may not be known until the previous Task is
 Therefore, we may be able to support running a matrixed Pipeline in a pod only when the full set of parameters is known
 at the start of execution. We may not be able to support dynamic matrix parameters or other forms of dynamic Task creation.
 
+### Hermekton support
+
+[TEP-0025](./0025-hermekton.md) proposes specifying "hermeticity" levels for Tasks or Steps. Hermetic Tasks and Steps cannot
+communicate with non-hermetic Tasks and Steps during execution, meaning that all inputs will be specified prior to Task/Step start.
+This requires isolating the network and filesystem for hermetic Tasks/Steps.
+
+#### Use Cases
+
+TEP-0025 describes some [use cases](./0025-hermekton.md#user-stories-optional) for specifying different levels of hermeticity for
+Tasks in a Pipeline. It's not yet clear whether users would like the ability to specify different levels of hermeticity for Tasks
+that are part of a PipelineRun executed in a pod. Security-minded users might prefer to run their Tasks with different service accounts,
+which is not possible in one pod.
+
+#### Feasibility
+
+A Task can only be considered hermetic if it is unable to communicate with other Tasks during execution, and likewise for Steps.
+If we wanted to support different levels of hermeticity for Tasks run in the same pod, we would need to provide a way for the
+Steps in the hermetic Task to communicate with other Steps in that Task, but not with Steps in other Tasks.
+
+Containers in a pod can [communicate](https://kubernetes.io/docs/concepts/workloads/pods/#resource-sharing-and-communication)
+either via ports or via the filesystem.
+
+Isolating the filesystem of a Task run in the same pod as other Tasks is likely feasible.
+A pod can provide shared volumes for containers to use, meaning that we can control how containers communicate via the filesystem
+by controlling which of the pod's volumes they have access to.
+
+Isolating the network of a Task run in the same pod as other Tasks is more challenging.
+Containers in a pod share a network namespace, and can communicate with each other via localhost.
+This means that it's straightforward to restrict a single container's access to the network within the pod by preventing it from
+communicating via localhost, as is proposed for [Step-level hermeticity](./0025-hermekton.md#api-changes).
+However, it's much more challenging to allow a group of containers to communicate with each other, but not with other containers in a pod,
+a feature that would be necessary to run hermetic and non-hermetic Tasks in the same pod. We could explore using [EBPF](https://ebpf.io/)
+to control the container network, but this is likely a large amount of effort and would not work on all platforms.
+
+We could work around this limitation via a few options:
+1. Requiring that hermetic Tasks have only 1 step if they are run in a pod with other Tasks.
+2. Not allowing Steps within hermetic Tasks to communicate with each other.
+3. Requiring that hermetic Tasks not execute in parallel with other Tasks run in the same pod.
+
 ### Additional Design Considerations
 - Executing an entire Pipeline in a pod, as compared to executing multiple Tasks in a pod, may pave the way for supporting
 [local execution](https://github.com/tektoncd/pipeline/issues/235).

diff --git a/teps/README.md b/teps/README.md
@@ -196,7 +196,7 @@ This is the complete list of Tekton teps:
 |[TEP-0040](0040-ignore-step-errors.md) | Ignore Step Errors | implemented | 2021-08-11 |
 |[TEP-0041](0041-tekton-component-versioning.md) | Tekton Component Versioning | implementable | 2021-04-26 |
 |[TEP-0042](0042-taskrun-breakpoint-on-failure.md) | taskrun-breakpoint-on-failure | implemented | 2021-12-10 |
-|[TEP-0044](0044-data-locality-and-pod-overhead-in-pipelines.md) | Data Locality and Pod Overhead in Pipelines | proposed | 2022-02-02 |
+|[TEP-0044](0044-data-locality-and-pod-overhead-in-pipelines.md) | Data Locality and Pod Overhead in Pipelines | proposed | 2022-02-07 |
 |[TEP-0045](0045-whenexpressions-in-finally-tasks.md) | WhenExpressions in Finally Tasks | implemented | 2021-06-03 |
 |[TEP-0046](0046-finallytask-execution-post-timeout.md) | Finally tasks execution post pipelinerun timeout | implemented | 2021-12-14 |
 |[TEP-0047](0047-pipeline-task-display-name.md) | Pipeline Task Display Name | proposed | 2021-02-10 |