readOnly flag on workspace declarations #1760

Merged
merged 1 commit into from Dec 20, 2019

@ghost ghost commented Dec 17, 2019

Changes

Introduce a readOnly flag to workspace declarations on tasks. This flag allows a task to declare whether it needs to write files to a workspace or simply read from it.

Setting this flag to true will result in a volumeMount on the container with its readOnly flag also set to true.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

Release Notes

A Task's workspaces can be declared as readOnly: true. When this is set, the underlying volume mount will likewise be marked as read-only and the task will not be able to write to the volume.
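
How the flag described above is declared, and the mount it produces, as an added example that is not part of this PR. The Task, step and workspace names, the apiVersion and the volume-name placeholder are assumptions.

```yaml
# Added example; names, image and apiVersion are assumptions, not from the PR.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: read-config            # hypothetical task name
spec:
  workspaces:
    - name: config             # hypothetical workspace name
      readOnly: true           # the task only reads from this workspace
  steps:
    - name: check-write-blocked
      image: ubuntu
      script: |
        #!/usr/bin/env bash
        # Fail the step if the write goes through, so a mount that is not
        # read-only is reported instead of being masked.
        if echo "goodbye" > "$(workspaces.config.path)/foo" 2>/dev/null; then
          echo "write to read-only workspace succeeded" >&2
          exit 1
        fi
        echo "write rejected as expected"
---
# Shape of the resulting mount on the step container. The volume name is
# chosen by the controller and is shown here only as a placeholder.
# volumeMounts:
#   - name: <generated-volume-name>
#     mountPath: /workspace/config
#     readOnly: true
```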

@ghost ghost requested a review from bobcatfish December 17, 2019 19:23
@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 17, 2019
@googlebot googlebot added the cla: yes Trying to make the CLA bot happy with ppl from different companies work on one commit label Dec 17, 2019
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Dec 17, 2019
@ghost ghost changed the title WIP readOnly flag on workspace declarations readOnly flag on workspace declarations Dec 17, 2019
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 17, 2019

@dibyom dibyom left a comment

Code LGTM!

  • Could you add release notes to the PR description?
  • How hard would it be to add an e2e test for this?

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2019

ghost commented Dec 17, 2019

> How hard would it be to add an e2e test for this?

I added an example taskrun yaml to try and avoid writing a full e2e test. But I'm happy to write one too. Will pick this up tomorrow.

script: cat $(workspaces.write-allowed.path)/foo | grep "hello"
- name: write-disallowed
image: ubuntu
script: echo "goodbye" > $(workspaces.write-disallowed.path)/foo || true
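
Review bot: In the write-disallowed step, `|| true` forces exit 0 whether the write to $(workspaces.write-disallowed.path)/foo is rejected or succeeds, so this example still passes if the readOnly mount is never applied. Make a successful write fail the step (test the exit status of the echo and exit non-zero when it is 0) so the example actually exercises the flag.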

Nice!

`|| touch write-failed.txt` then checking if the file exists would give you a stronger signal that the write operation failed, and didn't just succeed to write and then the contents were lost.

good call.


dibyom commented Dec 17, 2019

> I added an example taskrun yaml to try and avoid writing a full e2e test. But I'm happy to write one too. Will pick this up tomorrow.

Should have looked at the YAML test in more detail 😄
The only advantage of an e2e test would be to explicitly verify that the read is disallowed which the YAML test has to resort back to `|| true`. Now, if only we had a way to ignore such failures ... 😉 #1684

@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 19, 2019
@tekton-robot

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| test/builder/step.go | 10.0% | 9.5% | -0.5 |


ghost commented Dec 19, 2019

I've added an e2e test that attempts to write to a readOnly workspace and then checks the log output to confirm that the attempted write causes an error.

@tekton-robot

The following is the coverage report on pkg/.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| test/builder/step.go | 10.0% | 14.3% | 4.3 |

Introduce a readOnly flag to workspace declarations on tasks. This flag
allows a task to declare whether it needs to write files to a workspace
or simply read from it.

Setting this flag to true will result in a volumeMount on the container
with its readOnly flag also set to true.


@vdemeester vdemeester left a comment

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 20, 2019
@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, vdemeester

@tekton-robot tekton-robot merged commit 03d970c into tektoncd:master Dec 20, 2019
@ghost ghost deleted the workspace-readonly branch December 20, 2019 15:08
@bobcatfish

Part of #1438
