Add PodSecurityPolicy access to webhook's clusterrole

Scott · tekton-robot · commit 14a69fc895fd · 2020-05-12T17:18:03.000-04:00
Deploying pipelines 0.12.0 into a cluster with pod security policy
enabled will result in the webhook deployment entering a failed state.
This happens because the webhook does not have the rights to use
pod security policies. In prior versions of Tekton the webhook
shared its clusterrole with the controller, and was granted much
broader permissions. Since 0.12.0 the permissions given to the
controller and webhook have been split. In splitting the permissions
the controller continued to received the PSP "use" permission but
the webhook did not; an oversight.

This commit adds the "use" verb for pod security policies to the
webhook clusterrole.
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -90,3 +90,7 @@ rules:
     # When there are changes to the configs or secrets, knative updates the validatingwebhook config
     # with the updated certificates or the refreshed set of rules.
     verbs: ["get", "update"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-pipelines"]
+    verbs: ["use"]
