Container Contract

Each container image used as a step in a Task must comply with aspecific contract.

Entrypoint

When containers are run in a Task, the entrypoint of the container will beoverwritten with a custom binary that ensures the containers within the Taskpod are executed in the specified order. As such, it is always recommended toexplicitly specify a command.

When command is not explicitly set, the controller will attempt to lookup theentrypoint from the remote registry. If the image is a private registry, theservice account should include anImagePullSecret.The Tekton controller will use the ImagePullSecret of the service account, andif service account is empty, default is assumed. Next is falling back todocker config added in a .docker/config.json at $HOME/.docker/config.json.If none of these credentials are available the controller will try to lookup theimage anonymously.

For example, in the following Task with the images,gcr.io/cloud-builders/gcloud and gcr.io/cloud-builders/docker, theentrypoint would be resolved from the registry, resulting in the tasks runninggcloud and docker respectively.

  1. spec:
  2.   steps:
  3.     - image: gcr.io/cloud-builders/gcloud
  4.       command: [gcloud]
  5.     - image: gcr.io/cloud-builders/docker
  6.       command: [docker]

However, if the steps specified a custom command, that is what would be used.

  1. spec:
  2.   steps:
  3.     - image: gcr.io/cloud-builders/gcloud
  4.       command:
  5.         - bash
  6.         - -c
  7.         - echo "Hello!"

You can also provide args to the image’s command:

  1. steps:
  2.   - image: ubuntu
  3.     command: ["/bin/bash"]
  4.     args: ["-c", "echo hello $FOO"]
  5.     env:
  6.       - name: "FOO"
  7.         value: "world"