WIP: port tektoncd/pipeline#2967 to triggers

gabemontero · Sep 8, 2020 · dac5547 · dac5547
1 parent 52762e8
commit dac5547
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 5 deletions.
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
@@ -30,7 +30,7 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: 'MustRunAsNonRoot'
   seLinux:
     rule: 'RunAsAny'
   supplementalGroups:

diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -35,7 +35,3 @@ rules:
   - apiGroups: ["triggers.tekton.dev"]
     resources: ["clustertriggerbindings/status", "eventlisteners/status", "triggerbindings/status", "triggertemplates/status", "triggers/status"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -0,0 +1,26 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-triggers-admin
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-triggers"]
+    verbs: ["use"]
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
@@ -0,0 +1,29 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-controller-admin
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-controller
+    namespace: tekton-pipelines
+roleRef:
+  kind: Role
+  name: tekton-triggers-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -52,6 +52,9 @@ spec:
       containers:
       - name: tekton-triggers-controller
         image: "ko://github.com/tektoncd/triggers/cmd/controller"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
         args: [
           "-logtostderr",
           "-stderrthreshold", "INFO",

diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -54,6 +54,9 @@ spec:
         # This is the Go import path for the binary that is containerized
         # and substituted here.
         image: "ko://github.com/tektoncd/triggers/cmd/webhook"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom: