
Propagate securityContext to Affinity Assistant #3020

Closed
gosharplite opened this issue Jul 28, 2020 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@gosharplite

Expected Behavior

The Affinity Assistant pod should work in a cluster with a PSP setting.

Actual Behavior

The Affinity Assistant pod won't start since it is trying to run as root.

Steps to Reproduce the Problem

  1. Set up a cluster with a restricted PSP.
  2. Start a PipelineRun with a PV/PVC.
  3. The Affinity Assistant pod won't start.

Additional Info

  • Kubernetes version:

    Output of kubectl version:

    Client Version: v1.16.6
    Server Version: v1.17.4
    
  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

    Client version: 0.11.0
    Pipeline version: v0.14.0
    Triggers version: v0.6.0
    

In a cluster with PSP enforcement, the Affinity Assistant pod will not start unless there is a way to set its securityContext.

The PipelineRun YAML below used to work; if the securityContext section could be propagated to the Affinity Assistant, it should just work.

I can't find a way to set the securityContext of the Affinity Assistant; the workaround seems to be to use disable-affinity-assistant.

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: kpt-fn-porting
spec:
  serviceAccountName: porting
  pipelineRef:
    name: kpt-fn-porting
  workspaces:
  - name: shared-workspace
    persistentVolumeClaim:
      claimName: tekton-porting
  podTemplate:
    nodeSelector:
      cloudnative.com/district: hk-able
    securityContext:
      runAsNonRoot: true
      runAsUser: 1001
gosharplite added the kind/bug label on Jul 28, 2020
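The failure in this report comes down to the kubelet's runAsNonRoot check, and the fix the issue asks for is simply propagating the PipelineRun's podTemplate.securityContext onto the Affinity Assistant pod. The Go program below is an added example written for this page, not Tekton's or Kubernetes' code: it re-implements the kubelet's check as I recall it (the SecurityContext/Container/Pod types and the merge, PodAdmitted, ApplyPodTemplate and PSPDefaulted functions are all constructs of this example) and runs it, with no cluster needed, over constructed pods: a task pod that received the podTemplate, and the assistant pod with and without propagation.

```go
package main

import (
	"fmt"
	"strconv"
)

// SecurityContext holds the two fields the runAsNonRoot check uses; nil means unset.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// Container carries its own securityContext and the image-config USER ("" if the Dockerfile sets none).
type Container struct {
	Name      string
	ImageUser string
	SC        *SecurityContext
}

// Pod is pod.spec.securityContext plus its containers.
type Pod struct {
	SC         *SecurityContext
	Containers []Container
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// merge returns a copy of dst with every unset field filled from src; the same
// rule gives "container field beats pod field" and "podTemplate fills the pod".
func merge(dst, src *SecurityContext) SecurityContext {
	var out SecurityContext
	if dst != nil {
		out = *dst
	}
	if src != nil {
		if out.RunAsNonRoot == nil {
			out.RunAsNonRoot = src.RunAsNonRoot
		}
		if out.RunAsUser == nil {
			out.RunAsUser = src.RunAsUser
		}
	}
	return out
}

// PodAdmitted re-implements (from memory, not copied) the kubelet's pre-start
// runAsNonRoot check per container: once non-root is demanded, an explicit non-zero
// runAsUser or a numeric non-zero image USER must prove it; an unset USER means uid 0.
func PodAdmitted(pod *Pod) error {
	for i := range pod.Containers {
		c := &pod.Containers[i]
		eff := merge(c.SC, pod.SC)
		if eff.RunAsNonRoot == nil || !*eff.RunAsNonRoot {
			continue
		}
		if eff.RunAsUser != nil {
			if *eff.RunAsUser == 0 {
				return fmt.Errorf("%s: runAsUser 0 breaks non-root policy", c.Name)
			}
			continue
		}
		uid, err := strconv.ParseInt(c.ImageUser, 10, 64)
		switch {
		case c.ImageUser != "" && err != nil:
			return fmt.Errorf("%s: image has non-numeric user %q, cannot verify user is non-root", c.Name, c.ImageUser)
		case c.ImageUser == "" || uid == 0:
			return fmt.Errorf("%s: container has runAsNonRoot and image will run as root", c.Name)
		}
	}
	return nil
}

// ApplyPodTemplate is the propagation the issue asks for: fill the pod's unset
// securityContext fields from the PipelineRun podTemplate.securityContext.
func ApplyPodTemplate(pod *Pod, tmpl *SecurityContext) {
	sc := merge(pod.SC, tmpl)
	pod.SC = &sc
}

// PSPDefaulted models a restricted PSP (rule MustRunAsNonRoot) that sets
// runAsNonRoot=true on the pod but supplies no uid. Constructed sample data.
func PSPDefaulted(name, imageUser string) *Pod {
	return &Pod{SC: &SecurityContext{RunAsNonRoot: boolPtr(true)},
		Containers: []Container{{Name: name, ImageUser: imageUser}}}
}

func main() {
	// podTemplate.securityContext from the PipelineRun in the issue.
	tmpl := &SecurityContext{RunAsNonRoot: boolPtr(true), RunAsUser: int64Ptr(1001)}

	task := PSPDefaulted("kpt-fn-porting-pod", "") // Tekton applies the podTemplate here
	ApplyPodTemplate(task, tmpl)
	fmt.Println("task pod:", PodAdmitted(task))

	aa := PSPDefaulted("affinity-assistant", "") // nginx image: no USER in its config
	fmt.Println("affinity assistant, no propagation:", PodAdmitted(aa))
	ApplyPodTemplate(aa, tmpl)
	fmt.Println("affinity assistant, propagated:", PodAdmitted(aa))
}
```

The task pod passes because runAsUser: 1001 proves non-root. The assistant pod fails with the same "image will run as root" message as the events quoted later in the thread, because the PSP only adds runAsNonRoot: true and the nginx image config carries no USER; merging the podTemplate onto it makes it pass. Two caveats the check makes visible: a container-level securityContext field overrides the pod-level one, so a runAsUser: 0 on a container still fails even with the template applied; and an image USER given by name (USER nginx) is rejected with "cannot verify user is non-root", so numeric USERs in Dockerfiles are the portable choice. PodSecurityPolicy itself was removed in Kubernetes 1.25, but the kubelet check the example models is what Pod Security Admission's restricted profile relies on as well.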
@gosharplite
Author

Even with disable-affinity-assistant set to true, the affinity assistant pod still appears and blocks the pipelinerun.

$ kubectl describe pod/affinity-assistant-5bcba4959e-0
Events:
  Type     Reason                  Age              From                           Message
  ----     ------                  ----             ----                           -------
  Normal   Scheduled               <unknown>        default-scheduler              Successfully assigned tekton-sandbox/affinity-assistant-5bcba4959e-0 to hk-cn-worker-node-03
  Normal   SuccessfulAttachVolume  17s              attachdetach-controller        AttachVolume.Attach succeeded for volume "pvc-4da5fcd2-b609-46bc-94ca-28e2f0727107"
  Normal   Pulled                  0s (x3 over 2s)  kubelet, hk-cn-worker-node-03  Container image "nginx@sha256:c870bf53de0357813af37b9500cb1c2ff9fb4c00120d5fe1d75c21591293c34d" already present on machine
  Warning  Failed                  0s (x3 over 2s)  kubelet, hk-cn-worker-node-03  Error: container has runAsNonRoot and image will run as root
$ kubectl get -o yaml cm feature-flags
apiVersion: v1
data:
  disable-affinity-assistant: "true"
  disable-home-env-overwrite: "false"
  disable-working-directory-overwrite: "false"
  running-in-environment-with-injected-sidecars: "true"
kind: ConfigMap
metadata:
  name: feature-flags
  namespace: tekton-pipelines

@gosharplite
Author

The latest pipeline release is in use now.

$ tkn version
Client version: 0.11.0
Pipeline version: v0.14.2
Triggers version: v0.6.0

@jlpettersson
Member

> Even with disable-affinity-assistant set to true, the affinity assistant pod still appears and blocks the pipelinerun.
>
> $ kubectl describe pod/affinity-assistant-5bcba4959e-0
> Events:
>   Type     Reason                  Age              From                           Message
>   ----     ------                  ----             ----                           -------
>   Normal   Scheduled               <unknown>        default-scheduler              Successfully assigned tekton-sandbox/affinity-assistant-5bcba4959e-0 to hk-cn-worker-node-03
>   Normal   SuccessfulAttachVolume  17s              attachdetach-controller        AttachVolume.Attach succeeded for volume "pvc-4da5fcd2-b609-46bc-94ca-28e2f0727107"
>   Normal   Pulled                  0s (x3 over 2s)  kubelet, hk-cn-worker-node-03  Container image "nginx@sha256:c870bf53de0357813af37b9500cb1c2ff9fb4c00120d5fe1d75c21591293c34d" already present on machine
>   Warning  Failed                  0s (x3 over 2s)  kubelet, hk-cn-worker-node-03  Error: container has runAsNonRoot and image will run as root
> $ kubectl get -o yaml cm feature-flags
> apiVersion: v1
> data:
>   disable-affinity-assistant: "true"
>   disable-home-env-overwrite: "false"
>   disable-working-directory-overwrite: "false"
>   running-in-environment-with-injected-sidecars: "true"
> kind: ConfigMap
> metadata:
>   name: feature-flags
>   namespace: tekton-pipelines

Yes, there is a bug in 0.14.0, 0.14.1 and 0.14.2 with the handling of the ConfigMap for those feature flags, as noted in #2979. There will be a 0.14.3 soon that fixes that problem.

@gosharplite
Author

Thank you!
I missed #2979.

@gosharplite
Author

Using the latest release and disabling the Affinity Assistant, the pipelinerun is working again.

$ tkn version
Client version: 0.11.0
Pipeline version: v0.14.3
Triggers version: v0.6.1
$ tkn pipelinerun list
NAME             STARTED         DURATION   STATUS
kpt-fn-porting   4 minutes ago   1 minute   Succeeded

@gosharplite
Author

Please consider the scenario with PSP enforcement.

Closing this issue and thank you!
