Adopt the :nonroot base image (#2429)

.ko.yaml

@@ -0,0 +1,2 @@
+# Use :nonroot base image for all containers
+defaultBaseImage: gcr.io/distroless/static:nonroot

config/channels/in-memory-channel/500-controller.yaml

@@ -33,6 +33,7 @@ spec:
       containers:
       - name: controller
         image: knative.dev/eventing/cmd/in_memory/channel_controller
+
         env:
           - name: CONFIG_LOGGING_NAME
             value: config-logging
@@ -44,13 +45,12 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+
+        securityContext:
+          allowPrivilegeEscalation: false
+
         ports:
-          - containerPort: 9090
-            name: metrics
-        volumeMounts:
-          - name: config-logging
-            mountPath: /etc/config-logging
-      volumes:
-        - name: config-logging
-          configMap:
-            name: config-logging
+        - name: metrics
+          containerPort: 9090
+        - name: profiling
+          containerPort: 8008

config/core/deployments/controller.yaml

@@ -59,6 +59,9 @@ spec:
           - name: BROKER_IMAGE_PULL_SECRET_NAME
             value:
 
+        securityContext:
+          allowPrivilegeEscalation: false
+
         ports:
         - name: metrics
           containerPort: 9090

config/core/deployments/sources-controller.yaml

@@ -62,6 +62,9 @@ spec:
             # that is containerized and substituted here.
             value: knative.dev/eventing/cmd/apiserver_receive_adapter
 
+        securityContext:
+          allowPrivilegeEscalation: false
+
         ports:
           - name: metrics
             containerPort: 9090

config/core/deployments/webhook.yaml

@@ -61,6 +61,9 @@ spec:
         - name: WEBHOOK_NAME
           value: eventing-webhook
 
+        securityContext:
+          allowPrivilegeEscalation: false
+
         ports:
         - name: https-webhook
           containerPort: 8443