tektoncd · dicarlo2 · Apr 4, 2019
diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -51,6 +51,9 @@ following fields:
   - [`affinity`] - The pod's scheduling constraints. More info:
 
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common
+    container settings. Defaults to empty. See type description for default
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields

diff --git a/docs/taskruns.md b/docs/taskruns.md
@@ -60,6 +60,9 @@ following fields:
     <https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/>
   - [`affinity`] - the pod's scheduling constraints. More info:
     <https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature>
+  - [`securityContext`] - holds pod-level security attributes and common 
+    container settings. Defaults to empty. See type description for default 
+    values of each field.
 
 [kubernetes-overview]:
   https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields

diff --git a/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go b/pkg/apis/pipeline/v1alpha1/pipelinerun_types.go
@@ -68,6 +68,10 @@ type PipelineRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // PipelineRunSpecStatus defines the pipelinerun spec status the user can provide

diff --git a/pkg/apis/pipeline/v1alpha1/taskrun_types.go b/pkg/apis/pipeline/v1alpha1/taskrun_types.go
@@ -64,6 +64,10 @@ type TaskRunSpec struct {
 	// If specified, the pod's scheduling constraints
 	// +optional
 	Affinity *corev1.Affinity `json:"affinity,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // TaskRunSpecStatus defines the taskrun spec status the user can provide

diff --git a/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pipeline/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go b/pkg/reconciler/v1alpha1/pipelinerun/pipelinerun.go
@@ -481,11 +481,12 @@ func (c *Reconciler) createTaskRun(logger *zap.SugaredLogger, rprt *resources.Re
 			Inputs: v1alpha1.TaskRunInputs{
 				Params: rprt.PipelineTask.Params,
 			},
-			ServiceAccount: pr.Spec.ServiceAccount,
-			Timeout:        taskRunTimeout,
-			NodeSelector:   pr.Spec.NodeSelector,
-			Tolerations:    pr.Spec.Tolerations,
-			Affinity:       pr.Spec.Affinity,
+			ServiceAccount:  pr.Spec.ServiceAccount,
+			Timeout:         taskRunTimeout,
+			NodeSelector:    pr.Spec.NodeSelector,
+			Tolerations:     pr.Spec.Tolerations,
+			Affinity:        pr.Spec.Affinity,
+			SecurityContext: pr.Spec.SecurityContext,
 		}}
 
 	resources.WrapSteps(&tr.Spec, rprt.PipelineTask, rprt.ResolvedTaskResources.Inputs, rprt.ResolvedTaskResources.Outputs, storageBasePath)

diff --git a/pkg/reconciler/v1alpha1/taskrun/resources/pod.go b/pkg/reconciler/v1alpha1/taskrun/resources/pod.go
@@ -341,6 +341,7 @@ func MakePod(taskRun *v1alpha1.TaskRun, taskSpec v1alpha1.TaskSpec, kubeclient k
 			NodeSelector:       taskRun.Spec.NodeSelector,
 			Tolerations:        taskRun.Spec.Tolerations,
 			Affinity:           taskRun.Spec.Affinity,
+			SecurityContext:    taskRun.Spec.SecurityContext,
 		},
 	}, nil
 }

diff --git a/test/builder/pipeline.go b/test/builder/pipeline.go
@@ -338,6 +338,13 @@ func PipelineRunAffinity(affinity *corev1.Affinity) PipelineRunSpecOp {
 	}
 }
 
+// PipelineRunSecurityContext sets the securityContext to the PipelineSpec.
+func PipelineRunSecurityContext(securityContext *corev1.PodSecurityContext) PipelineRunSpecOp {
+	return func(prs *v1alpha1.PipelineRunSpec) {
+		prs.SecurityContext = securityContext
+	}
+}
+
 // PipelineRunStatus sets the PipelineRunStatus to the PipelineRun.
 // Any number of PipelineRunStatus modifier can be passed to transform it.
 func PipelineRunStatus(ops ...PipelineRunStatusOp) PipelineRunOp {

diff --git a/test/builder/task.go b/test/builder/task.go
@@ -355,6 +355,13 @@ func TaskRunAffinity(affinity *corev1.Affinity) TaskRunSpecOp {
 	}
 }
 
+// TaskRunSecurityContext sets the SecurityContext to the PipelineSpec.
+func TaskRunSecurityContext(securityContext *corev1.PodSecurityContext) TaskRunSpecOp {
+	return func(spec *v1alpha1.TaskRunSpec) {
+		spec.SecurityContext = securityContext
+	}
+}
+
 // StateTerminated set Terminated to the StepState.
 func StateTerminated(exitcode int) StepStateOp {
 	return func(s *v1alpha1.StepState) {