🔥 Apply carried patches.

.ko.yaml

@@ -1,2 +1,2 @@
 # Use :nonroot base image for all containers
-defaultBaseImage: gcr.io/distroless/static:nonroot
+defaultBaseImage: registry.access.redhat.com/ubi8/ubi-minimal:latest

config/brokers/mt-channel-broker/deployments/broker-filter.yaml

@@ -100,8 +100,6 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault
 
 ---
 

config/brokers/mt-channel-broker/deployments/broker-ingress.yaml

@@ -100,8 +100,6 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault
 
 ---
 

config/brokers/mt-channel-broker/deployments/controller.yaml

@@ -79,8 +79,6 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault
 
         ports:
         - name: metrics

config/channels/in-memory-channel/deployments/controller.yaml

@@ -77,8 +77,6 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault
 
         ports:
         - name: metrics

config/channels/in-memory-channel/deployments/dispatcher.yaml

@@ -97,5 +97,3 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault

config/core/configmaps/sugar.yaml

@@ -23,33 +23,13 @@ metadata:
   annotations:
     knative.dev/example-checksum: "62dfac6f"
 data:
-  _example: |
-    ################################
-    #                              #
-    #    EXAMPLE CONFIGURATION     #
-    #                              #
-    ################################
-    # This block is not actually functional configuration,
-    # but serves to illustrate the available configuration
-    # options and document them in a way that is accessible
-    # to users that `kubectl edit` this config map.
-    #
-    # These sample configuration options may be copied out of
-    # this example block and unindented to be in the data block
-    # to actually change the configuration.
-
-    # namespace-selector specifies a LabelSelector which
-    # determines which namespaces the Sugar Controller should operate upon
-    # Use an empty value to disable the feature (this is the default):
-    namespace-selector: ""
-
-    # Use an empty object as a string to enable for all namespaces
-    namespace-selector: "{}"
-
-    # trigger-selector specifies a LabelSelector which
-    # determines which triggers the Sugar Controller should operate upon
-    # Use an empty value to disable the feature (this is the default):
-    trigger-selector: ""
-
-    # Use an empty object as string to enable for all triggers
-    trigger-selector: "{}"
+  namespace-selector: |
+    matchExpressions:
+    - key: "eventing.knative.dev/injection"
+      operator: "In"
+      values: ["enabled"]
+  trigger-selector: |
+    matchExpressions:
+    - key: "eventing.knative.dev/injection"
+      operator: "In"
+      values: ["enabled"]

config/core/deployments/controller.yaml

@@ -95,8 +95,6 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault
 
         livenessProbe:
           httpGet:

config/core/deployments/pingsource-mt-adapter.yaml

@@ -97,7 +97,5 @@ spec:
             capabilities:
               drop:
               - ALL
-            seccompProfile:
-              type: RuntimeDefault
 
       serviceAccountName: pingsource-mt-adapter

config/core/deployments/webhook-hpa.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: autoscaling/v2
+apiVersion: autoscaling/v2beta2
 kind: HorizontalPodAutoscaler
 metadata:
   name: eventing-webhook
@@ -47,7 +47,7 @@ metadata:
     app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-eventing
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: eventing-webhook

config/core/deployments/webhook.yaml

@@ -86,7 +86,7 @@ spec:
           # will NOT be considered by the sinkbinding webhook.
           # The default is `exclusion`.
         - name: SINK_BINDING_SELECTION_MODE
-          value: "exclusion"
+          value: "inclusion"
         - name: POD_NAME
           valueFrom:
             fieldRef:
@@ -99,8 +99,6 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault
 
         ports:
         - name: https-webhook

config/openshift-serverless-view-eventing-configmaps.yaml

@@ -0,0 +1,41 @@
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: knative-eventing
+  name: openshift-serverless-view-eventing-configmaps
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openshift-serverless-view-eventing-configmaps
+  namespace: knative-eventing
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-serverless-view-eventing-configmaps

config/openshift-trusted-cabundle.yaml

@@ -0,0 +1,23 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-openshift-trusted-cabundle
+  namespace: knative-eventing
+  labels:
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+    config.openshift.io/inject-trusted-cabundle: "true"

config/post-install/storage-version-migrator.yaml

@@ -60,5 +60,3 @@ spec:
             capabilities:
               drop:
               - ALL
-            seccompProfile:
-              type: RuntimeDefault

config/tools/appender/appender.yaml

@@ -34,5 +34,3 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault

config/tools/event-display/event-display.yaml

@@ -31,5 +31,3 @@ spec:
           capabilities:
             drop:
             - ALL
-          seccompProfile:
-            type: RuntimeDefault

config/tools/heartbeats/heartbeats.yaml

@@ -34,8 +34,6 @@ spec:
             capabilities:
               drop:
               - ALL
-            seccompProfile:
-              type: RuntimeDefault
 
   sink:
     ref:

config/tools/recordevents/recordevents.yaml

@@ -44,5 +44,3 @@ spec:
         capabilities:
           drop:
           - ALL
-        seccompProfile:
-          type: RuntimeDefault

config/tools/websocket-source/websocket-source.yaml

@@ -30,8 +30,6 @@ spec:
             capabilities:
               drop:
               - ALL
-            seccompProfile:
-              type: RuntimeDefault
 
   sink:
     ref:

