diff --git a/pkg/reconciler/eventlistener/eventlistener_test.go b/pkg/reconciler/eventlistener/eventlistener_test.go
index 6416215d98..01de0926df 100644
--- a/pkg/reconciler/eventlistener/eventlistener_test.go
+++ b/pkg/reconciler/eventlistener/eventlistener_test.go
@@ -274,6 +274,19 @@ func makeDeployment(ops ...func(d *appsv1.Deployment)) *appsv1.Deployment {
 Name: "METRICS_PROMETHEUS_PORT",
 Value: "9000",
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.Bool(true),
@@ -422,6 +435,19 @@ func makeWithPod(ops ...func(d *duckv1.WithPod)) *duckv1.WithPod {
 Name: "METRICS_PROMETHEUS_PORT",
 Value: "9000",
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 ReadinessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{
diff --git a/pkg/reconciler/eventlistener/resources/container.go b/pkg/reconciler/eventlistener/resources/container.go
index 697cd29706..b8d8d4a107 100644
--- a/pkg/reconciler/eventlistener/resources/container.go
+++ b/pkg/reconciler/eventlistener/resources/container.go
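Review bot: The 13-line SecurityContext literal added to makeDeployment is repeated byte-for-byte in makeWithPod in this file, in MakeContainer in container.go, and in all five TestContainer cases in container_test.go, so a future change to one field has eight places to drift. A fixture helper per test package, e.g. `func expectedSecurityContext() *corev1.SecurityContext` returning a fresh value, would let each expectation read `SecurityContext: expectedSecurityContext(),` while still asserting the production literal independently of it. The `// 65532 is the distroless nonroot user ID` comment would then live in one place per package instead of being copied into every fixture. makeDeployment starts and ends outside the hunk.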
@@ -23,6 +23,7 @@ import (
 "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1"
 corev1 "k8s.io/api/core/v1"
 reconcilersource "knative.dev/eventing/pkg/reconciler/source"
+ "knative.dev/pkg/ptr"
 )
 
 type ContainerOption func(*corev1.Container)
@@ -79,6 +80,19 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(*c.TimeOutHandler, 10),
 }}...),
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }
 
 for _, opt := range opts {
diff --git a/pkg/reconciler/eventlistener/resources/container_test.go b/pkg/reconciler/eventlistener/resources/container_test.go
index 6738572954..85c09f36a2 100644
--- a/pkg/reconciler/eventlistener/resources/container_test.go
+++ b/pkg/reconciler/eventlistener/resources/container_test.go
@@ -26,6 +26,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 reconcilersource "knative.dev/eventing/pkg/reconciler/source"
+ "knative.dev/pkg/ptr"
 )
 
 func TestContainer(t *testing.T) {
@@ -82,6 +83,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }, {
 name: "with resources option",
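Review bot: The SecurityContext added to the container literal in MakeContainer pins RunAsUser and RunAsGroup to 65532, which is only correct while the EventListener image is distroless-based; a base image whose files are owned by a different UID could leave the sink unable to read its own binary or config, so the coupling belongs in MakeContainer's doc comment, e.g. `// The container runs as the distroless nonroot UID (65532); changing the base image means revisiting the SecurityContext.` Because ContainerOption is `func(*corev1.Container)` and the options loop runs after the literal, any option can still replace or nil out these fields, so a test that applies the options the reconciler actually passes and asserts the hardened defaults survive would catch silent regressions. If the sink never writes to its own filesystem, `ReadOnlyRootFilesystem: ptr.Bool(true),` would complete the restricted profile, but that cannot be confirmed from the hunk. MakeContainer starts and ends outside the hunk.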
@@ -143,6 +157,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }, {
 name: "with env option",
@@ -183,6 +210,19 @@ func TestContainer(t *testing.T) {
 Name: "BAR",
 Value: "food",
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }, {
 name: "with namespace selector",
@@ -232,6 +272,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }, {
 name: "without payload validation",
@@ -283,6 +336,19 @@ func TestContainer(t *testing.T) {
 Name: "K_SINK_TIMEOUT",
 Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
 }},
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ // 65532 is the distroless nonroot user ID
+ RunAsUser: ptr.Int64(65532),
+ RunAsGroup: ptr.Int64(65532),
+ RunAsNonRoot: ptr.Bool(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }}
 
diff --git a/pkg/reconciler/eventlistener/resources/custom_test.go b/pkg/reconciler/eventlistener/resources/custom_test.go
index d1c945612b..cc69314faa 100644
--- a/pkg/reconciler/eventlistener/resources/custom_test.go
+++ b/pkg/reconciler/eventlistener/resources/custom_test.go
@@ -157,6 +157,15 @@ func TestCustomObject(t *testing.T) {
 "protocol": "TCP",
 },
 },
+ "securityContext": map[string]interface{}{
+ "allowPrivilegeEscalation": false,
+ "capabilities": map[string]interface{}{
+ "drop": []interface{}{string("ALL")}},
+ "runAsGroup": int64(65532),
+ "runAsNonRoot": bool(true),
+ "runAsUser": int64(65532),
+ "seccompProfile": map[string]interface{}{"type": string("RuntimeDefault")},
+ },
 "resources": map[string]interface{}{},
 "readinessProbe": map[string]interface{}{
 "httpGet": map[string]interface{}{
@@ -224,6 +233,15 @@ func TestCustomObject(t *testing.T) {
 "protocol": "TCP",
 },
 },
+ "securityContext": map[string]interface{}{
+ "allowPrivilegeEscalation": false,
+ "capabilities": map[string]interface{}{
+ "drop": []interface{}{string("ALL")}},
+ "runAsGroup": int64(65532),
+ "runAsNonRoot": bool(true),
+ "runAsUser": int64(65532),
+ "seccompProfile": map[string]interface{}{"type": string("RuntimeDefault")},
+ },
 "resources": map[string]interface{}{},
 "readinessProbe": map[string]interface{}{
 "httpGet": map[string]interface{}{
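Review bot: In the expected unstructured map added to TestCustomObject, the conversions `bool(true)`, `string("ALL")` and `string("RuntimeDefault")` are no-ops on untyped constants and suggest the types are load-bearing, while `int64(65532)` is the only conversion that matters (presumably because the unstructured converter yields int64 rather than int; worth confirming). Writing `"runAsNonRoot": true,`, `"drop": []interface{}{"ALL"}},` and `"seccompProfile": map[string]interface{}{"type": "RuntimeDefault"},` keeps the fixture honest about which types the comparison actually depends on. The same literal appears in the @@ -224 hunk of this file and in the @@ -292 hunk that follows. TestCustomObject starts and ends outside the hunk.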
@@ -292,6 +310,15 @@ func TestCustomObject(t *testing.T) {
 "cpu": "101m",
 },
 },
+ "securityContext": map[string]interface{}{
+ "allowPrivilegeEscalation": false,
+ "capabilities": map[string]interface{}{
+ "drop": []interface{}{string("ALL")}},
+ "runAsGroup": int64(65532),
+ "runAsNonRoot": bool(true),
+ "runAsUser": int64(65532),
+ "seccompProfile": map[string]interface{}{"type": string("RuntimeDefault")},
+ },
 "readinessProbe": map[string]interface{}{
 "httpGet": map[string]interface{}{
 "path": "/live",