fix(gate): fixes securityContext

This patch fixes the securityContext for the tekton-pipeline charts to unclog a gate failure. Signed-off-by: Tin Lam <tin@irrational.io> Change-Id: I5a44f6ecd92c0800aa9f43206fd2c7621d7ac260
2021-03-09 10:09:54 -06:00 · 2021-03-09 10:09:54 -06:00 · 930ff2db04
parent e30a406416
commit 930ff2db04
3 changed files with 12 additions and 14 deletions
--- a/charts/tekton-pipelines/templates/deployment-controller.yaml
+++ b/charts/tekton-pipelines/templates/deployment-controller.yaml
@ -73,8 +73,12 @@ spec:
        - name: METRICS_DOMAIN
          value: {{ $.Values.controller.conf.metrics_domain }}
        securityContext:
-          allowPrivilegeEscalation: {{ $.Values.controller.pod.security_context.container.tekton_pipelines_controller.allowPrivilegeEscalation }}
-          runAsUser: {{ $.Values.controller.pod.security_context.container.tekton_pipelines_controller.runAsUser }}
+          allowPrivilegeEscalation: false
+          runAsUser: 65532
+          runAsGroup: 65532
+          capabilities:
+            drop:
+              - all
      volumes:
      - name: config-logging
        configMap:
--- a/charts/tekton-pipelines/templates/deployment-webhook.yaml
+++ b/charts/tekton-pipelines/templates/deployment-webhook.yaml
@ -48,8 +48,12 @@ spec:
        - name: METRICS_DOMAIN
          value: {{ $.Values.webhook.conf.metrics_domain }}
        securityContext:
-          allowPrivilegeEscalation: {{ $.Values.webhook.pod.security_context.container.webhook.allowPrivilegeEscalation }}
-          runAsUser: {{ $.Values.webhook.pod.security_context.container.webhook.runAsUser }}
+          allowPrivilegeEscalation: false
+          runAsUser: 65532
+          runAsGroup: 65532
+          capabilities:
+            drop:
+              - all
        ports:
        - name: metrics
          containerPort: {{ $.Values.webhook.endpoints.ports.metrics.targetPort }}
--- a/charts/tekton-pipelines/values.yaml
+++ b/charts/tekton-pipelines/values.yaml
@ -74,11 +74,6 @@ controller:

  pod:
    replicas: 1
-    security_context:
-      container:
-        tekton_pipelines_controller:
-          runAsUser: 1001
-          allowPrivilegeEscalation: false

  conf:
    metrics_domain: tekton.dev/pipeline
@ -134,11 +129,6 @@ webhook:
        periodSeconds: 10
        timeoutSeconds: 1
    replicas: 1
-    security_context:
-      container:
-        webhook:
-          runAsUser: 1001
-          allowPrivilegeEscalation: false

  conf:
    metrics_domain: tekton.dev/pipeline