diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
index 66a1c29d95..5a96cb043e 100644
--- a/config/101-podsecuritypolicy.yaml
+++ b/config/101-podsecuritypolicy.yaml
@@ -30,7 +30,7 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
- rule: 'RunAsAny'
+ rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 7fdef71dfd..4590885b90 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -35,7 +35,3 @@ rules:
- apiGroups: ["triggers.tekton.dev"]
resources: ["clustertriggerbindings/status", "eventlisteners/status", "triggerbindings/status", "triggertemplates/status", "triggers/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-triggers"]
- verbs: ["use"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
new file mode 100644
index 0000000000..0bde307b64
--- /dev/null
+++ b/config/200-role.yaml
@@ -0,0 +1,26 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["tekton-triggers"]
+ verbs: ["use"]
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
new file mode 100644
index 0000000000..a58d5d3716
--- /dev/null
+++ b/config/201-rolebinding.yaml
@@ -0,0 +1,29 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-triggers-controller-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: Role
+ name: tekton-triggers-admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/controller.yaml b/config/controller.yaml
index d496df19eb..70305da9e1 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -52,6 +52,9 @@ spec:
containers:
- name: tekton-triggers-controller
image: "ko://github.com/tektoncd/triggers/cmd/controller"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1001
args: [
"-logtostderr",
"-stderrthreshold", "INFO",
diff --git a/config/webhook.yaml b/config/webhook.yaml
index a3f5a0bfc5..158df49a98 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -54,6 +54,9 @@ spec:
# This is the Go import path for the binary that is containerized
# and substituted here.
image: "ko://github.com/tektoncd/triggers/cmd/webhook"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1001
env:
- name: SYSTEM_NAMESPACE
valueFrom: