service-ca pod run as non-root

[sallyom]

Signed-off-by: Sally O'Malley somalley@redhat.com

NOTE In order for service-ca to run with non-root, have to modify the signing-bundle and TLS crt,key volumes to be a configmap & secret, otherwise the non-root uid in the pod can't access the service-ca.crt, tls.crt, tls.key files it needs. Also, the OCP cluster-policy-controller must be running.

This PR depends on
#504 (service-ca volumes as CA configmap, TLS secret)
#478 (cluster-policy-controller)
Closes #

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from sallyom after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cooktheryan]

/retest

[cooktheryan]

/retest

[sallyom]

this will fail until #478 merges

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-ci]

@sallyom: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sallyom]

closing, no longer needed