Allow users to set custom securityContext in EventListener spec

1. Users can now define their own securityContext under the EventListener YAML.
2. When  is true
   - If the user sets a custom securityContext, it is give priority and used same.
   - If not, a default securityContext is applied.

Signed-off-by: savitaashture <sashture@redhat.com>

Author: savitaashture

docs/eventlisteners.md

@@ -272,6 +272,7 @@ Tolerations
 Containers
 Affinity
 TopologySpreadConstraints
+SecurityContext
 ```
 
 Legal values for the `Containers` sub-field for `kubernetesResource` and `CustomResource` are:
@@ -283,12 +284,14 @@ Env
 LivenessProbe
 ReadinessProbe
 StartupProbe
+SecurityContext
 ```
 
 **CustomResource:**
 ```
 Resources
 Env
+SecurityContext
 ```
 
 ### Specifying a `kubernetesResource` object
@@ -310,13 +313,18 @@ spec:
               key: "value"
           spec:
             serviceAccountName: tekton-triggers-github-sa
+            securityContext:
+              runAsNonRoot: true
             nodeSelector:
               app: test
             tolerations:
             - key: key
               value: value
               operator: Equal
               effect: NoSchedule
+            containers:
+            - securityContext:
+                readOnlyRootFilesystem: true
 ```
 
 #### Specifying `Service` configuration

examples/v1beta1/eventlisteners/eventlistener-securitycontext.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+  name: listener-tolerations
+spec:
+  serviceAccountName: tekton-triggers-example-sa
+  resources:
+    kubernetesResource:
+      spec:
+        template:
+          spec:
+            securityContext:
+              runAsNonRoot: true
+            containers:
+              - resources:
+                  requests:
+                    memory: "64Mi"
+                    cpu: "250m"
+                  limits:
+                    memory: "128Mi"
+                    cpu: "500m"
+                securityContext:
+                  readOnlyRootFilesystem: true
+  triggers:
+    - name: foo-trig
+      bindings:
+        - ref: pipeline-binding
+        - ref: message-binding
+      template:
+        ref: pipeline-template

pkg/apis/triggers/v1beta1/event_listener_validation.go

@@ -232,13 +232,15 @@ func containerFieldMaskForKubernetes(in *corev1.Container) *corev1.Container {
 	out.LivenessProbe = in.LivenessProbe
 	out.ReadinessProbe = in.ReadinessProbe
 	out.StartupProbe = in.StartupProbe
+	out.SecurityContext = in.SecurityContext
 	return containerFieldMask(out)
 }
 
 func containerFieldMaskForCustomResource(in *corev1.Container) *corev1.Container {
 	out := new(corev1.Container)
 	out.Resources = in.Resources
 	out.Env = in.Env
+	out.SecurityContext = in.SecurityContext
 	return containerFieldMask(out)
 }
 
@@ -278,6 +280,7 @@ func podSpecMask(in *corev1.PodSpec) *corev1.PodSpec {
 	out.Affinity = in.Affinity
 	out.TopologySpreadConstraints = in.TopologySpreadConstraints
 	out.ImagePullSecrets = in.ImagePullSecrets
+	out.SecurityContext = in.SecurityContext
 
 	// Disallowed fields
 	// This list clarifies which all podspec fields are not allowed.
@@ -294,7 +297,6 @@ func podSpecMask(in *corev1.PodSpec) *corev1.PodSpec {
 	out.HostPID = false
 	out.HostIPC = false
 	out.ShareProcessNamespace = nil
-	out.SecurityContext = nil
 	out.Hostname = ""
 	out.Subdomain = ""
 	out.SchedulerName = ""

pkg/apis/triggers/v1beta1/event_listener_validation_test.go

@@ -587,6 +587,48 @@ func Test_EventListenerValidate(t *testing.T) {
 					},
 				},
 			},
+		}, {
+			name: "Valid EventListener with kubernetes resources for securityContext",
+			el: &triggersv1beta1.EventListener{
+				ObjectMeta: myObjectMeta,
+				Spec: triggersv1beta1.EventListenerSpec{
+					Triggers: []triggersv1beta1.EventListenerTrigger{{
+						Template: &triggersv1beta1.EventListenerTemplate{
+							Ref: ptr.String("tt"),
+						},
+					}},
+					Resources: triggersv1beta1.Resources{
