From bff0ba00ed0c1d3461947cdd02d5fb7e63c04df7 Mon Sep 17 00:00:00 2001
From: Ben Hu
Date: Tue, 8 Dec 2020 19:41:29 +0000
Subject: [PATCH] Run controller/webhook as GID 65532, drop caps

Containers running as root group or with excessive capabilities have larger security impact if compromised. It is recommended to run containers as non-root and drop unneeded capabilities. Controller and Webhook are regular servers and don't need special capabilities. This change is tested with master version on a GKE cluster.
---
config/controller.yaml | 4 ++++
config/webhook.yaml | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/config/controller.yaml b/config/controller.yaml
index d7e207af3f9..55408bd158f 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -111,8 +111,12 @@ spec:
 value: tekton.dev/pipeline
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
 # User 65532 is the distroless nonroot user ID
 runAsUser: 65532
+ runAsGroup: 65532
 ports:
 - name: probes
 containerPort: 8080
diff --git a/config/webhook.yaml b/config/webhook.yaml
index aa6b253e540..df33a7d56a1 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -102,8 +102,12 @@ spec:
 value: tekton.dev/pipeline
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
 # User 65532 is the distroless nonroot user ID
 runAsUser: 65532
+ runAsGroup: 65532
 ports:
 - name: metrics
 containerPort: 9090
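Review bot: The dropped capability is spelled lowercase `- all` in both the config/controller.yaml and config/webhook.yaml hunks; container runtimes generally upper-case capability names before applying them, but I believe Kubernetes-side policy checks (the Pod Security Standards restricted profile and PodSecurityPolicy requiredDropCapabilities) compare against the literal `ALL`, so the canonical `- ALL` would avoid these pods being reported as not dropping all capabilities. Now that the user and group are pinned to the distroless nonroot id, adding `runAsNonRoot: true` beside `runAsUser: 65532` would make the kubelet refuse to start the container if the image or a later overlay ever reverts it to UID 0, rather than relying on the numeric id alone. The container spec these securityContext lines belong to starts before the hunk, and both points apply identically to the webhook hunk.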