Run controller and webhook also as non-root group. Drop capabilities.

[benhxy]

Changes

/kind misc
Containers running as root group or with excessive capabilities
have larger security impact if compromised. It is recommended
to run containers as non-root and drop unneeded capabilities.
Controller and Webhook are regular servers and don't need special
capabilities. This change is tested with master version on a GKE cluster.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices
• Release notes block has been filled in or deleted (only if no user facing changes)

Reviewer Notes

If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.

NONE

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Ben Hu (6d6f48d)

[tekton-robot]

Hi @benhxy. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ghost]

/ok-to-test

[benhxy]

/assign @pritidesai

[benhxy]

/test check-pr-has-kind-label

[benhxy]

@vinayakankugoyal FYI

[dibyom]

/lgtm

/cc @vdemeester

Thanks! We should probably do this for the other deployments in Tekton too (triggers, operator, results)

[ghost]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbwsg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sbwsg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vdemeester]

/lgtm

/cc @vdemeester

Thanks! We should probably do this for the other deployments in Tekton too (triggers, operator, results)

Agreed 😉 . This is another thing we will need to "mangle" for OpenShift Pipelines (because OpenShift does a lot of this on its own) but it is a really good thing to do !

/lgtm