From c0f697dcd711d6250e8c02dd661455f1232c6097 Mon Sep 17 00:00:00 2001
From: Dibyo Mukherjee <dibyo@google.com>
Date: Wed, 2 Nov 2022 22:14:37 -0400
Subject: [PATCH] Replace PodSecurityPolicy with PodSecurityAdmission

This commit drops the Triggers PodSecurityPolicy since its deprecated and is
going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission.

In addition, it adds the `securityContext` required for the "restricted"
PodSecurityAdmission levels. These changes are necessary for Triggers to work
with Pipelines v0.41 and higher because tektoncd/pipeline#5652  started
enforcing the restricted pod security level for all pods in the
`tekton-pipelines` namespace (which includes the triggers controller, webhook,
and core interceptor deployments).

Fixes #1447 and required for #1475

Signed-off-by: Dibyo Mukherjee <dibyo@google.com>
---
 config/101-podsecuritypolicy.yaml             | 45 -------------------
 config/200-clusterrole.yaml                   |  4 --
 config/200-role.yaml                          | 24 ----------
 config/201-rolebinding.yaml                   | 18 --------
 config/controller.yaml                        |  8 ++++
 .../core-interceptors-deployment.yaml         |  5 ++-
 config/webhook.yaml                           |  8 ++++
 7 files changed, 20 insertions(+), 92 deletions(-)
 delete mode 100644 config/101-podsecuritypolicy.yaml

diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
deleted file mode 100644
index 5a96cb043e..0000000000
--- a/config/101-podsecuritypolicy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2019 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: tekton-triggers
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-triggers
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  volumes:
-  - 'emptyDir'
-  - 'configMap'
-  - 'secret'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-    - min: 1
-      max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-    - min: 1
-      max: 65535
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 6d71e37d49..ec90481c94 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -103,10 +103,6 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["impersonate"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
index 42a4145ee6..9dedc045ab 100644
--- a/config/200-role.yaml
+++ b/config/200-role.yaml
@@ -18,22 +18,6 @@
 # EventListener is what should be done.  While not as simple, it avoids
 # giving access to K8S system level, cluster admin privileged level Secrets
 
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: tekton-triggers-admin
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-triggers
-rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
-
----
-
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -43,10 +27,6 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
 rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
@@ -62,10 +42,6 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
 rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-triggers"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get", "list", "watch"]
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
index 9d220d5747..f1ad8d46cf 100644
--- a/config/201-rolebinding.yaml
+++ b/config/201-rolebinding.yaml
@@ -12,24 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: tekton-triggers-controller-admin
-  namespace: tekton-pipelines
-  labels:
-    app.kubernetes.io/instance: default
-    app.kubernetes.io/part-of: tekton-triggers
-subjects:
-  - kind: ServiceAccount
-    name: tekton-triggers-controller
-    namespace: tekton-pipelines
-roleRef:
-  kind: Role
-  name: tekton-triggers-admin
-  apiGroup: rbac.authorization.k8s.io
-
----
 
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/config/controller.yaml b/config/controller.yaml
index e8487a09d5..b2a0630463 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -86,5 +86,13 @@ spec:
           value: "9000"
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"          
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
+          runAsGroup: 65532
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+ 
diff --git a/config/interceptors/core-interceptors-deployment.yaml b/config/interceptors/core-interceptors-deployment.yaml
index 6c7036995b..82d853f935 100644
--- a/config/interceptors/core-interceptors-deployment.yaml
+++ b/config/interceptors/core-interceptors-deployment.yaml
@@ -85,9 +85,12 @@ spec:
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
           runAsGroup: 65532
+          runAsNonRoot: true
           capabilities:
             drop:
-            - all
+            - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/config/webhook.yaml b/config/webhook.yaml
index 282783e741..7f66aa4ff0 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -76,3 +76,11 @@ spec:
           allowPrivilegeEscalation: false
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
+          runAsGroup: 65532
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
+