fix securitycontext

kubealex · kubealex · commit eb93d53742c1 · 2025-05-29T09:36:29.000+02:00
diff --git a/task-bootc-image-builder.yml b/task-bootc-image-builder.yml
@@ -130,9 +130,6 @@ spec:
 
       securityContext:
         privileged: true
-        capabilities:
-          add:
-            - SETFCAP
       volumeMounts:
         - mountPath: /var/lib/containers
           name: varlibcontainers
diff --git a/task-image-build.yml b/task-image-build.yml
@@ -95,9 +95,6 @@ spec:
         done
 
       securityContext:
-        capabilities:
-          add:
-            - SETFCAP
         privileged: true
       volumeMounts:
         - mountPath: /var/lib/containers
diff --git a/task-image-sign.yml b/task-image-sign.yml
@@ -66,9 +66,6 @@ spec:
         done
 
       securityContext:
-        capabilities:
-          add:
-            - SETFCAP
         privileged: true
       workingDir: $(workspaces.main-workspace.path)
       env:
diff --git a/task-kubevirt-image.yml b/task-kubevirt-image.yml
@@ -16,11 +16,7 @@ spec:
         ADD --chown=107:107 ./output/qcow2/disk.qcow2 /disk/
         EOF
       securityContext:
-        capabilities:
-          add:
-            - SETFCAP
         privileged: true
       workingDir: $(workspaces.main-workspace.path)
   workspaces:
     - name: main-workspace
-
diff --git a/trigger-template-bootc-image-builder.yml b/trigger-template-bootc-image-builder.yml
@@ -39,13 +39,22 @@ spec:
             value: true
           - name: LOGICALLY_BOUND_IMAGES
             value: quay.io/kubealex/tailwind-pos:latest
-        taskRunTemplate:
-          podTemplate:
-            securityContext:
-              runAsNonRoot: false
-              runAsUser: 0
-              fsGroup: 65532
-          serviceAccountName: default
+        podTemplate:
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+        taskRunSpecs:
+          - pipelineTaskName: git-clone
+            podTemplate:
+              securityContext:
+                fsGroup: 65532
+        # taskRunTemplate:
+        #   podTemplate:
+        #     securityContext:
+        #       runAsNonRoot: false
+        #       runAsUser: 0
+        #       fsGroup: 65532
+        #   serviceAccountName: default
         workspaces:
           - name: main-workspace
             volumeClaimTemplate:
