port https://github.com/tektoncd/pipeline/pull/2967 to triggers

[gabemontero]

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

    The PodSecurityPolicy configuration was updated so that container must run as non-root, and the RBAC for utilizing the PSP was moved from cluster scoped to namespace scoped to better ensure triggers can not utilize other PSPs unrelated to this project

[gabemontero]

@vdemeester @nikhil-thomas @sthaha FYI

IIRC the analogous upstream pipeline PR that modified PSP/roles had implications for us downstream ?

[gabemontero]

@dibyom @savitaashture I finally pushed updates based on your comments last month

I've also reached out to @skaegi about verifications in his env's vs. the verifications I'll be doing.

[gabemontero]

I'm going to remove the WIP label ... I've completed the testing in the secured environments I have access to

[dibyom]

Could we drop the WIP from the commit message and make it a bit more descriptive? (also, add to the release notes?)

[savitaashture]

Hi @gabemontero

I tried to install trigger using this PR on minikube and i see pods's are not coming up

kubectl get pods -n tekton-pipelines  -w
NAME                                           READY   STATUS             RESTARTS   AGE
tekton-triggers-controller-5995c76b5b-bgkfb    0/1     CrashLoopBackOff   5          10m
tekton-triggers-webhook-5c94c6cdc-cwmpx        0/1     CrashLoopBackOff   6          10m

with below error

ae8bdf6a3207335c"
  Warning  BackOff    100s (x5 over 2m26s)   kubelet, minikube  Back-off restarting failed container
  Normal   Created    87s (x5 over 3m6s)     kubelet, minikube  Created container tekton-triggers-controller
  Normal   Pulled     87s (x4 over 2m54s)    kubelet, minikube  Container image "docker.io/savita3020/controller-f656ca31de179ab913fa76abc255c315@sha256:0d2d80595fdfa8ee8462532fe03d04447dc6d35fc35c2e93ae8bdf6a3207335c" already present on machine
  Warning  Failed     86s (x5 over 3m6s)     kubelet, minikube  Error: failed to start container "tekton-triggers-controller": Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "chdir to cwd (\"/home/nonroot\") set in config.json failed: permission denied": unknown

same issue occurring for pipeline tektoncd/pipeline#3273

[gabemontero]

Ah ha ... thanks for trying that out @savitaashture

Am I correct that you had to explicitly turn on pod security policy controller with your minikube installation (as I recall PSP controller is off by default with k8s ... or does minikube turn in on automatically under the covers) ?

I agree that it looks like the same situation in pipelines.

/hold

let's see how tektoncd/pipeline#3273 sorts out

[gabemontero]

/hold cancel

I've pulled in tektoncd/pipeline#3342 which addressed @savitaashture 's issue

/assign @dibyom
/assign @savitaashture

PTAL ... thanks

[gabemontero]

check that ... @dibyom pulled in that latest fix with 09539a8

[dibyom]

This LGTM. One minor nit - can we make the commit message more descriptive? maybe, it could be the same as the message from the pipelines PR. Also, let's add to the release notes?

[gabemontero]

OK cleaned up commit message and got the rebase sorted out

PTAL @dibyom and @savitaashture

[gabemontero]

release note updated as well @dibyom

[dibyom]

/approve
/lgtm

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dibyom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment