
EventListeners do not have correct SecurityContext to run in tekton-pipelines namespace #1490

Closed
dibyom opened this issue Dec 5, 2022 · 1 comment · Fixed by #1494
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@dibyom
Member

dibyom commented Dec 5, 2022

    @dibyom I apologize if this is the wrong place to provide feedback on this ticket, but I'm still getting this error on k8s v1.24, pipelines v0.42 and triggers v0.22 (I can confirm that the `securityContext` fix is present in `tekton-triggers-controller` and `-webhook`):
Warning  FailedCreate  47s (x7 over 3m29s)  replicaset-controller  (combined from similar events): Error creating: pods "el-pulumi-el-8bc4bf7-nxznb" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "event-listener" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "event-listener" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "event-listener" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Originally posted by @seunggs in #1477 (comment)

@dibyom dibyom added the kind/bug Categorizes issue or PR as related to a bug. label Dec 5, 2022
@dibyom
Member Author

dibyom commented Dec 9, 2022

From Slack thread:
We run in GKE and use Google's security posture for scanning our clusters. Tekton Trigger EventListeners are causing a medium vulnerability to be thrown. The EventListeners are running as non-root, non-privileged containers, but they don't have the security spec for spec.containers[*].securityContext.allowPrivilegeEscalation set to false. Therefore, the vulnerability is thrown for "Pod container allows privilege escalation on exec". Is there any way to add allowPrivilegeEscalation set to false so the event listeners don't throw this?

@dibyom dibyom added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Dec 9, 2022
dibyom added a commit to dibyom/triggers that referenced this issue Dec 14, 2022
The security context is the same one that is applied to other Tekton workloads
such as the Triggers and Pipeline controller pods. Eventlisteners already run
as non-root, non-privileged containers. Adding this setting allows them to run
in environments with pod security admission set to "restricted" (such as the
tekton-pipelines namespace).

Fixes tektoncd#1490

Signed-off-by: Dibyo Mukherjee <[email protected]>
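The admission error quoted in the first comment names three container-level checks of the PodSecurity "restricted" profile (allowPrivilegeEscalation must be false, capabilities must drop ALL, and a seccompProfile of RuntimeDefault or Localhost must be set on the pod or the container), and the commit above fixes them by giving the EventListener container the same security context as the other Tekton controller pods. The following is an added example, not code from Tekton Triggers: a small Go checker over a pod spec, using only the standard library, that reproduces those three checks and is run against a constructed "before" spec (non-root only, as the issue describes) and a constructed "after" spec carrying the hardened context. The JSON field names follow the Kubernetes API; the image name is a placeholder and the exact security context Tekton applies is assumed from the error message, not copied from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod spec that the three "restricted" checks quoted
// in the issue look at. Field names follow the Kubernetes API.
type capabilities struct {
	Drop []string `json:"drop,omitempty"`
}

type seccompProfile struct {
	Type string `json:"type"`
}

type securityContext struct {
	RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *capabilities   `json:"capabilities,omitempty"`
	SeccompProfile           *seccompProfile `json:"seccompProfile,omitempty"`
}

type container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *securityContext `json:"securityContext,omitempty"`
}

type podSpec struct {
	SecurityContext *securityContext `json:"securityContext,omitempty"`
	Containers      []container      `json:"containers"`
}

func dropsAll(drop []string) bool {
	for _, d := range drop {
		if d == "ALL" {
			return true
		}
	}
	return false
}

// restrictedViolations mirrors the three container-level checks from the
// admission error in the issue and returns one message per failed check.
func restrictedViolations(spec podSpec) []string {
	var out []string
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, fmt.Sprintf("allowPrivilegeEscalation != false (container %q)", c.Name))
		}
		if sc == nil || sc.Capabilities == nil || !dropsAll(sc.Capabilities.Drop) {
			out = append(out, fmt.Sprintf("unrestricted capabilities (container %q must drop ALL)", c.Name))
		}
		// A pod-level seccompProfile satisfies the check unless the container overrides it.
		prof := ""
		if spec.SecurityContext != nil && spec.SecurityContext.SeccompProfile != nil {
			prof = spec.SecurityContext.SeccompProfile.Type
		}
		if sc != nil && sc.SeccompProfile != nil {
			prof = sc.SeccompProfile.Type
		}
		if prof != "RuntimeDefault" && prof != "Localhost" {
			out = append(out, fmt.Sprintf("seccompProfile (pod or container %q must be RuntimeDefault or Localhost)", c.Name))
		}
	}
	return out
}

// checkJSON parses a pod spec and returns its restricted-profile violations.
func checkJSON(raw string) ([]string, error) {
	var spec podSpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return nil, err
	}
	return restrictedViolations(spec), nil
}

// Constructed sample (not a real EventListener pod): non-root only, as before the fix.
const beforeJSON = `{"containers":[{"name":"event-listener",
  "image":"example.invalid/eventlistener:placeholder",
  "securityContext":{"runAsNonRoot":true}}]}`

// Constructed sample: the same container with the hardened context assumed from the error.
const afterJSON = `{"containers":[{"name":"event-listener",
  "image":"example.invalid/eventlistener:placeholder",
  "securityContext":{"runAsNonRoot":true,"allowPrivilegeEscalation":false,
  "capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}}]}`

func main() {
	for _, raw := range []string{beforeJSON, afterJSON} {
		v, err := checkJSON(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d violation(s): %v\n", len(v), v)
	}
}
```

Running the block reports three violations for the "before" spec and none for the "after" spec, which is the same outcome the replicaset-controller event in the issue reflects: the container was already non-root, but the restricted profile needs the three settings to be stated explicitly.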
@dibyom dibyom added this to the Triggers v0.23 milestone Dec 14, 2022
dibyom added a commit to dibyom/triggers that referenced this issue Jan 9, 2023
dibyom added a commit to dibyom/triggers that referenced this issue Jan 13, 2023
dibyom added a commit to dibyom/triggers that referenced this issue Feb 9, 2023
tekton-robot pushed a commit that referenced this issue Feb 14, 2023
khrm pushed a commit to khrm/triggers that referenced this issue Feb 23, 2023