Add more secure SecurityContext to injected pod containers

[lbernick]

This commit adds a SecurityContext to containers injected into TaskRun pods to allow them to run in namespaces with "restricted" pod security admission policies. This includes both init containers and the sidecar container which extracts results. See https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted.

It assumes that a TaskRun is meant to run on Windows if and only if it has a podTemplate with a nodeSelector containing "kubernetes.io/os: windows". (See https://kubernetes.io/docs/concepts/windows/user-guide/.)

This functionality is guarded behind a feature flag that defaults to false, as it may not work on all Kubernetes implementations.

/kind bug
Closes #5896

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
• n/a Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Set new feature flag "set-security-context" to "true" to allow TaskRuns and PipelineRuns to be run in namespaces with restricted pod security admission

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/pod.go	91.8%	92.2%	0.4
pkg/pod/workingdir_init.go	92.9%	94.1%	1.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/pod.go	91.8%	92.2%	0.4
pkg/pod/workingdir_init.go	92.9%	94.1%	1.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/pod.go	91.8%	91.8%	-0.1
pkg/pod/workingdir_init.go	92.9%	94.1%	1.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/pod.go	91.8%	91.8%	-0.1
pkg/pod/workingdir_init.go	92.9%	94.1%	1.3

[dibyom]

Are we sure we want to add this by default? Triggers tried doing this but we had to make it optional due to it not working on some environments: tektoncd/triggers#1563

For #5896, it seems like we could document not creating taskruns/pipelineruns in the tekton-pipelines namespace?

[lbernick]

Are we sure we want to add this by default? Triggers tried doing this but we had to make it optional due to it not working on some environments: tektoncd/triggers#1563

This is good to know! WDYT about introducing a new feature flag?

For #5896, it seems like we could document not creating taskruns/pipelineruns in the tekton-pipelines namespace?

It seems pretty reasonable to not support creating taskruns in tekton-pipelines, but I think we should probably support creating taskruns in other namespaces that might have restricted pod security admission, especially since none of our injected containers need elevated privileges

[dibyom]

This is good to know! WDYT about introducing a new feature flag?

Opt-in sounds good to me.

[lbernick]

/hold
while I incorporate dibyo's suggestions

[vdemeester]

I like the idea of opt-in with possible going "opt-out" in the future (given a timeframe). As long as it is configurable, we can work around it.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[lbernick]

/hold cancel
/remove-kind bug
/kind feature

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[lbernick]

Created #6633 to track this flake.
/retest

[JeromeJu]

/assign

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/apis/config/feature_flags.go	92.6%	91.8%	-0.9
pkg/pod/pod.go	92.4%	92.5%	0.2
pkg/pod/script.go	99.0%	99.0%	0.0
pkg/pod/workingdir_init.go	92.9%	95.0%	2.1

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dibyom,vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Yongxuanzhang]

/lgtm