Resolve PodSecurityAdmission restrictions on 1.23+ for deprecated Pod…

…SecurityPolicy This commit fixes the issue where the securityContext are not restricted in PodSecurityAdmission(PSA). This removes the PodSeucrityPolicy, which is deprecated in Kubernetes v1.21 and removed from v1.25. This adds to the PSA restricted label with respective policies enforced by PSP but not covered by the restricted standard of PSA.
tektoncd · Oct 18, 2022 · 9694410 · 9694410
1 parent 2b5b3bc
commit 9694410
Show file tree

Hide file tree

Showing 8 changed files with 20 additions and 72 deletions.
diff --git a/config/100-namespace/100-namespace.yaml b/config/100-namespace/100-namespace.yaml
@@ -19,3 +19,4 @@ metadata:
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
+    pod-security.kubernetes.io/enforce: restricted
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -117,10 +117,6 @@ rules:
     # When there are changes to the configs or secrets, knative updates the validatingwebhook config
     # with the updated certificates or the refreshed set of rules.
     verbs: ["get", "update", "delete"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get"]

diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -30,10 +30,6 @@ rules:
     resources: ["configmaps"]
     verbs: ["get"]
     resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election", "config-registry-cert"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -63,10 +59,6 @@ rules:
     resources: ["secrets"]
     verbs: ["get", "update"]
     resourceNames: ["webhook-certs"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/config/controller.yaml b/config/controller.yaml
@@ -122,10 +122,13 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-            - all
+            - "ALL"
           # User 65532 is the nonroot user ID
           runAsUser: 65532
           runAsGroup: 65532
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         ports:
         - name: metrics
           containerPort: 9090

diff --git a/config/resolvers/resolvers-deployment.yaml b/config/resolvers/resolvers-deployment.yaml
@@ -101,4 +101,6 @@ spec:
           runAsNonRoot: true
           capabilities:
             drop:
-            - all
+            - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -111,10 +111,13 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-            - all
+            - "ALL"
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
           runAsGroup: 65532
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         ports:
         - name: metrics
           containerPort: 9090

diff --git a/kind1.23.yaml b/kind1.23.yaml
@@ -0,0 +1,8 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: kind1.23.12
+nodes:
+- role: control-plane
+  image: kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a
+- role: worker
+  image: kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a