buildah: Report: Error during unshare(CLONE_NEWUSER): Operation not permitted in the non-privileged container of k8s
Hi all,
I need to run buildah to build my source code on a shared kube cluster.
There are several security policies, and we cannot run the container as privileged.
So when I run buildah in a non-privileged container on k8s, it reports this error:
...
time="2020-03-31T13:30:14Z" level=warning msg="The cgroups manager is set to systemd but there is no systemd user session available"
time="2020-03-31T13:30:14Z" level=warning msg="For using systemd, you may need to login using an user session"
time="2020-03-31T13:30:14Z" level=warning msg="Alternatively, you can enable lingering with: `loginctl enable-linger 1000` (possibly as root)"
time="2020-03-31T13:30:14Z" level=warning msg="Falling back to --cgroup-manager=cgroupfs"
Error during unshare(CLONE_NEWUSER): Operation not permitted
level=error msg="error parsing PID \"\": strconv.Atoi: parsing \"\": invalid syntax"
level=error msg="(unable to determine exit status)"
2020/03/31 13:30:14 Skipping step because a previous step failed
2020/03/31 13:30:15 Skipping step because a previous step failed
{"level":"info","ts":1585661399.569302,"caller":"creds-init/main.go:44","msg":"Credentials initialized."}
I also tried the --isolation=chroot parameter for the buildah bud command, but it doesn't work.
And I asked to open all allowedCapabilities, which also doesn't work:
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
I run buildah using this Tekton task: https://github.com/tektoncd/catalog/blob/master/buildah/buildah.yaml#L43
I saw that many people have had this problem before, but I didn't see a final solution: https://github.com/containers/buildah/issues/1011
I think buildah should work like other builders such as kaniko, which can build without being privileged.
Can someone help me?
Thanks a lot!
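An added diagnostic to run inside the non-privileged pod before changing any policy (this script is not part of the issue, the Tekton task, or buildah). It assumes the two usual reasons for unshare(CLONE_NEWUSER) returning EPERM in a pod: user namespaces disabled on the node by sysctl (user.max_user_namespaces, or kernel.unprivileged_userns_clone on Debian/Ubuntu kernels), or a seccomp profile such as runtime/default filtering unshare/clone with namespace flags. It reads the relevant files, tries the same syscall via unshare -U, and prints a verdict; all function names and the sample status file are this script's own.

```shell
#!/bin/sh
# Added diagnostic script, not part of the issue or of buildah: run it inside the
# non-privileged pod to see which layer rejects unshare(CLONE_NEWUSER).
# Assumed causes: (a) user namespaces disabled on the node by sysctl,
# (b) a seccomp profile (e.g. runtime/default) filtering unshare/clone flags.
# All function and file names below are this script's own.

# Print the Seccomp mode from a /proc/<pid>/status-style file ($1):
# 0 = disabled, 1 = strict, 2 = filter. Prints "unknown" if the field is absent.
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found = 1 } END { if (!found) print "unknown" }' "$1"
}

# Print the NoNewPrivs flag (0/1) from a status file ($1), or "unknown".
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 } END { if (!found) print "unknown" }' "$1"
}

# Print the value of a sysctl file ($1), or "unavailable" when it does not exist
# (kernel.unprivileged_userns_clone only exists on Debian/Ubuntu kernels).
sysctl_value() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo unavailable; fi
}

# Try the same operation buildah performs: create a new user namespace.
userns_probe() {
    if ! command -v unshare >/dev/null 2>&1; then echo "unshare not installed"; return; fi
    if unshare -U true 2>/dev/null; then echo allowed; else echo denied; fi
}

# Turn the collected values into a verdict. Arguments:
#   $1 seccomp mode, $2 user.max_user_namespaces, $3 kernel.unprivileged_userns_clone
explain_eperm() {
    if [ "$2" = 0 ]; then
        echo "user namespaces disabled: user.max_user_namespaces=0 on the node"
    elif [ "$3" = 0 ]; then
        echo "user namespaces disabled: kernel.unprivileged_userns_clone=0 on the node"
    elif [ "$1" = 2 ]; then
        echo "seccomp filter active: the pod's profile may deny unshare/clone(CLONE_NEWUSER); a profile that permits them is needed"
    else
        echo "no kernel-side block found: check AppArmor/SELinux and the container runtime"
    fi
}

# Live report for the current process.
diagnose() {
    mode=$(seccomp_mode_from_status /proc/self/status)
    maxns=$(sysctl_value /proc/sys/user/max_user_namespaces)
    clone=$(sysctl_value /proc/sys/kernel/unprivileged_userns_clone)
    echo "Seccomp mode:                      $mode"
    echo "NoNewPrivs:                        $(nnp_from_status /proc/self/status)"
    echo "user.max_user_namespaces:          $maxns"
    echo "kernel.unprivileged_userns_clone:  $clone"
    echo "unshare -U probe:                  $(userns_probe)"
    echo "Verdict: $(explain_eperm "$mode" "$maxns" "$clone")"
}

# Constructed sample status file (not captured from a real pod) so the parsers
# can be exercised offline; prints the path of the temporary file.
sample_status_file() {
    f=$(mktemp)
    printf 'Name:\tbuildah\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$f"
    echo "$f"
}

diagnose
```

Run it as the same user and in the same pod spec that the Tekton step uses, since the seccomp mode and NoNewPrivs values are per-process and change with the PodSecurityPolicy applied. A Seccomp mode of 2 only says a filter is loaded, not what it denies; the unshare -U probe is the direct check.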
About this issue
- State: closed
- Created 4 years ago
- Reactions: 5
- Comments: 25 (12 by maintainers)
@zhangtbj
buildah pull busybox
It works!
k8s PodSecurityPolicy annotations - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
LGTM. If you add a containers.conf to the image that specifies cgroupfs rather than systemd, you can get rid of the warnings.
Something like: https://github.com/containers/buildah/blob/master/contrib/buildahimage/stable/Dockerfile
Hi @iwangxiaodong,
We cannot use the privileged: true permission in our shared cluster; it is forbidden 😦