
Bind admin role so that SA can use PSP #863

Merged
merged 1 commit into from
Jan 12, 2021

Conversation

fiunchinho
Contributor

Changes

Examples fail because the ServiceAccount used has no permissions to use the PodSecurityPolicy. We need to bind the admin role to the ServiceAccount so that it can use the PSP.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

@tekton-robot

@fiunchinho: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Dec 15, 2020
@linux-foundation-easycla

linux-foundation-easycla bot commented Dec 15, 2020

CLA Signed

The committers are authorized under a signed CLA.

@tekton-robot tekton-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Dec 15, 2020
@tekton-robot

Hi @fiunchinho. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 15, 2020
@dibyom
Member

dibyom commented Dec 15, 2020

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 15, 2020
@@ -37,6 +37,18 @@ roleRef:
kind: Role
name: tekton-triggers-example-minimal
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
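Review bot: the second RoleBinding that begins at the `---` in this hunk binds the example ServiceAccount to the admin role (per the PR description), which grants every verb on every namespaced resource when the only permission the sink is missing is `use` on one PodSecurityPolicy. Prefer adding a rule to the `tekton-triggers-example-minimal` Role that the roleRef above already points at: `apiGroups: ["policy"]`, `resources: ["podsecuritypolicies"]`, `verbs: ["use"]`, scoped with `resourceNames` to the intended PSP. The existing binding to that Role then covers the PSP and no second RoleBinding is needed.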
Member

Instead of adding a binding to the admin role, could we add the rule of using pod security policies to the role defined above in this file?

@dibyom
Member

dibyom commented Dec 15, 2020

Question: Is this needed due to #862?

Also, /cc @gabemontero our resident PSP expert!

@gabemontero
Contributor

Question: Is this needed due to #862?

Yes I believe it is @dibyom .... the slack discussion thread we've had with these folks on their issue is https://tektoncd.slack.com/archives/CKUSJ2A5D/p1607949867225500

Subsequent to getting this to work for them, I am curious how long triggers has been broken with PSP turned on. Or if it ever worked with PSP turned on. I would think it had worked with PSP sometime in the past but am not certain. If it did, that might mean something changed in the image or controller to necessitate these changes.

By comparison, the PSP analogous feature in openshift, SCC, (which is what I typically run with), has not seen this (unless we need to retry with the very latest ... it has been a couple of weeks for me). @savitaashture attested to the same experience.

Also, /cc @gabemontero our resident PSP expert!

oooh, that is a very dangerous characterization man ;-) .... "expert" at best is a relative term here :-)

@dibyom
Member

dibyom commented Dec 15, 2020

Subsequent to getting this to work for them, I am curious how long triggers has been broken with PSP turned on. Or if it ever worked with PSP turned on. I would think it had worked with PSP sometime in the past but am not certain. If it did, that might mean something changed in the image or controller to necessitate these changes.

well, #862 got merged yesterday so I'm guessing since then 😛 The controller/webhook already had roles to use PSPs. The EL sink deployment did not have this role, but the deployment spec also did not have a securityContext (until yesterday).

@gabemontero
Contributor

Subsequent to getting this to work for them, I am curious how long triggers has been broken with PSP turned on. Or if it ever worked with PSP turned on. I would think it had worked with PSP sometime in the past but am not certain. If it did, that might mean something changed in the image or controller to necessitate these changes.

well, #862 got merged yesterday so I'm guessing since then 😛 The controller/webhook already had roles to use PSPs. The EL sink deployment did not have this role, but the deployment spec also did not have a securityContext (until yesterday).

the opposite actually ... I suggested that to them, along with this PR, to help get past this ... basically mimic what we do for the controller / webhook ... they were seeing the issue before that merged

@dibyom
Member

dibyom commented Dec 15, 2020

Makes sense. controllers/webhook had the right policies/securityContext while EL sinks did not. So in environments requiring PSPs, the controller/webhook would work but not the EL.
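
The least-privilege shape the reviewer asked for above, as an added example and not the project's manifests: a single `use` rule on the PSP added to the example Role, bound to the EventListener's ServiceAccount. The Role name is taken from the diff; the namespace `default`, the ServiceAccount `tekton-triggers-example-sa` and the PodSecurityPolicy name `tekton-triggers` are assumptions.

```yaml
# Added example, not from the tektoncd/triggers repo.
# Grants only what the sink pod is missing: permission to be admitted
# under one named PodSecurityPolicy. Contrast with binding the built-in
# `admin` ClusterRole, which grants every verb on every namespaced resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers-example-minimal
  namespace: default                      # assumption
rules:
  # In the real example file this rule sits alongside the Role's existing rules.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["tekton-triggers"]    # assumed PSP name; omit to allow any PSP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-example-minimal
  namespace: default                      # assumption
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-example-sa      # assumption: the EL sink's ServiceAccount
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers-example-minimal
```

Before reconciling the EventListener, confirm the grant took effect from the admission controller's point of view with `kubectl auth can-i use podsecuritypolicy/tekton-triggers --as=system:serviceaccount:default:tekton-triggers-example-sa -n default`; a `no` here is exactly the failure described in this thread, since the PSP admission plugin checks `use` for the pod's ServiceAccount (and for the creating user) at pod creation. Note that PodSecurityPolicy was removed in Kubernetes 1.25, so this rule only matters on clusters that still run the PSP admission plugin.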

@MarcelMue
Member

I will take over this PR from @fiunchinho - he is currently on vacation but I'd like to push this forward in the meantime.

@dibyom
Member

dibyom commented Jan 6, 2021

I will take over this PR from @fiunchinho - he is currently on vacation but I'd like to push this forward in the meantime.

Thank you 🙏

@tekton-robot tekton-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 11, 2021
@fiunchinho
Contributor Author

Addressed review comment, please take a look. Thanks.

@dibyom
Member

dibyom commented Jan 11, 2021

Looks good. One small thing -- could you squash up the two commits? Thanks!

/approve

@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 11, 2021
@dibyom dibyom added release-note-none Denotes a PR that doesnt merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jan 11, 2021
@fiunchinho
Contributor Author

Looks good. One small thing -- could you squash up the two commits? Thanks!

/approve

Done

@dibyom
Member

dibyom commented Jan 12, 2021

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 12, 2021
@tekton-robot tekton-robot merged commit 7d49df4 into tektoncd:master Jan 12, 2021
@MarcelMue
Member

Nice 🎉

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesnt merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

5 participants