Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SecurityContext to Eventlistener containers under el-security-context flag #1563

Merged

Conversation

savitaashture
Copy link
Contributor

@savitaashture savitaashture commented Mar 21, 2023

Changes

As part of this PR #1494 we introduced SecurityContext for Eventlistener containers
But for Openshift its not working so adding condition check to set SecurityContext for Eventlistener containers
Reason:
On Openshift cluster when we install Triggers EL container failed to start with below error

message: >-
        pods "el-listener-embed-binding-7b6bc5d595-" is forbidden: unable to
        validate against any security context constraint: [provider "anyuid":
        Forbidden: not usable by user or serviceaccount,
        pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/event-listener]:
        Forbidden: seccomp may not be set,
        spec.containers[0].securityContext.runAsUser: Invalid value: 65532: must
        be in the ranges: [1001190000, 1001199999], provider "restricted":
        Forbidden: not usable by user or serviceaccount, provider "nonroot-v2":
        Forbidden: not usable by user or serviceaccount, provider "nonroot":
        Forbidden: not usable by user or serviceaccount, provider
        "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
        provider "machine-api-termination-handler": Forbidden: not usable by
        user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable
        by user or serviceaccount, provider "hostnetwork": Forbidden: not usable
        by user or serviceaccount, provider "hostaccess": Forbidden: not usable
        by user or serviceaccount, provider "node-exporter": Forbidden: not
        usable by user or serviceaccount, provider "privileged": Forbidden: not
        usable by user or serviceaccount] 

It doesn't allow to set that's why added SecurityContext to Eventlistener containers under el-security-context flag which is True by default so it won't create any issue for K8S

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

@savitaashture savitaashture requested a review from dibyom March 21, 2023 14:51
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Mar 21, 2023
@tekton-robot tekton-robot requested review from dlorenc and wlynch March 21, 2023 14:51
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 21, 2023
@savitaashture savitaashture requested a review from khrm March 21, 2023 14:51
@savitaashture
Copy link
Contributor Author

We also need this for 0.23.x

@savitaashture
Copy link
Contributor Author

/retest

Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to add any tests? Otherwise, it looks fine.

/approve

@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: khrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 22, 2023
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/kind bug

@tekton-robot tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 22, 2023
@khrm khrm removed the kind/bug Categorizes issue or PR as related to a bug. label Mar 22, 2023
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/kind cleanup

@tekton-robot tekton-robot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Mar 22, 2023
@savitaashture
Copy link
Contributor Author

/test pull-tekton-triggers-integration-tests

@dibyom
Copy link
Member

dibyom commented Mar 24, 2023

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2023
@tekton-robot tekton-robot merged commit 625252b into tektoncd:main Mar 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants