Exercise our PodSecurityPolicy on CI

[vdemeester]

We define a PodSecurityPolicy in our config/. But this PodSecurityPolicy is never exercised on the CI as it is not enabled by default, for the following reason:

Warning: If you enable the PodSecurityPolicy controller without first defining and authorizing any actual policies, no users, controllers, or service accounts can create or update Pods. If you are working with an existing cluster, you should define and authorize policies before enabling the controller.

This means we do not know if the PodSecurityPolicy is correctly setup and works as we expect (and/or as our user expects if they enable it on their cluster).

We can do the following:

1. Keep the PodSecurityPolicy in config/ but then, we need to exercise it on our test infrastructure (at least for some tests).
   See Using PodSecurityPolicies on google cloud to see more in details on how to enable those. As of today, if we enable it, our tests suites should fail as the PodSecurityPolicy we define disallow running privileged containers/pods, and, well, we do use some during our test suites 🙃.

2. Move the PodSecurityPolicy in a contrib/ folder, discussing what it is, what it does, how to use it. (here is why I say a contrib/ folder btw 😉)

/area testing
/area test-infra
/kind feature

/cc @bobcatfish @afrittoli @gabemontero

[gabemontero]

For reference, how you turn on an admission controller is here

PodSecurityPolicy in k8s docs: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vdemeester]

/remove-lifecycle rotten
/remove-lifecycle stale
/reopen

[tekton-robot]

@vdemeester: Reopened this issue.

In response to this:

/remove-lifecycle rotten
/remove-lifecycle stale
/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[vdemeester]

Putting this in the "frozen" box as I really think we should exercise it, at least on a nightly.

/remove-lifecycle stale
/lifecycle frozem

[vdemeester]

/lifecycle frozen

[ghost]

Given #4112 should we close this one?

[vdemeester]

@sbwsg yes I would think so 👍🏼

[ghost]

/close

[tekton-robot]

@sbwsg: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.