tektoncd / triggers

Event triggering with Tekton!
Apache License 2.0

Add SecurityContext to Eventlistener containers under el-security-context flag #1563

Closed savitaashture closed 1 year ago

savitaashture commented 1 year ago

Changes

As part of PR https://github.com/tektoncd/triggers/pull/1494 we introduced SecurityContext for Eventlistener containers, but for Openshift it's not working, so this adds a condition check to set SecurityContext for Eventlistener containers. Reason: on an Openshift cluster, when we install Triggers the EL container fails to start with the below error:

message: >-
        pods "el-listener-embed-binding-7b6bc5d595-" is forbidden: unable to
        validate against any security context constraint: [provider "anyuid":
        Forbidden: not usable by user or serviceaccount,
        pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/event-listener]:
        Forbidden: seccomp may not be set,
        spec.containers[0].securityContext.runAsUser: Invalid value: 65532: must
        be in the ranges: [1001190000, 1001199999], provider "restricted":
        Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
        Forbidden: not usable by user or serviceaccount, provider "nonroot":
        Forbidden: not usable by user or serviceaccount, provider
        "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
        provider "machine-api-termination-handler": Forbidden: not usable by
        user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable
        by user or serviceaccount, provider "hostnetwork": Forbidden: not usable
        by user or serviceaccount, provider "hostaccess": Forbidden: not usable
        by user or serviceaccount, provider "node-exporter": Forbidden: not
        usable by user or serviceaccount, provider "privileged": Forbidden: not
        usable by user or serviceaccount] 

It doesn't allow setting that, which is why SecurityContext is added to Eventlistener containers under the el-security-context flag, which is True by default so it won't create any issue for K8S.

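The flag-gated behaviour described in this PR, and the SCC rejection it works around, modelled as an added Go example (not the project's code): the types are local stand-ins for the corev1 ones, the UID range is the one quoted in the error message above, and only the runAsUser rule of the SCC is simulated.

```go
package main

import "fmt"

// Minimal stand-in for corev1.SecurityContext (constructed here, not k8s.io/api).
// Only runAsUser is modelled; the seccomp annotation from the error is left out.
type SecurityContext struct {
	RunAsUser *int64
}

// UIDRange models the runAsUser range an OpenShift SCC assigns to a namespace.
type UIDRange struct{ Min, Max int64 }

// elSecurityContext returns the fixed context when the el-security-context flag
// is on, and nil when it is off so the cluster's SCC can inject its own values.
func elSecurityContext(flagEnabled bool) *SecurityContext {
	if !flagEnabled {
		return nil
	}
	uid := int64(65532) // the UID rejected in the PR's error message
	return &SecurityContext{RunAsUser: &uid}
}

// admit mimics the SCC runAsUser check quoted in the PR: an explicit UID outside
// the namespace range is rejected, an absent UID is allocated from the range.
func admit(sc *SecurityContext, r UIDRange) (int64, error) {
	if sc == nil || sc.RunAsUser == nil {
		return r.Min, nil // SCC fills in the first UID of the namespace range
	}
	if *sc.RunAsUser < r.Min || *sc.RunAsUser > r.Max {
		return 0, fmt.Errorf("securityContext.runAsUser: Invalid value: %d: must be in the ranges: [%d, %d]",
			*sc.RunAsUser, r.Min, r.Max)
	}
	return *sc.RunAsUser, nil
}

func main() {
	// Range taken from the error message in the PR description.
	restricted := UIDRange{Min: 1001190000, Max: 1001199999}
	for _, flag := range []bool{true, false} {
		uid, err := admit(elSecurityContext(flag), restricted)
		fmt.Printf("el-security-context=%v -> uid=%d err=%v\n", flag, uid, err)
	}
}
```

With the flag on, the pod is rejected exactly as in the quoted error; with it off, the SCC allocates a UID from the namespace range and the pod is admitted.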

savitaashture commented 1 year ago

We also need this for 0.23.x

savitaashture commented 1 year ago

/retest

tekton-robot commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: khrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/tektoncd/triggers/blob/main/OWNERS)~~ [khrm]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

savitaashture commented 1 year ago

/test pull-tekton-triggers-integration-tests

dibyom commented 1 year ago

/lgtm