PodSecurityPolicy Config fixes to allow runnning in restricted envs.

Fixes #2966 1. Moves PSP rule from tekton-pipelines-controller-cluster-access ClusterRole to tekton-pipelines-controller Role. This reduces the scope of where the PSP can be used to prevent privilege escalation 2. Adds PSP rule to tekton-pipelines-webhook to allow the webhook to run when only restrice PSPs are provided 3. Update controller and webhook deployments to use... `runAsUser: 1001` instead of `runAsNonRoot: false` 4. Update tekton-pipelines PSP to use `runAsUser -- rule: 'MustRunAsNonRoot'` to further restrict the controller PSP 5. Added `allowPrivilegeEscalation: false` to the deployment template securityContext for tekton-pipelines-controller to match tekton-pipelines-webhook
tektoncd · Aug 4, 2020 · 9b2a92c · 9b2a92c
1 parent 28d1347
commit 9b2a92c
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 5 deletions.
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
@@ -30,7 +30,7 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: 'MustRunAsNonRoot'
   seLinux:
     rule: 'RunAsAny'
   supplementalGroups:

diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -39,10 +39,6 @@ rules:
   - apiGroups: ["tekton.dev"]
     resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -30,6 +30,10 @@ rules:
     resources: ["configmaps"]
     verbs: ["get"]
     resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-pipelines"]
+    verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -59,3 +63,7 @@ rules:
     resources: ["secrets"]
     verbs: ["get", "update"]
     resourceNames: ["webhook-certs"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-pipelines"]
+    verbs: ["use"]
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -100,6 +100,9 @@ spec:
           value: config-leader-election
         - name: METRICS_DOMAIN
           value: tekton.dev/pipeline
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1001
       volumes:
         - name: config-logging
           configMap:

diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -82,6 +82,7 @@ spec:
           value: tekton.dev/pipeline
         securityContext:
           allowPrivilegeEscalation: false
+          runAsUser: 1001
         ports:
         - name: metrics
           containerPort: 9090