From dac55474258a5b4a506cff9ffcd1aab136e1ff7c Mon Sep 17 00:00:00 2001
From: gabemontero
Date: Tue, 11 Aug 2020 09:24:36 -0400
Subject: [PATCH] WIP: port https://github.com/tektoncd/pipeline/pull/2967 to triggers
---
 config/101-podsecuritypolicy.yaml | 2 +-
 config/200-clusterrole.yaml | 4 ----
 config/200-role.yaml | 26 ++++++++++++++++++++++++++
 config/201-rolebinding.yaml | 29 +++++++++++++++++++++++++++++
 config/controller.yaml | 3 +++
 config/webhook.yaml | 3 +++
 6 files changed, 62 insertions(+), 5 deletions(-)
 create mode 100644 config/200-role.yaml
 create mode 100644 config/201-rolebinding.yaml
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
index 66a1c29d9..5a96cb043 100644
--- a/config/101-podsecuritypolicy.yaml
+++ b/config/101-podsecuritypolicy.yaml
@@ -30,7 +30,7 @@ spec:
 hostIPC: false
 hostPID: false
 runAsUser:
- rule: 'RunAsAny'
+ rule: 'MustRunAsNonRoot'
 seLinux:
 rule: 'RunAsAny'
 supplementalGroups:
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 7fdef71df..4590885b9 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -35,7 +35,3 @@ rules:
 - apiGroups: ["triggers.tekton.dev"]
 resources: ["clustertriggerbindings/status", "eventlisteners/status", "triggerbindings/status", "triggertemplates/status", "triggers/status"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-triggers"]
- verbs: ["use"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
new file mode 100644
index 000000000..0bde307b6
--- /dev/null
+++ b/config/200-role.yaml
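Review bot: Switching `runAsUser` to `MustRunAsNonRoot` means a pod admitted under this PSP without an explicit UID gets `runAsNonRoot: true` injected, and the kubelet then refuses to start any container whose image declares a non-numeric `USER` (or no user at all) because it cannot prove the UID is non-zero. That is satisfied in this patch only because the controller and webhook containers pin `runAsUser: 1001`; any other workload routed to this PSP needs the same treatment. Worth recording above the rule: `# MustRunAsNonRoot: pods must pin a numeric runAsUser (or use an image with a numeric USER); the kubelet cannot verify non-root for named users.` The rest of the PSP spec (privilege escalation, capabilities, volumes) lies outside this hunk, so I cannot tell whether it is tightened to match.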
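Review bot: Dropping the `use` grant on the `tekton-triggers` PodSecurityPolicy from this ClusterRole removes it from every subject bound to `tekton-triggers-admin`, not only the controller, while the replacement Role added by this patch is bound solely to the `tekton-triggers-controller` ServiceAccount in `tekton-pipelines`. If the webhook Deployment, or anything else, runs under a different ServiceAccount that reached the PSP through this ClusterRole, its pods will be rejected by PSP admission once this lands; the `serviceAccountName` is not visible from this hunk, so please confirm. A one-line comment where the rule used to be, `# PSP 'use' is granted by the namespaced Role in 200-role.yaml; do not re-add policy/podsecuritypolicies here`, would keep it from being restored cluster-wide later.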
@@ -0,0 +1,26 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-triggers-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+rules:
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["tekton-triggers"]
+ verbs: ["use"]
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
new file mode 100644
index 000000000..a58d5d371
--- /dev/null
+++ b/config/201-rolebinding.yaml
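Review bot: The new Role has no `metadata.namespace`, so `kubectl apply` creates it in whatever namespace the caller's context defaults to (typically `default`), while the ServiceAccount it is meant to serve lives in `tekton-pipelines` per the subject in 201-rolebinding.yaml. PSP admission authorizes `use` against the namespace of the pod being created, so unless this Role and its binding land in `tekton-pipelines` the controller pods there remain uncovered and are denied when the PSP admission plugin is enabled. Add `namespace: tekton-pipelines` under `metadata:` between `name:` and `labels:`, which also makes the manifest deterministic regardless of the deploying user's kubeconfig.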
@@ -0,0 +1,29 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-triggers-controller-admin
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: Role
+ name: tekton-triggers-admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/controller.yaml b/config/controller.yaml
index d496df19e..70305da9e 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -52,6 +52,9 @@ spec:
 containers:
 - name: tekton-triggers-controller
 image: "ko://github.com/tektoncd/triggers/cmd/controller"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1001
 args: [
 "-logtostderr",
 "-stderrthreshold", "INFO",
diff --git a/config/webhook.yaml b/config/webhook.yaml
index a3f5a0bfc..158df49a9 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -54,6 +54,9 @@ spec:
 # This is the Go import path for the binary that is containerized
 # and substituted here.
 image: "ko://github.com/tektoncd/triggers/cmd/webhook"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1001
 env:
 - name: SYSTEM_NAMESPACE
 valueFrom:
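Review bot: This RoleBinding also omits `metadata.namespace`, so it is created in the applying user's current namespace rather than in `tekton-pipelines`, which is where the subject ServiceAccount and the controller pods live. A RoleBinding only grants within its own namespace and the PSP `use` check is evaluated in the namespace of the pod being admitted, so as written the controller would still be denied the `tekton-triggers` PSP in `tekton-pipelines` whenever PSP admission is enforced. Add `namespace: tekton-pipelines` under `metadata:`; since `roleRef.kind` is `Role`, the referenced `tekton-triggers-admin` Role must sit in that same namespace, so 200-role.yaml has to agree.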
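Review bot: `runAsUser: 1001` satisfies the new `MustRunAsNonRoot` PSP rule, but the non-root guarantee then depends on the PodSecurityPolicy admission plugin being enabled and the Role/RoleBinding grant being in effect; adding `runAsNonRoot: true` beside it makes the kubelet itself refuse to start the container as UID 0 regardless of cluster policy. For a controller that presumably only needs to reach the API server, `capabilities: { drop: ["ALL"] }` is also free and removes the runtime's default capability bounding set, which `allowPrivilegeEscalation: false` alone does not touch. The `args` list and the rest of the pod spec continue past this hunk, so I cannot see whether a pod-level `securityContext` (`runAsGroup`, `fsGroup`) is set elsewhere.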
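Review bot: The webhook pins `runAsUser: 1001` in the manifest rather than inheriting the UID from the image; if the ko base image is a `nonroot` distroless variant its `USER` is a different numeric UID, and any file the image ships with restrictive ownership would be unreadable at 1001, so confirm the UID against the configured base image instead of assuming it. As with the controller, pairing it with `runAsNonRoot: true` keeps the non-root requirement enforced by the kubelet on clusters that do not run the PSP admission plugin. Note that this Deployment is only covered by the new `tekton-triggers-controller-admin` RoleBinding if its `serviceAccountName`, which is outside this hunk, is `tekton-triggers-controller`; otherwise it loses PSP access once the ClusterRole rule is gone.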