fix(backend): Add securitycontext for k8s 1.25 (kubeflow#1132)

yhwang · Tomcli · commit 3ce7c8882d50 · 2023-01-26T10:54:22.000-08:00
For k8s 1.25, a securityContext definition is needed for a pod.
Add proper security context to pipelineloop controler and webhook

Signed-off-by: Yihong Wang &lt;yh.wang@ibm.com&gt;

Signed-off-by: Yihong Wang &lt;yh.wang@ibm.com&gt;
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
@@ -54,3 +54,13 @@ spec:
           value: config-observability
         - name: METRICS_DOMAIN
           value: tekton.dev/pipeline
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
@@ -64,6 +64,16 @@ spec:
           containerPort: 8008
         - name: https-webhook
           containerPort: 8443
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
