[Deprecated] PodSecurityPolicy

This commit removes the deprecated PodSeucrityPolicy and add PodSecurityAdmission(PSA) restricted label with respective policies enforced by PSP but not covered by the restricted standard of PSA.
tektoncd · Sep 23, 2022 · 6a4c46c · 6a4c46c
1 parent 826d8a0
commit 6a4c46c
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 69 deletions.
diff --git a/config/100-namespace/100-namespace.yaml b/config/100-namespace/100-namespace.yaml
@@ -19,3 +19,4 @@ metadata:
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
+    pod-security.kubernetes.io/enforce: restricted
diff --git a/config/101-podsecuritypolicy.yaml b/config/101-podsecuritypolicy.yaml
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -118,10 +118,6 @@ rules:
     # When there are changes to the configs or secrets, knative updates the validatingwebhook config
     # with the updated certificates or the refreshed set of rules.
     verbs: ["get", "update", "delete"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get"]

diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -30,10 +30,6 @@ rules:
     resources: ["configmaps"]
     verbs: ["get"]
     resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election", "config-registry-cert"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -63,10 +59,6 @@ rules:
     resources: ["secrets"]
     verbs: ["get", "update"]
     resourceNames: ["webhook-certs"]
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    resourceNames: ["tekton-pipelines"]
-    verbs: ["use"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/config/controller.yaml b/config/controller.yaml
@@ -156,6 +156,10 @@ spec:
         - name: config-registry-cert
           configMap:
             name: config-registry-cert
+      securityContext:
+        seLinuxOptions:
+          role: "RunAsUser"
+        runAsNonRoot: true
 ---
 apiVersion: v1
 kind: Service

diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -140,6 +140,10 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
           timeoutSeconds: 5
+      securityContext:
+        seLinuxOptions:
+          role: "RunAsUser"
+        runAsNonRoot: true
 ---
 apiVersion: v1
 kind: Service