Fixes for running on k8s 1.23 and restricted PodSecurityAdmission level #1477

dibyom · 2022-11-02T20:13:51Z

Changes

There are two commits which are both required for Triggers to work with Pipelines v0.41 which requires Kubernetes 1.23.

Use cos_containerd gke image for e2e tests

This commit updates our plumbing dependency to pull in tektoncd/plumbing#1251 which updates the GKE image to cos_containerd. The older cos image is no longer supported as of GKE v1.23.

Part of #1475

Replace PodSecurityPolicy with PodSecurityAdmission

This commit drops the Triggers PodSecurityPolicy since its deprecated and is
going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission.

In addition, it adds the securityContext required for the "restricted"
PodSecurityAdmission levels. These changes are necessary for Triggers to work
with Pipelines v0.41 and higher because tektoncd/pipeline#5652 started
enforcing the restricted pod security level for all pods in the
tekton-pipelines namespace (which includes the triggers controller, webhook,
and core interceptor deployments).

Fixes #1447 and required for #1475

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

Includes tests (if functionality changed/added)
Includes docs (if user facing)
Commit messages follow commit message best practices
Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

action required:  If using Kubernetes 1.22, set PodSecurity flag to true to enforce a restricted pod security level in Tekton namespaces. See https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features for more information.

E2E tests now use cos_containerd image instead of the unsupported cos image

This commit updates our plumbing dependency to pull in tektoncd/plumbing#1251 which updates the GKE image to cos_containerd. The older cos image is no longer supported as of GKE v1.23. Part of tektoncd#1475 Signed-off-by: Dibyo Mukherjee <[email protected]>

dibyom · 2022-11-02T22:35:37Z

Running into PSP issues:

tekton-pipelines             26m         Warning   FailedGetResourceMetric   horizontalpodautoscaler/tekton-pipelines-webhook                     no recommendation
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-g4gpb" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-tkv9h" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-9fd8q" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-4sk4w" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-8c9bx" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-x9ljg" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-4gfkw" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-w2rqv" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-74px6" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             14m         Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     (combined from similar events): Error creating: pods "tekton-triggers-controller-7887549bc5-htzd7" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             3m50s       Warning   FailedCreate              replicaset/tekton-triggers-controller-7887549bc5                     Error creating: pods "tekton-triggers-controller-7887549bc5-gr8gh" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-controller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-controller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Normal    ScalingReplicaSet         deployment/tekton-triggers-controller                                Scaled up replica set tekton-triggers-controller-7887549bc5 to 1
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-r9t88" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-hdsgb" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-d5frk" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-dmbs7" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-xhwcn" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-pjlxn" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-fcthd" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-bpvpb" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-xlvf7" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             14m         Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              (combined from similar events): Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-xtxz6" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             3m30s       Warning   FailedCreate              replicaset/tekton-triggers-core-interceptors-5cdb877c4b              Error creating: pods "tekton-triggers-core-interceptors-5cdb877c4b-4s9h9" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "tekton-triggers-core-interceptors" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "tekton-triggers-core-interceptors" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "tekton-triggers-core-interceptors" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Normal    ScalingReplicaSet         deployment/tekton-triggers-core-interceptors                         Scaled up replica set tekton-triggers-core-interceptors-5cdb877c4b to 1
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-7dgsb" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-ghl4p" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-2w94v" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-wlwgs" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-nblcd" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-84lpz" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-rfjxw" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-j2tv6" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             25m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-xcnfw" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             14m         Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        (combined from similar events): Error creating: pods "tekton-triggers-webhook-7464568dfc-wrdkf" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
tekton-pipelines             3m50s       Warning   FailedCreate              replicaset/tekton-triggers-webhook-7464568dfc                        Error creating: pods "tekton-triggers-webhook-7464568dfc-vfgrz" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

This commit drops the Triggers PodSecurityPolicy since its deprecated and is going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission. In addition, it adds the `securityContext` required for the "restricted" PodSecurityAdmission levels. These changes are necessary for Triggers to work with Pipelines v0.41 and higher because tektoncd/pipeline#5652 started enforcing the restricted pod security level for all pods in the `tekton-pipelines` namespace (which includes the triggers controller, webhook, and core interceptor deployments). Fixes tektoncd#1447 and required for tektoncd#1475 Signed-off-by: Dibyo Mukherjee <[email protected]>

tekton-robot · 2022-11-04T13:16:07Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: savitaashture

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [savitaashture]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

savitaashture

🎉

/lgtm

seunggs · 2022-12-04T15:48:34Z

@dibyom I apologize if this is the wrong place to provide feedback on this ticket, but I'm still getting this error on k8s v1.24, pipelines v0.42 and triggers v0.22 (I can confirm that securityContext fix is present in tekton-triggers-controller and -webhook):

Warning  FailedCreate  47s (x7 over 3m29s)  replicaset-controller  (combined from similar events): Error creating: pods "el-pulumi-el-8bc4bf7-nxznb" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "event-listener" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "event-listener" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "event-listener" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

dibyom · 2022-12-05T17:48:45Z

@seunggs are you running an eventlistener in the tekton-pipelines namespace?

dcshiman · 2022-12-05T17:55:06Z

@seunggs are you running an eventlistener in the tekton-pipelines namespace?