+						KubernetesResource: &triggersv1beta1.KubernetesResource{
+							WithPodSpec: duckv1.WithPodSpec{
+								Template: duckv1.PodSpecable{
+									Spec: corev1.PodSpec{
+										ServiceAccountName: "k8sresource",
+										SecurityContext: &corev1.PodSecurityContext{
+											RunAsNonRoot: ptr.Bool(true),
+										},
+										Containers: []corev1.Container{{
+											Resources: corev1.ResourceRequirements{
+												Limits: corev1.ResourceList{
+													corev1.ResourceCPU:    resource.Quantity{Format: resource.DecimalSI},
+													corev1.ResourceMemory: resource.Quantity{Format: resource.BinarySI},
+												},
+												Requests: corev1.ResourceList{
+													corev1.ResourceCPU:    resource.Quantity{Format: resource.DecimalSI},
+													corev1.ResourceMemory: resource.Quantity{Format: resource.BinarySI},
+												},
+											},
+											SecurityContext: &corev1.SecurityContext{
+												RunAsNonRoot: ptr.Bool(true),
+												RunAsUser:    ptr.Int64(65532),
+											},
+										}},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 		}}
 
 	for _, tc := range tests {

pkg/reconciler/eventlistener/eventlistener_test.go

@@ -928,8 +928,8 @@ func TestReconcile(t *testing.T) {
 	})
 
 	deploymentMissingSecurityContext := makeDeployment(func(d *appsv1.Deployment) {
-		d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{}
-		d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{}
+		d.Spec.Template.Spec.SecurityContext = nil
+		d.Spec.Template.Spec.Containers[0].SecurityContext = nil
 	})
 
 	deploymentWithSecurityContext := makeDeployment(func(d *appsv1.Deployment) {

pkg/reconciler/eventlistener/resources/container.go

@@ -50,9 +50,16 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA
 
 	ev := configAcc.ToEnvVars()
 
-	containerSecurityContext := corev1.SecurityContext{}
-	if *c.SetSecurityContext {
-		containerSecurityContext = corev1.SecurityContext{
+	var containerSecurityContext *corev1.SecurityContext
+	if el.Spec.Resources.KubernetesResource != nil {
+		if len(el.Spec.Resources.KubernetesResource.Template.Spec.Containers) != 0 {
+			if *c.SetSecurityContext {
+				containerSecurityContext = el.Spec.Resources.KubernetesResource.Template.Spec.Containers[0].SecurityContext
+			}
+		}
+	}
+	if *c.SetSecurityContext && containerSecurityContext == nil {
+		containerSecurityContext = &corev1.SecurityContext{
 			AllowPrivilegeEscalation: ptr.Bool(false),
 			Capabilities: &corev1.Capabilities{
 				Drop: []corev1.Capability{"ALL"},
@@ -111,7 +118,7 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA
 			Name:  "K_SINK_TIMEOUT",
 			Value: strconv.FormatInt(*c.TimeOutHandler, 10),
 		}}...),
-		SecurityContext: &containerSecurityContext,
+		SecurityContext: containerSecurityContext,
 	}
 
 	for _, opt := range opts {

pkg/reconciler/eventlistener/resources/container_test.go

@@ -28,6 +28,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	reconcilersource "knative.dev/eventing/pkg/reconciler/source"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/ptr"
 )
 
@@ -486,6 +487,73 @@ func TestContainer(t *testing.T) {
 				},
 			},
 		},
+	}, {
+		name: "passing securityContext from EL",
+		el: makeEL(func(el *v1beta1.EventListener) {
+			el.Spec.Resources.KubernetesResource = &v1beta1.KubernetesResource{
+				WithPodSpec: duckv1.WithPodSpec{
+					Template: duckv1.PodSpecable{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{
+								SecurityContext: &corev1.SecurityContext{
+									RunAsNonRoot: ptr.Bool(true),
+								},
+							}},
+						},
+					},
+				},
+			}
+			el.Annotations = map[string]string{
+				triggers.PayloadValidationAnnotation: "false",
+			}
+		}),
+		want: corev1.Container{
+			Name:  "event-listener",
+			Image: DefaultImage,
+			Ports: []corev1.ContainerPort{{
+				ContainerPort: int32(eventListenerContainerPort),
+				Protocol:      corev1.ProtocolTCP,
+			}},
+			Args: []string{
