
Is there a way to create a Tekton EventListener with a securityContext? I can't seem to find anything in the documentation for this and I'm unable to get one running in my environment because of the following error that shows up in the EventListener status:

Message:               pods "el-github-listener-interceptor-7b89d546dd-m6rdz" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "event-listener" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "event-listener" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "event-listener" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

My EventListener is defined as follows:

apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener-interceptor
  namespace: tekton-pipelines
spec:
  serviceAccountName: sa-tekton-triggers
  triggers:
    - name: github-listener
      interceptors:
        - ref:
            name: "github"
          params:
            - name: "eventTypes"
              value: ["push"]
        - ref:
            name: cel
          params:
            - name: filter
              # execute only when ....
              value: extensions.changed_files.matches('src/')
      bindings:
        - ref: pipeline-reach-dashboard-binding
      template:
        ref: pipeline-reach-dashboard-template

I've tried adding in the securityContext block every spot imaginable, but no luck.

Thanks!

Update. Looks like this is possibly a bug:

https://github.com/tektoncd/pipeline/issues/5896

Moving the EventListener and trigger items to a different namespace other than tekton-pipelines allows me to work around this.

  • Which version of tekton are you running? FYI, their controller will setup some securityContext (including allowPrivilegeEscalation=false), merged last month, see: https://github.com/tektoncd/triggers/pull/1494 . And no: to my knowledge, they don't yet plan on allowing customizations through EventListener. – SYN Mar 16 '23 at 18:04
  • Thanks for the response! I'm using pipelines version v0.45.0, dashboard version v0.33.0, triggers and interceptors version v0.22.0 I actually already stumbled across that link you sent, but I'm not clear if there's anything I can do in this case to leverage that and fix my error? – Gary Turner Mar 16 '23 at 18:17
  • 1
    tekton triggers v0.23.0 should ship with at least a partial fix. Given your error message says `violates PodSecurity restricted:latest: allowPrivilegeEscalation != false`, and that v0.23.0 hardcodes that allowPrivilegesEscalation=false, odds are you're running a previous version. Upgrading may not fix it all, still that first part of your error should go away – SYN Mar 17 '23 at 20:23
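The three conditions quoted in the EventListener status are the per-container checks that the PodSecurity "restricted" profile enforces. The script below is an added example (my own code, not Tekton's or Kubernetes' admission code) that re-implements just those three controls, plus the rule that only NET_BIND_SERVICE may be added to capabilities, over a pod spec loaded as a plain dict, so you can see which fields the pod generated for the listener is missing and what the minimal hardened container securityContext looks like. The sample pod spec is constructed to resemble the `event-listener` container from the error message; the image name is a placeholder. The real profile also checks other things (for example runAsNonRoot and volume types) that this example does not cover.

```python
import copy

# Constructed sample: a pod whose only container carries no securityContext,
# which is the situation the error message above describes. Image is a placeholder.
UNHARDENED_POD = {
    "containers": [
        {"name": "event-listener", "image": "example.invalid/eventlistener:placeholder"},
    ],
}

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}     # the only capability "restricted" lets you add
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(pod_spec):
    """All container kinds are subject to the restricted container checks."""
    return (
        (pod_spec.get("containers") or [])
        + (pod_spec.get("initContainers") or [])
        + (pod_spec.get("ephemeralContainers") or [])
    )


def restricted_violations(pod_spec):
    """Return one message per violated control, phrased like the admission error."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    violations = []
    for c in _containers(pod_spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # 1. allowPrivilegeEscalation must be explicitly false (unset counts as a violation)
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')

        # 2. capabilities.drop must include ALL; only NET_BIND_SERVICE may be re-added
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(
                f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(
                f'container "{name}" may only add NET_BIND_SERVICE, not {sorted(extra)}')

        # 3. seccompProfile.type must be RuntimeDefault or Localhost; a pod-level
        #    setting satisfies the check for containers that set none of their own
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ALLOWED_SECCOMP:
            violations.append(
                f'pod or container "{name}" must set securityContext.seccompProfile.type '
                'to "RuntimeDefault" or "Localhost"')
    return violations


def harden(pod_spec):
    """Return a deep copy with the minimal per-container fields that satisfy the checks."""
    out = copy.deepcopy(pod_spec)
    for c in _containers(out):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
        if (sc.get("seccompProfile") or {}).get("type") not in ALLOWED_SECCOMP:
            sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return out


if __name__ == "__main__":
    for v in restricted_violations(UNHARDENED_POD):
        print("violation:", v)
    print("after harden():", restricted_violations(harden(UNHARDENED_POD)))
```

Running it against the constructed pod prints the same three complaints the EventListener status shows, and `harden()` produces the securityContext that the Tekton controller change linked in the comments hardcodes for the first of them. The reason moving the listener to another namespace works is that the restricted profile is enforced per namespace through its pod-security labels; a namespace without that enforce label simply does not run these checks, so the pod there is admitted with the same missing fields.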

0 Answers