From 969441059eaed6aff884c4e162772bd361314b9b Mon Sep 17 00:00:00 2001
From: Jerome Ju
Date: Tue, 18 Oct 2022 13:54:05 +0000
Subject: [PATCH] Resolve PodSecurityAdmission restrictions on 1.23+ for deprecated PodSecurityPolicy

This commit fixes the issue where the securityContext are not restricted in PodSecurityAdmission(PSA). This removes the PodSeucrityPolicy, which is deprecated in Kubernetes v1.21 and removed from v1.25. This adds to the PSA restricted label with respective policies enforced by PSP but not covered by the restricted standard of PSA.
---
 config/100-namespace/100-namespace.yaml | 1 +
 config/101-podsecuritypolicy.yaml | 57 ----------------------
 config/200-clusterrole.yaml | 4 --
 config/200-role.yaml | 8 ---
 config/controller.yaml | 5 +-
 config/resolvers/resolvers-deployment.yaml | 4 +-
 config/webhook.yaml | 5 +-
 kind1.23.yaml | 8 +++
 8 files changed, 20 insertions(+), 72 deletions(-)
 delete mode 100644 config/101-podsecuritypolicy.yaml
 create mode 100644 kind1.23.yaml

diff --git a/config/100-namespace/100-namespace.yaml b/config/100-namespace/100-namespace.yaml
index 5254a8ce20c..fd63f2979da 100644
--- a/config/100-namespace/100-namespace.yaml
+++ b/config/100-namespace/100-namespace.yaml
@@ -19,3 +19,4 @@ metadata:
 labels:
 app.kubernetes.io/instance: default
 app.kubernetes.io/part-of: tekton-pipelines
+ pod-security.kubernetes.io/enforce: restricted
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
deleted file mode 100644
index f5f602d6e9b..00000000000
--- a/config/101-podsecuritypolicy.yaml
+++ /dev/null
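Review bot: The `pod-security.kubernetes.io/enforce: restricted` label added to the tekton-pipelines namespace carries no `pod-security.kubernetes.io/enforce-version`, which defaults to `latest`, so the set of enforced checks changes silently on every cluster upgrade; pin it with `pod-security.kubernetes.io/enforce-version: v1.23` if upgrades should be deliberate. Consider adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` alongside it so manifests that drift from the profile show up as kubectl warnings and audit events rather than only as rejected pods. This label governs only pods created in this namespace, whereas the deleted PodSecurityPolicy was usable cluster-wide through the `use` grant removed from config/200-clusterrole.yaml; pods the controller creates in other namespaces appear to lose that baseline unless those namespaces carry their own PSA labels, which is worth stating in the release notes.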
@@ -1,57 +0,0 @@
-# Copyright 2019 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: tekton-pipelines
- labels:
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipelines
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'emptyDir'
- - 'configMap'
- - 'secret'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- runAsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 22f6784c01e..f623485758c 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -117,10 +117,6 @@ rules:
 # When there are changes to the configs or secrets, knative updates the validatingwebhook config
 # with the updated certificates or the refreshed set of rules.
 verbs: ["get", "update", "delete"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines"]
- verbs: ["use"]
 - apiGroups: [""]
 resources: ["namespaces"]
 verbs: ["get"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
index d52f7149c99..3f4e584fa4f 100644
--- a/config/200-role.yaml
+++ b/config/200-role.yaml
@@ -30,10 +30,6 @@ rules:
 resources: ["configmaps"]
 verbs: ["get"]
 resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election", "config-registry-cert"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines"]
- verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -63,10 +59,6 @@ rules:
 resources: ["secrets"]
 verbs: ["get", "update"]
 resourceNames: ["webhook-certs"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines"]
- verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/config/controller.yaml b/config/controller.yaml
index ea2a093470e..bfbc7553d0c 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -122,10 +122,13 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - "ALL"
 # User 65532 is the nonroot user ID
 runAsUser: 65532
 runAsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: metrics
 containerPort: 9090
diff --git a/config/resolvers/resolvers-deployment.yaml b/config/resolvers/resolvers-deployment.yaml
index b9b0c541ccf..1a9cb28ac8a 100644
--- a/config/resolvers/resolvers-deployment.yaml
+++ b/config/resolvers/resolvers-deployment.yaml
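Review bot: The change from `- all` to `- "ALL"` in the controller container's `capabilities.drop` is a correctness fix rather than a quoting nicety — the restricted Pod Security Standard compares the dropped capability against the literal `ALL`, so the lowercase form did not satisfy it — but nothing in the file records that, and a future cleanup could revert it; a comment on the line, `# must be the literal "ALL": the PSA restricted check does not match lowercase "all"`, would protect it. The same applies to the identical changes in config/webhook.yaml and config/resolvers/resolvers-deployment.yaml. Since `seccompProfile` is set per container here, any sidecar or init container added to these pods later must repeat it, or the restricted profile rejects the whole pod; setting it once in the pod-level `securityContext` would avoid that. The enclosing `securityContext` and the container list start outside the hunk, so I could not confirm whether these are the only containers.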
@@ -101,4 +101,6 @@ spec:
 runAsNonRoot: true
 capabilities:
 drop:
- - all
+ - "ALL"
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/config/webhook.yaml b/config/webhook.yaml
index 6c399e0fcf7..672fdc3156a 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -111,10 +111,13 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - "ALL"
 # User 65532 is the distroless nonroot user ID
 runAsUser: 65532
 runAsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: metrics
 containerPort: 9090
diff --git a/kind1.23.yaml b/kind1.23.yaml
new file mode 100644
index 00000000000..ff9b2c33a38
--- /dev/null
+++ b/kind1.23.yaml
@@ -0,0 +1,8 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: kind1.23.12
+nodes:
+- role: control-plane
+ image: kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a
+- role: worker
+ image: kindest/node:v1.23.12@sha256:9402cf1330bbd3a0d097d2033fa489b2abe40d479cc5ef47d0b6a6960613148a
\ No newline at end of file
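Review bot: `kind1.23.yaml` is committed without a trailing newline (`\ No newline at end of file`), without a `---` document start, and without any comment saying what it is for; since it sits at the repository root next to deployable config, a header such as `# kind cluster definition for testing PodSecurityAdmission enforcement on Kubernetes 1.23` would explain why a version-pinned cluster config belongs here. Pinning `kindest/node:v1.23.12` by digest is the right choice for reproducibility, but the same digest is spelled out twice, so a future bump has to touch both node entries together or the two nodes drift. Consider also whether the file belongs under a test or hack directory rather than the root, where it could be mistaken for a manifest meant to be applied.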