+				"--el-name=" + eventListenerName,
+				"--el-namespace=" + namespace,
+				"--port=" + strconv.Itoa(eventListenerContainerPort),
+				"--readtimeout=" + strconv.FormatInt(DefaultReadTimeout, 10),
+				"--writetimeout=" + strconv.FormatInt(DefaultWriteTimeout, 10),
+				"--idletimeout=" + strconv.FormatInt(DefaultIdleTimeout, 10),
+				"--timeouthandler=" + strconv.FormatInt(DefaultTimeOutHandler, 10),
+				"--httpclient-readtimeout=" + strconv.FormatInt(DefaultHTTPClientReadTimeOut, 10),
+				"--httpclient-keep-alive=" + strconv.FormatInt(DefaultHTTPClientKeepAlive, 10),
+				"--httpclient-tlshandshaketimeout=" + strconv.FormatInt(DefaultHTTPClientTLSHandshakeTimeout, 10),
+				"--httpclient-responseheadertimeout=" + strconv.FormatInt(DefaultHTTPClientResponseHeaderTimeout, 10),
+				"--httpclient-expectcontinuetimeout=" + strconv.FormatInt(DefaultHTTPClientExpectContinueTimeout, 10),
+				"--is-multi-ns=" + strconv.FormatBool(false),
+				"--payload-validation=" + strconv.FormatBool(false),
+				"--cloudevent-uri=",
+			},
+			Env: []corev1.EnvVar{{
+				Name: "K_LOGGING_CONFIG",
+			}, {
+				Name: "K_METRICS_CONFIG",
+			}, {
+				Name: "K_TRACING_CONFIG",
+			}, {
+				Name:  "NAMESPACE",
+				Value: namespace,
+			}, {
+				Name:  "NAME",
+				Value: eventListenerName,
+			}, {
+				Name:  "EL_EVENT",
+				Value: "disable",
+			}, {
+				Name:  "K_SINK_TIMEOUT",
+				Value: strconv.FormatInt(DefaultTimeOutHandler, 10),
+			}},
+			SecurityContext: &corev1.SecurityContext{
+				RunAsNonRoot: ptr.Bool(true),
+			},
+		},
 	}}
 
 	for _, tt := range tests {

pkg/reconciler/eventlistener/resources/deployment.go

@@ -37,15 +37,15 @@ const (
 )
 
 var (
-	baseSecurityPolicy = corev1.PodSecurityContext{
+	baseSecurityPolicy = &corev1.PodSecurityContext{
 		RunAsNonRoot: ptr.Bool(true),
 		SeccompProfile: &corev1.SeccompProfile{
 			Type: corev1.SeccompProfileTypeRuntimeDefault,
 		},
 	}
 )
 
-func getStrongerSecurityPolicy(cfg *config.Config) corev1.PodSecurityContext {
+func getStrongerSecurityPolicy(cfg *config.Config) *corev1.PodSecurityContext {
 	securityContext := baseSecurityPolicy
 	if !cfg.Defaults.IsDefaultRunAsUserEmpty {
 		securityContext.RunAsUser = ptr.Int64(cfg.Defaults.DefaultRunAsUser)
@@ -97,6 +97,7 @@ func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc re
 		}
 	}
 
+	var securityContext *corev1.PodSecurityContext
 	if el.Spec.Resources.KubernetesResource != nil {
 		if el.Spec.Resources.KubernetesResource.Replicas != nil {
 			replicas = el.Spec.Resources.KubernetesResource.Replicas
@@ -121,10 +122,12 @@ func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc re
 		}
 		annotations = el.Spec.Resources.KubernetesResource.Template.Annotations
 		podlabels = kmeta.UnionMaps(podlabels, el.Spec.Resources.KubernetesResource.Template.Labels)
+		if *c.SetSecurityContext {
+			securityContext = el.Spec.Resources.KubernetesResource.Template.Spec.SecurityContext
+		}
 	}
 
-	var securityContext corev1.PodSecurityContext
-	if *c.SetSecurityContext {
+	if *c.SetSecurityContext && securityContext == nil {
 		securityContext = getStrongerSecurityPolicy(cfg)
 	}
 
@@ -147,7 +150,7 @@ func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc re
 					ServiceAccountName:        serviceAccountName,
 					Containers:                []corev1.Container{container},
 					Volumes:                   vol,
-					SecurityContext:           &securityContext,
+					SecurityContext:           securityContext,
 					Affinity:                  affinity,
 					TopologySpreadConstraints: topologySpreadConstraints,
 				},
@@ -176,7 +179,6 @@ func addDeploymentBits(el *v1beta1.EventListener, c Config) (ContainerOption, er
 				container.StartupProbe = el.Spec.Resources.KubernetesResource.Template.Spec.Containers[0].StartupProbe
 			}
 		}
-
 		container.Ports = append(container.Ports, corev1.ContainerPort{
 			ContainerPort: int32(metricsPort),
 			Protocol:      corev1.ProtocolTCP,