From 90ba36206270f09e5d6bfcbe58fde4babd300341 Mon Sep 17 00:00:00 2001
From: Yihong Wang
Date: Thu, 26 Jan 2023 09:49:11 -0800
Subject: [PATCH] Add securitycontext for k8s 1.25

For k8s 1.25, a securityContext definition is needed for a pod. Add proper security context to pipelineloop controler and webhook

Signed-off-by: Yihong Wang
---
 .../pipeline-loops/500-controller.yaml | 10 ++++++++++
 .../tekton-custom-task/pipeline-loops/500-webhook.yaml | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
index 9b71b96479..4b4ee86391 100644
--- a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
@@ -54,3 +54,13 @@ spec:
 value: config-observability
 - name: METRICS_DOMAIN
 value: tekton.dev/pipeline
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
index 08b5728f93..a75b88c43d 100644
--- a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
@@ -64,6 +64,16 @@ spec:
 containerPort: 8008
 - name: https-webhook
 containerPort: 8443
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
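Review bot: `readOnlyRootFilesystem: true` is absent from the controller's new securityContext, so the hardening stops at what the restricted Pod Security Standard demands rather than what a controller that only talks to the API server can usually tolerate. Adding `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false` prevents an attacker who gets code execution in the container from dropping tooling or tampering with the binary on disk. If the controller does need scratch space (presumably not, but verify against the image), mount an `emptyDir` at that path rather than leaving the whole root writable. The container definition this block extends starts before the hunk, so the pod-level securityContext, if any, is not visible here.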
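Review bot: The pinned `runAsUser: 65532` / `runAsGroup: 65532` in the webhook container carry no comment saying where the number comes from, and nothing in the hunk ties it to the image, so a later base-image change could leave baked-in files unreadable while `runAsNonRoot: true` still passes admission. I would add above `runAsGroup` the comment `# 65532 is presumably the distroless "nonroot" UID/GID; it must match the user the webhook image is built for — re-verify if the base image changes`. The visible ports 8008 and 8443 are unprivileged, so dropping ALL capabilities (including NET_BIND_SERVICE) is safe here; a one-line note such as `# ports are >1024, so NET_BIND_SERVICE is not needed` would stop someone re-adding capabilities later. The container spec this block belongs to starts before the hunk.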