Fix: Add securityContext to Trigger dispatcher. (#970)

🐛 I was puzzled when picking up 1.8 that the ingress warnings went away, but the "dispatcher" warnings stuck around in GKE security posture.

Turns out there are two places calling things "dispatcher" 🤦 so this fixes the other, which was also missed in the later source cleanup.

/kind bug

Co-authored-by: Matt Moore <[email protected]>

Author: knative-prow-robot

pkg/reconciler/trigger/resources/dispatcher.go

@@ -32,6 +32,7 @@ import (
 
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/kmeta"
+	"knative.dev/pkg/ptr"
 	"knative.dev/pkg/system"
 )
 
@@ -118,6 +119,14 @@ func MakeDispatcherDeployment(args *DispatcherArgs) *appsv1.Deployment {
 			Name:          "http-metrics",
 			ContainerPort: 9090,
 		}},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: ptr.Bool(false),
+			ReadOnlyRootFilesystem:   ptr.Bool(true),
+			RunAsNonRoot:             ptr.Bool(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		},
 	}
 	if args.Configs != nil {
 		dispatcher.Env = append(dispatcher.Env, args.Configs.ToEnvVars()...)

pkg/reconciler/trigger/resources/dispatcher_test.go

@@ -215,6 +215,14 @@ func deployment(opts ...func(*appsv1.Deployment)) *appsv1.Deployment {
 							Name:          "http-metrics",
 							ContainerPort: 9090,
 						}},
+						SecurityContext: &corev1.SecurityContext{
+							AllowPrivilegeEscalation: ptr.Bool(false),
+							ReadOnlyRootFilesystem:   ptr.Bool(true),
+							RunAsNonRoot:             ptr.Bool(true),
+							Capabilities: &corev1.Capabilities{
+								Drop: []corev1.Capability{"ALL"},
+							},
+						},
 					}},
 				},
 			},