Replace PodSecurityPolicy with PodSecurityAdmission

This commit drops the Triggers PodSecurityPolicy since its deprecated and is going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission. In addition, it adds the `securityContext` required for the "restricted" PodSecurityAdmission levels. These changes are necessary for Triggers to work with Pipelines v0.41 and higher because tektoncd/pipeline#5652 started enforcing the restricted pod security level for all pods in the `tekton-pipelines` namespace (which includes the triggers controller, webhook, and core interceptor deployments). Fixes tektoncd#1447 and required for tektoncd#1475 Signed-off-by: Dibyo Mukherjee <dibyo@google.com>
dibyom · Nov 3, 2022 · c0f697d · c0f697d
1 parent f2e5f0e
commit c0f697d
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 92 deletions.
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -103,10 +103,6 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["impersonate"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]

diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -18,22 +18,6 @@
 # EventListener is what should be done.  While not as simple, it avoids
 # giving access to K8S system level, cluster admin privileged level Secrets
 
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: tekton-triggers-admin
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-triggers
-rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
-
----
-
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -43,10 +27,6 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
 rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
@@ -62,10 +42,6 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
 rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get", "list", "watch"]

diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
@@ -12,24 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: tekton-triggers-controller-admin
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-triggers
-subjects:
-  - kind: ServiceAccount
-    name: tekton-triggers-controller
-    namespace: tekton-pipelines
-roleRef:
-  kind: Role
-  name: tekton-triggers-admin
-  apiGroup: rbac.authorization.k8s.io
-
----
 
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

diff --git a/config/controller.yaml b/config/controller.yaml
@@ -86,5 +86,13 @@ spec:
           value: "9000"
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"          
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
+          runAsGroup: 65532
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+
diff --git a/config/interceptors/core-interceptors-deployment.yaml b/config/interceptors/core-interceptors-deployment.yaml
@@ -85,9 +85,12 @@ spec:
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
           runAsGroup: 65532
+          runAsNonRoot: true
           capabilities:
             drop:
-            - all
+            - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service

diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -76,3 +76,11 @@ spec:
           allowPrivilegeEscalation: false
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
+          runAsGroup: 65532
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
+