

Add SecurityContext to Eventlistener containers
The security context is the same one that is applied to other Tekton workloads
such as the Triggers and Pipeline controller pods. EventListeners already run
as non-root, non-privileged containers; adding this setting makes that explicit
so they can run in environments where pod security admission is set to
"restricted" (such as the tekton-pipelines namespace).

Fixes #1490

Signed-off-by: Dibyo Mukherjee <[email protected]>
dibyom committed Dec 14, 2022
1 parent b4a404d commit dc0d56b
Showing 4 changed files with 133 additions and 0 deletions.
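--- a/pkg/reconciler/eventlistener/eventlistener_test.go
+++ b/pkg/reconciler/eventlistener/eventlistener_test.go
@@ -274,6 +274,19 @@ func makeDeployment(ops ...func(d *appsv1.Deployment)) *appsv1.Deployment {
 Name: "METRICS_PROMETHEUS_PORT",
 Value: "9000",
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 }},
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.Bool(true),
@@ -422,6 +435,19 @@ func makeWithPod(ops ...func(d *duckv1.WithPod)) *duckv1.WithPod {
 Name: "METRICS_PROMETHEUS_PORT",
 Value: "9000",
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 ReadinessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{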
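--- a/pkg/reconciler/eventlistener/resources/container.go
+++ b/pkg/reconciler/eventlistener/resources/container.go
@@ -23,6 +23,7 @@ import (
 "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1"
 corev1 "k8s.io/api/core/v1"
 reconcilersource "knative.dev/eventing/pkg/reconciler/source"
+"knative.dev/pkg/ptr"
 )
 
 type ContainerOption func(*corev1.Container)
@@ -79,6 +80,19 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(*c.TimeOutHandler, 10),
 }}...),
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 }
 
 for _, opt := range opts {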
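Review bot: The container `SecurityContext` literal pins `RunAsUser`/`RunAsGroup` to 65532, which the "restricted" pod security standard does not require (it needs `runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities and a seccomp profile), and a fixed UID is likely to be rejected by admission controllers that assign UIDs from a namespace range, such as OpenShift's restricted SCC. Since `RunAsNonRoot: ptr.Bool(true)` is already set, consider dropping the two `RunAsUser`/`RunAsGroup` lines or making them configurable, keeping the pin only if the distroless image the comment refers to is the only supported sink image. The `ContainerOption` functions applied in the loop after the literal can overwrite this default; if that is intended, say so, e.g. `// Options run after this literal and may override the default SecurityContext.` The same literal is repeated in the test files, so a package-level helper such as `func defaultSecurityContext() *corev1.SecurityContext` would keep them from drifting. MakeContainer begins and ends outside the hunk.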
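--- a/pkg/reconciler/eventlistener/resources/container_test.go
+++ b/pkg/reconciler/eventlistener/resources/container_test.go
@@ -26,6 +26,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 reconcilersource "knative.dev/eventing/pkg/reconciler/source"
+"knative.dev/pkg/ptr"
 )
 
 func TestContainer(t *testing.T) {
@@ -82,6 +83,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 },
 }, {
 name: "with resources option",
@@ -143,6 +157,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 },
 }, {
 name: "with env option",
@@ -183,6 +210,19 @@ func TestContainer(t *testing.T) {
 Name: "BAR",
 Value: "food",
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 },
 }, {
 name: "with namespace selector",
@@ -232,6 +272,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 },
 }, {
 name: "without payload validation",
@@ -283,6 +336,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+SecurityContext: &corev1.SecurityContext{
+AllowPrivilegeEscalation: ptr.Bool(false),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+// 65532 is the distroless nonroot user ID
+RunAsUser: ptr.Int64(65532),
+RunAsGroup: ptr.Int64(65532),
+RunAsNonRoot: ptr.Bool(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+},
 },
 }}
 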
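Review bot: The expected `SecurityContext` literal is copied verbatim into all five cases of the `TestContainer` table, so any future change to the default means five identical edits and the `// 65532 is the distroless nonroot user ID` comment is repeated in each expectation rather than living once in production code. Declaring it once before the table, e.g. `wantSecurityContext := &corev1.SecurityContext{ /* same fields */ }`, and referencing `SecurityContext: wantSecurityContext` in each case keeps the expectation in one place while still asserting the exact value. If the intent is to assert that no option can alter the hardened context, a dedicated case that passes a `ContainerOption` touching `SecurityContext` would make that explicit. The table in TestContainer starts and ends outside the hunks.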
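--- a/pkg/reconciler/eventlistener/resources/custom_test.go
+++ b/pkg/reconciler/eventlistener/resources/custom_test.go
@@ -157,6 +157,15 @@ func TestCustomObject(t *testing.T) {
 "protocol": "TCP",
 },
 },
+"securityContext": map[string]interface{}{
+"allowPrivilegeEscalation": false,
+"capabilities": map[string]interface{}{
+"drop": []interface{}{string("ALL")}},
+"runAsGroup": int64(65532),
+"runAsNonRoot": bool(true),
+"runAsUser": int64(65532),
+"seccompProfile": map[string]interface{}{"type": string("RuntimeDefault")},
+},
 "resources": map[string]interface{}{},
 "readinessProbe": map[string]interface{}{
 "httpGet": map[string]interface{}{
@@ -224,6 +233,15 @@ func TestCustomObject(t *testing.T) {
 "protocol": "TCP",
 },
 },
+"securityContext": map[string]interface{}{
+"allowPrivilegeEscalation": false,
+"capabilities": map[string]interface{}{
+"drop": []interface{}{string("ALL")}},
+"runAsGroup": int64(65532),
+"runAsNonRoot": bool(true),
+"runAsUser": int64(65532),
+"seccompProfile": map[string]interface{}{"type": string("RuntimeDefault")},
+},
 "resources": map[string]interface{}{},
 "readinessProbe": map[string]interface{}{
 "httpGet": map[string]interface{}{
@@ -292,6 +310,15 @@ func TestCustomObject(t *testing.T) {
 "cpu": "101m",
 },
 },
+"securityContext": map[string]interface{}{
+"allowPrivilegeEscalation": false,
+"capabilities": map[string]interface{}{
+"drop": []interface{}{string("ALL")}},
+"runAsGroup": int64(65532),
+"runAsNonRoot": bool(true),
+"runAsUser": int64(65532),
+"seccompProfile": map[string]interface{}{"type": string("RuntimeDefault")},
+},
 "readinessProbe": map[string]interface{}{
 "httpGet": map[string]interface{}{
 "path": "/live",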
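Review bot: The expected `securityContext` map mixes redundant conversions (`string("ALL")`, `bool(true)`, `string("RuntimeDefault")`) with a bare `false` for `allowPrivilegeEscalation`, which reads as if the types were in doubt; only `int64(65532)` is needed, since an untyped `"ALL"` or `true` placed in an `interface{}` already takes the default `string`/`bool` type that the unstructured conversion produces. Writing `"drop": []interface{}{"ALL"}`, `"runAsNonRoot": true` and `"seccompProfile": map[string]interface{}{"type": "RuntimeDefault"}` matches the surrounding entries such as `"protocol": "TCP"`. The closing `}}` folded onto the `"drop"` line is also unlike the rest of the literal and is worth splitting. The enclosing TestCustomObject table starts and ends outside the hunks.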
