Run controller/webhook as GID 65532, drop caps

Containers running as root group or with excessive capabilities have larger security impact if compromised. It is recommended to run containers as non-root and drop unneeded capabilities. Controller and Webhook are regular servers and don't need special capabilities. This change is tested with master version on a GKE cluster.
tektoncd · Dec 10, 2020 · bff0ba0 · bff0ba0
1 parent d58a1ae
commit bff0ba0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -111,8 +111,12 @@ spec:
           value: tekton.dev/pipeline
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
+          runAsGroup: 65532
         ports:
         - name: probes
           containerPort: 8080

diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -102,8 +102,12 @@ spec:
           value: tekton.dev/pipeline
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
           # User 65532 is the distroless nonroot user ID
           runAsUser: 65532
+          runAsGroup: 65532
         ports:
         - name: metrics
           containerPort: 9090