Add securityContext to Knative Eventing core objects

[evankanderson]

Proposed Changes

• 🧹 Set SecurityContext on all resources installed by core or in-memory controllers.
  • This should allow running pods under the restricted Pod Security Standard

Pre-review Checklist

• [na] At least 80% unit test coverage
• [na] E2E tests for any new behavior
• [na] Docs PR for any user-facing impact
• [na] Spec PR for any new API feature
• [na] Conformance test for any change to the spec

Release Note

All core Knative Eventing Pods should now be able to run in the restricted pod security standard profile.

Docs

No docs impact

[codecov]

Codecov Report

Merging #5863 (b0ba615) into main (4de0da0) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #5863   +/-   ##
=======================================
  Coverage   81.96%   81.96%           
=======================================
  Files         220      220           
  Lines        7458     7458           
=======================================
  Hits         6113     6113           
  Misses        918      918           
  Partials      427      427           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4de0da0...b0ba615. Read the comment docs.

[evankanderson]

Apparently I can cut and paste runasNonRoot very effectively. Corrected!

[evankanderson]

/assign @lionelvillard

[odacremolbap]

Not sure if intended, but while heartbeats manifest has been updated with resources/security, appender and event_display has not. recordevents (not sure if that's generally considered a tool people could use or an internal testing tool only) also lacks them.

• https://github.com/knative/eventing/blob/main/config/tools/appender/appender.yaml
• https://github.com/knative/eventing/blob/main/config/tools/event-display/event-display.yaml
• https://github.com/knative/eventing/blob/main/config/tools/recordevents/recordevents.yaml

[evankanderson]

I thought that heartbeats was related to one of the GA components, while recordeevents and appender did not seem to be documented on knative.dev.

[evankanderson]

/assign @julz @devguyio

[matzew]

/assign

I will take a look at this

[matzew]

/hold

[matzew]

some of this was already done before and got reverted - see: https://github.com/knative/eventing/pull/5629/files

[julz]

FWIW we reverted because we didn't have time - at the time - to figure out mem/cpu requests that were low enough to work reliably in GitHub actions, the securityContext stuff should IMO be good either way, and I think having resources present - even if low - is better than not having them at all (so being entirely at the mercy of the scheduler happening not to collocate too many jobs on a node).

tl;dr imo we should just make sure this reliably works in GitHub actions, and lower mem/cpu until it does :)

[matzew]

2021/11/02 09:08:48 error processing import paths in "config/500-controller.yaml": error resolving image references: Put https://index.docker.io/v2/matzew/apiserver_receive_adapter-53e790fb0f6460420543f068b229321d/blobs/uploads/03d941d0-a316-469c-8740-a659a9f27e49?_state=0lAdx7jka1qpJmLkNLSzDpjLciu6ww-yU6JXcCYOVdt7Ik5hbWUiOiJtYXR6ZXcvYXBpc2VydmVyX3JlY2VpdmVfYWRhcHRlci01M2U3OTBmYjBmNjQ2MDQyMDU0M2YwNjhiMjI5MzIxZCIsIlVVSUQiOiIwM2Q5NDFkMC1hMzE2LTQ2OWMtODc0MC1hNjU5YTlmMjdlNDkiLCJPZmZzZXQiOjIzNTA3NTY2LCJTdGFydGVkQXQiOiIyMDIxLTExLTAyVDA4OjA3OjU5WiJ9&digest=sha256%3A8f43c9c4ec1e0540726c3a0ba0c218f38189d29581240ab48168bcce899c815d: EOF

hrm - getting that from ko apply ... I guess unrelated... but...

[matzew]

as said before, not sure we really have facts for bumping the numbers to this

[julz]

fwiw I think any request is better than no request at all here, otherwise it really is just luck causing the controller to be on a node with any mem/cpu left at all iyswim

[evankanderson]

These requests were copied from serving; I agree that they could probably be tuned (lower, I'm hoping), but leaving them out entirely doesn't do the scheduler any favors (and just pushes the issue to any responsible downstream distributors).

I agree that it would have been good if this had been in earlier in the release cycle; I forgot about it until 2 days ago.

[evankanderson]

Do you want me to split this into two (securityContext and resources) if you want, though it seems unlikely that either will be part of the release.

[evankanderson]

I'm going to make this one be just securityContext and open a new one for resources.

Checking in now will give max time to bake for 1.1

[evankanderson]

Nov  2 16:41:17.698 install_latest_release [OUT] Installing Knative Eventing from: latest-release
Nov  2 16:41:17.702 install_latest_release [OUT] --2021-11-02 16:41:17--  https://github.com/knative/eventing/releases/download/v0.27.0/eventing.yaml
Nov  2 16:41:17.710 install_latest_release [OUT] Resolving github.com (github.com)... 140.82.112.4
Nov  2 16:41:17.737 install_latest_release [OUT] Connecting to github.com (github.com)|140.82.112.4|:443... connected.
Nov  2 16:41:17.867 install_latest_release [OUT] HTTP request sent, awaiting response... 404 Not Found
Nov  2 16:41:17.986 install_latest_release [OUT] 2021-11-02 16:41:17 ERROR 404: Not Found.

I don't think that's this PR.

/retest pull-knative-eventing-upgrade-tests

[knative-prow-robot]

@evankanderson: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

• /test pull-knative-eventing-build-tests
• /test pull-knative-eventing-conformance-tests
• /test pull-knative-eventing-integration-tests
• /test pull-knative-eventing-reconciler-tests
• /test pull-knative-eventing-unit-tests
• /test pull-knative-eventing-upgrade-tests

The following commands are available to trigger optional jobs:

• /test pull-knative-eventing-go-coverage

Use /test all to run all jobs.

In response to this:

Nov  2 16:41:17.698 install_latest_release [OUT] Installing Knative Eventing from: latest-release
Nov  2 16:41:17.702 install_latest_release [OUT] --2021-11-02 16:41:17--  https://github.com/knative/eventing/releases/download/v0.27.0/eventing.yaml
Nov  2 16:41:17.710 install_latest_release [OUT] Resolving github.com (github.com)... 140.82.112.4
Nov  2 16:41:17.737 install_latest_release [OUT] Connecting to github.com (github.com)|140.82.112.4|:443... connected.
Nov  2 16:41:17.867 install_latest_release [OUT] HTTP request sent, awaiting response... 404 Not Found
Nov  2 16:41:17.986 install_latest_release [OUT] 2021-11-02 16:41:17 ERROR 404: Not Found.

I don't think that's this PR.

/retest pull-knative-eventing-upgrade-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[evankanderson]

/test pull-knative-eventing-upgrade-tests

[evankanderson]

(This needs knative/hack#101 to pass)

[evankanderson]

/test pull-knative-eventing-upgrade-tests

[evankanderson]

(Tests now pass)

[evankanderson]

@matzew

Does making this just contain securityContext changes and having it early in the cycle reduce your concerns enough to remove the hold (and maybe approve it)?

[matzew]

/unhold

[odacremolbap]

+1

(although I liked the resources version best, even if they were only a starting point to to get tuned later)

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, odacremolbap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment