From 930ff2db04e6456f07a97535ddb616b79f785a26 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Tue, 9 Mar 2021 10:09:54 -0600
Subject: [PATCH] fix(gate): fixes securityContext
This patch fixes the securityContext for the tekton-pipeline charts to unclog a gate failure.
Signed-off-by: Tin Lam
Change-Id: I5a44f6ecd92c0800aa9f43206fd2c7621d7ac260
---
 .../templates/deployment-controller.yaml | 8 ++++++--
 .../tekton-pipelines/templates/deployment-webhook.yaml | 8 ++++++--
 charts/tekton-pipelines/values.yaml | 10 ----------
 3 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/charts/tekton-pipelines/templates/deployment-controller.yaml b/charts/tekton-pipelines/templates/deployment-controller.yaml
index aef69f48..80b2c8f2 100644
--- a/charts/tekton-pipelines/templates/deployment-controller.yaml
+++ b/charts/tekton-pipelines/templates/deployment-controller.yaml
@@ -73,8 +73,12 @@ spec:
 - name: METRICS_DOMAIN
 value: {{ $.Values.controller.conf.metrics_domain }}
 securityContext:
- allowPrivilegeEscalation: {{ $.Values.controller.pod.security_context.container.tekton_pipelines_controller.allowPrivilegeEscalation }}
- runAsUser: {{ $.Values.controller.pod.security_context.container.tekton_pipelines_controller.runAsUser }}
+ allowPrivilegeEscalation: false
+ runAsUser: 65532
+ runAsGroup: 65532
+ capabilities:
+ drop:
+ - all
 volumes:
 - name: config-logging
 configMap:
diff --git a/charts/tekton-pipelines/templates/deployment-webhook.yaml b/charts/tekton-pipelines/templates/deployment-webhook.yaml
index 8c44bf27..37eac049 100644
--- a/charts/tekton-pipelines/templates/deployment-webhook.yaml
+++ b/charts/tekton-pipelines/templates/deployment-webhook.yaml
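Review bot: In the deployment-controller.yaml hunk the new `capabilities.drop` entry is spelled lowercase `all`, whereas the Kubernetes documentation and the Pod Security Standards spell the value `ALL`. The container runtime may normalise the case, but an admission policy or scanner that string-matches `ALL` can report this container as not dropping its capabilities, so `- ALL` is the safer spelling. The same entry appears in the deployment-webhook.yaml hunk.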
@@ -48,8 +48,12 @@ spec:
 - name: METRICS_DOMAIN
 value: {{ $.Values.webhook.conf.metrics_domain }}
 securityContext:
- allowPrivilegeEscalation: {{ $.Values.webhook.pod.security_context.container.webhook.allowPrivilegeEscalation }}
- runAsUser: {{ $.Values.webhook.pod.security_context.container.webhook.runAsUser }}
+ allowPrivilegeEscalation: false
+ runAsUser: 65532
+ runAsGroup: 65532
+ capabilities:
+ drop:
+ - all
 ports:
 - name: metrics
 containerPort: {{ $.Values.webhook.endpoints.ports.metrics.targetPort }}
diff --git a/charts/tekton-pipelines/values.yaml b/charts/tekton-pipelines/values.yaml
index cb215377..8ce26a70 100644
--- a/charts/tekton-pipelines/values.yaml
+++ b/charts/tekton-pipelines/values.yaml
@@ -74,11 +74,6 @@ controller:
 pod:
 replicas: 1
- security_context:
- container:
- tekton_pipelines_controller:
- runAsUser: 1001
- allowPrivilegeEscalation: false
 conf:
 metrics_domain: tekton.dev/pipeline
@@ -134,11 +129,6 @@ webhook:
 periodSeconds: 10
 timeoutSeconds: 1
 replicas: 1
- security_context:
- container:
- webhook:
- runAsUser: 1001
- allowPrivilegeEscalation: false
 conf:
 metrics_domain: tekton.dev/pipeline
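Review bot: The webhook container's new `securityContext` in deployment-webhook.yaml pins `runAsUser: 65532` but does not set `runAsNonRoot: true`, so nothing makes the kubelet refuse to start the container if the UID is later edited to 0 or the field is removed. Adding `runAsNonRoot: true` beside `runAsUser` turns the non-root intent into an enforced check. Because the values.yaml hunks delete the `security_context` keys, these literals can no longer be overridden per deployment, so a one-line comment saying where 65532 comes from (presumably the non-root user of the container image) would explain why it replaced 1001. The same applies to the controller hunk in deployment-controller.yaml.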