@dibyom I'm facing the same issue, running in tekton-pipelines namespace

seunggs · 2022-12-05T18:06:09Z

@dibyom Yes, tekton-pipelines namespace

dibyom · 2022-12-05T18:15:01Z

ok - a quick workaround will be to run your EL in a different namespace till we add a fix

seunggs · 2022-12-05T18:17:13Z

@dibyom thanks - I've just changed the tekton-pipelines namespace setting: enforce -> warning for now and I was able to create the el. I'll revert to enforce once this is fixed. Thanks for your prompt attention to this!

dcshiman · 2022-12-05T18:38:17Z

ok - a quick workaround will be to run your EL in a different namespace till we add a fix

thanks for the prompt replies @dibyom, my temp solution is to set

apiVersion: v1
kind: Namespace
metadata:
  name: tekton-pipelines
...
  labels:
-      pod-security.kubernetes.io/enforce: restricted
+      pod-security.kubernetes.io/enforce: baseline
+      pod-security.kubernetes.io/warn: restricted
...

tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Nov 2, 2022

tekton-robot requested review from savitaashture and wlynch November 2, 2022 20:13

tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 2, 2022

dibyom force-pushed the cos branch from ade0f87 to f2e5f0e Compare November 2, 2022 21:23

tekton-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 2, 2022

dibyom mentioned this pull request Nov 2, 2022

Migrate Triggers e2e test to kind tektoncd/plumbing#1252

Merged

2 tasks

tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 3, 2022

dibyom changed the title ~~Use cos_containerd gke image for e2e tests~~ Fixes for running on k8s 1.23 and restricted PodSecurityAdmission level Nov 3, 2022

dibyom force-pushed the cos branch from c0f697d to 28bfb0f Compare November 3, 2022 15:54

dibyom mentioned this pull request Nov 3, 2022

Modify e2e test scripts to support running on kind #1476

Merged

4 tasks

bradbeck mentioned this pull request Nov 3, 2022

Update Tekton Pipeline v0.38.2 -> v0.41.0 buildsec/frsca#360

Closed

savitaashture approved these changes Nov 4, 2022

View reviewed changes

tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 4, 2022

savitaashture reviewed Nov 4, 2022

View reviewed changes

tekton-robot assigned savitaashture Nov 4, 2022

tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 4, 2022

tekton-robot merged commit ce7b976 into tektoncd:main Nov 4, 2022

dibyom deleted the cos branch November 7, 2022 15:05

dibyom added the kind/bug Categorizes issue or PR as related to a bug. label Nov 16, 2022

dibyom mentioned this pull request Dec 5, 2022

EventListeners do not have correct SecurityContext to run in tekton-pipelines namespace #1490

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixes for running on k8s 1.23 and restricted PodSecurityAdmission level #1477

Fixes for running on k8s 1.23 and restricted PodSecurityAdmission level #1477

dibyom commented Nov 2, 2022 •

edited

Loading

dibyom commented Nov 2, 2022

tekton-robot commented Nov 4, 2022

savitaashture left a comment

seunggs commented Dec 4, 2022 •

edited

Loading

dibyom commented Dec 5, 2022

dcshiman commented Dec 5, 2022 •

edited

Loading

seunggs commented Dec 5, 2022

dibyom commented Dec 5, 2022

seunggs commented Dec 5, 2022 •

edited

Loading

dcshiman commented Dec 5, 2022

Fixes for running on k8s 1.23 and restricted PodSecurityAdmission level #1477

Fixes for running on k8s 1.23 and restricted PodSecurityAdmission level #1477

Conversation

dibyom commented Nov 2, 2022 • edited Loading

Changes

Submitter Checklist

Release Notes

dibyom commented Nov 2, 2022

tekton-robot commented Nov 4, 2022

savitaashture left a comment

Choose a reason for hiding this comment

seunggs commented Dec 4, 2022 • edited Loading

dibyom commented Dec 5, 2022

dcshiman commented Dec 5, 2022 • edited Loading

seunggs commented Dec 5, 2022

dibyom commented Dec 5, 2022

seunggs commented Dec 5, 2022 • edited Loading

dcshiman commented Dec 5, 2022

dibyom commented Nov 2, 2022 •

edited

Loading

seunggs commented Dec 4, 2022 •

edited

Loading

dcshiman commented Dec 5, 2022 •

edited

Loading

seunggs commented Dec 5, 2022 •

edited

Loading