From 784f5c2b5e8dfecee2b7969c8d057df55a93d042 Mon Sep 17 00:00:00 2001
From: gabemontero
Date: Mon, 23 Jan 2023 15:58:52 -0500
Subject: [PATCH] clear out tenant security context add scc needed to run tenant
---
 .../operators/minio/tenant/kustomization.yaml | 1 +
 .../minio/tenant/tenant-permissions.yaml | 35 +++++++++++++++++++
 .../operators/minio/tenant/tenant.yaml | 7 ++--
 .../pipeline-service-manager/role.yaml | 8 +++++
 4 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 developer/openshift/operators/minio/tenant/tenant-permissions.yaml
diff --git a/developer/openshift/operators/minio/tenant/kustomization.yaml b/developer/openshift/operators/minio/tenant/kustomization.yaml
index e6653b6bf..1e744fce5 100644
--- a/developer/openshift/operators/minio/tenant/kustomization.yaml
+++ b/developer/openshift/operators/minio/tenant/kustomization.yaml
@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - tenant.yaml
+ - tenant-permissions.yaml
diff --git a/developer/openshift/operators/minio/tenant/tenant-permissions.yaml b/developer/openshift/operators/minio/tenant/tenant-permissions.yaml
new file mode 100644
index 000000000..9f6276376
--- /dev/null
+++ b/developer/openshift/operators/minio/tenant/tenant-permissions.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: minio
+ namespace: tekton-results
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: minio
+ namespace: tekton-results
+rules:
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: minio
+ namespace: tekton-results
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: minio
+subjects:
+ - kind: ServiceAccount
+ name: minio
+ namespace: tekton-results
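Review bot: The Role in tenant-permissions.yaml grants `use` on the `nonroot` SecurityContextConstraint to the `minio` ServiceAccount in `tekton-results`, but nothing in the new file records why the tenant needs that SCC, which anyone later tightening RBAC in this namespace will want to know. A comment above the `rules:` entry such as `# "use" on the nonroot SCC lets the tenant pods run as a non-root UID without the hard-coded runAsUser/runAsGroup that tenant.yaml used to carry` would tie the grant to the tenant change made in the same commit. The scoping itself is appropriately narrow: a namespaced Role restricted by `resourceNames` to one SCC, bound to one ServiceAccount, rather than a ClusterRole over all `securitycontextconstraints`. The removed `1000630001`/`1000630002` values look like a namespace-assigned UID/GID range that would not port between clusters, which is presumably the motivation; worth stating in the commit body if so.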
diff --git a/developer/openshift/operators/minio/tenant/tenant.yaml b/developer/openshift/operators/minio/tenant/tenant.yaml
index 583ed47c0..54d5702e5 100644
--- a/developer/openshift/operators/minio/tenant/tenant.yaml
+++ b/developer/openshift/operators/minio/tenant/tenant.yaml
@@ -44,7 +44,7 @@ spec:
 imagePullSecret: {}
 mountPath: /export
 subPath: ""
- serviceAccountName: ""
+ serviceAccountName: "minio"
 pools:
 - servers: 1
 name: pool-0
@@ -67,8 +67,5 @@ spec:
 requests:
 storage: 1Gi
 status: {}
- securityContext:
- runAsNonRoot: true
- runAsUser: 1000630001
- runAsGroup: 1000630002
+ securityContext: {}
 requestAutoCert: true
diff --git a/operator/gitops/compute/pipeline-service-manager/role.yaml b/operator/gitops/compute/pipeline-service-manager/role.yaml
index 29c2912e5..79e652130 100644
--- a/operator/gitops/compute/pipeline-service-manager/role.yaml
+++ b/operator/gitops/compute/pipeline-service-manager/role.yaml
@@ -110,6 +110,14 @@ rules:
 - "get"
 - "create"
 - "update"
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 - apiGroups:
 - pipelinesascode.tekton.dev
 resources:
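Review bot: Replacing the tenant securityContext with `securityContext: {}` in the second tenant.yaml hunk also drops `runAsNonRoot: true`, so the non-root guarantee now rests entirely on admission by whichever SCC the `minio` ServiceAccount is matched to at pod creation. Keeping the explicit field, `securityContext:` followed by `  runAsNonRoot: true`, while still removing the hard-coded `runAsUser`/`runAsGroup` (the values look like a namespace-assigned UID range and are the real portability problem) states the intent in the manifest itself and makes the kubelet refuse a container that somehow starts as UID 0. Whether the MinIO operator substitutes its own defaults for an empty securityContext is not visible here and should be confirmed before relying on `{}`. The `spec:` block that holds both hunks, including the first hunk's new `serviceAccountName: "minio"`, begins outside them.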
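Review bot: The new rule in role.yaml grants pipeline-service-manager `use` on the `nonroot` SCC with no comment explaining why a management role needs an SCC at all, and because the `rules:` list and the file's `kind` lie outside the hunk, it is not visible here whether this is a Role or a ClusterRole, so the grant's reach cannot be confirmed from the diff. If the reason is that the manager applies tenant-permissions.yaml and Kubernetes RBAC escalation prevention requires the creator of a Role to already hold every permission it grants, a comment such as `# Needed so this role can create the minio Role that grants "use" on the nonroot SCC (RBAC escalation prevention)` records that link; if the manager's own pods need the SCC instead, say that. As a point of style, the neighbouring rules quote their verbs (`"get"`, `"create"`, `"update"`) while the new entry writes `- use` unquoted; `- "use"` would match the file.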