openshift/ci-operator/build-image/Dockerfile

@@ -0,0 +1,28 @@
+# DO NOT EDIT! Generated Dockerfile.
+
+# Dockerfile to bootstrap build and test in openshift-ci
+FROM registry.ci.openshift.org/openshift/release:golang-1.19 as builder
+
+RUN echo "[kubernetes]" >> /etc/yum.repos.d/kubernetes.repo && \
+    echo "name=Kubernetes" >> /etc/yum.repos.d/kubernetes.repo && \
+    echo "baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64" >> /etc/yum.repos.d/kubernetes.repo && \
+    echo "enabled=1" >> /etc/yum.repos.d/kubernetes.repo && \
+    echo "gpgcheck=1" >> /etc/yum.repos.d/kubernetes.repo && \
+    echo "repo_gpgcheck=0" >> /etc/yum.repos.d/kubernetes.repo && \
+    echo "gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg" >> /etc/yum.repos.d/kubernetes.repo
+
+RUN yum install -y kubectl httpd-tools
+
+RUN wget https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
+    chmod 700 ./get-helm-3
+
+RUN ./get-helm-3 --version v3.11.3 --no-sudo && helm version
+
+RUN GOFLAGS='' go install github.com/mikefarah/yq/v3@latest
+
+# go install creates $GOPATH/.cache with root permissions, we delete it here
+# to avoid permission issues with the runtime users
+RUN rm -rf $GOPATH/.cache
+
+# Allow runtime users to add entries to /etc/passwd
+RUN chmod g+rw /etc/passwd

openshift/ci-operator/knative-images/apiserver_receive_adapter/Dockerfile

@@ -0,0 +1,20 @@
+# DO NOT EDIT! Generated Dockerfile for cmd/apiserver_receive_adapter.
+FROM registry.ci.openshift.org/openshift/release:golang-1.19 as builder
+
+COPY . .
+
+RUN mkdir -p /var/run/ko && \
+    mkdir -p cmd/apiserver_receive_adapter/kodata && \
+    go build -o /usr/bin/main ./cmd/apiserver_receive_adapter && \
+    cp -r cmd/apiserver_receive_adapter/kodata /var/run/ko
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+# install the missing zoneinfo to ubi-minimal
+RUN microdnf install tzdata
+
+USER 65532
+
+COPY --from=builder /usr/bin/main /usr/bin/main
+COPY --from=builder /var/run/ko /var/run/ko
+ENTRYPOINT ["/usr/bin/main"]

openshift/ci-operator/knative-images/appender/Dockerfile

@@ -0,0 +1,20 @@
+# DO NOT EDIT! Generated Dockerfile for cmd/appender.
+FROM registry.ci.openshift.org/openshift/release:golang-1.19 as builder
+
+COPY . .
+
+RUN mkdir -p /var/run/ko && \
+    mkdir -p cmd/appender/kodata && \
+    go build -o /usr/bin/main ./cmd/appender && \
+    cp -r cmd/appender/kodata /var/run/ko
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+# install the missing zoneinfo to ubi-minimal
+RUN microdnf install tzdata
+
+USER 65532
+
+COPY --from=builder /usr/bin/main /usr/bin/main
+COPY --from=builder /var/run/ko /var/run/ko
+ENTRYPOINT ["/usr/bin/main"]

openshift/ci-operator/knative-images/channel_controller/Dockerfile

@@ -0,0 +1,20 @@
+# DO NOT EDIT! Generated Dockerfile for cmd/in_memory/channel_controller.
+FROM registry.ci.openshift.org/openshift/release:golang-1.19 as builder
+
+COPY . .
+
+RUN mkdir -p /var/run/ko && \
+    mkdir -p cmd/in_memory/channel_controller/kodata && \
+    go build -o /usr/bin/main ./cmd/in_memory/channel_controller && \
+    cp -r cmd/in_memory/channel_controller/kodata /var/run/ko
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+# install the missing zoneinfo to ubi-minimal
+RUN microdnf install tzdata
+
+USER 65532
+
+COPY --from=builder /usr/bin/main /usr/bin/main
+COPY --from=builder /var/run/ko /var/run/ko
+ENTRYPOINT ["/usr/bin/main"]

openshift/ci-operator/knative-images/channel_dispatcher/Dockerfile

@@ -0,0 +1,20 @@
+# DO NOT EDIT! Generated Dockerfile for cmd/in_memory/channel_dispatcher.
+FROM registry.ci.openshift.org/openshift/release:golang-1.19 as builder
+
+COPY . .
+
+RUN mkdir -p /var/run/ko && \
+    mkdir -p cmd/in_memory/channel_dispatcher/kodata && \
+    go build -o /usr/bin/main ./cmd/in_memory/channel_dispatcher && \
+    cp -r cmd/in_memory/channel_dispatcher/kodata /var/run/ko
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+# install the missing zoneinfo to ubi-minimal
+RUN microdnf install tzdata
+
+USER 65532
+
+COPY --from=builder /usr/bin/main /usr/bin/main
+COPY --from=builder /var/run/ko /var/run/ko
+ENTRYPOINT ["/usr/bin/main"]

openshift/ci-operator/knative-images/controller/Dockerfile

@@ -0,0 +1,20 @@
+# DO NOT EDIT! Generated Dockerfile for cmd/controller.
+FROM registry.ci.openshift.org/openshift/release:golang-1.19 as builder
+
+COPY . .
+
+RUN mkdir -p /var/run/ko && \
+    mkdir -p cmd/controller/kodata && \
+    go build -o /usr/bin/main ./cmd/controller && \
+    cp -r cmd/controller/kodata /var/run/ko
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+
+# install the missing zoneinfo to ubi-minimal
+RUN microdnf install tzdata
+
+USER 65532
+
+COPY --from=builder /usr/bin/main /usr/bin/main
+COPY --from=builder /var/run/ko /var/run/ko
+ENTRYPOINT ["/usr/bin/main"]