eldeployment: remove securityContext.runAsUser

[zhouhaibing089]

The setting on securityContext.runAsUser is redundant. The container
runtime determines which user to run based on image config and thus uses
65532 by default.

Furthermore, some kubernetes distributions randomizes runAsUser id
according to their security policies(for e.g, openshift enables per
application uid range), and when that happens, the uid can be set to
something else.

$ crane config gcr.io/distroless/static:nonroot | jq .
{
  "architecture": "amd64",
  "author": "Bazel",
  "created": "1970-01-01T00:00:00Z",
  "history": [
    {
      "author": "Bazel",
      "created": "1970-01-01T00:00:00Z",
      "created_by": "bazel build ..."
    }
  ],
  "os": "linux",
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:07363fa8421000ad294c2881d17b0535aabdd17ced2a874eb354a9d8514d3d59"
    ]
  },
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
    ],
    "User": "65532",
    "WorkingDir": "/home/nonroot"
  }
}

See config.User on its default configuration.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices
• Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

NONE

[tekton-robot]

Hi @zhouhaibing089. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[savitaashture]

/ok-to-test

[zhouhaibing089]

/retest

[dibyom]

/cc @khrm

[vdemeester]

Furthermore, some kubernetes distributions randomizes runAsUser id
according to their security policies(for e.g, openshift enables per
application uid range), and when that happens, the uid can be set to
something else.

Indeed. Because of this, we do patch this on release on OpenShift. Removing this would remove one of our patch 🙃 . I think it predates distroless images using that user.
(Note that we should do the same on tektoncd/pipeline and maybe tektoncd/operator)

[gabemontero]

Furthermore, some kubernetes distributions randomizes runAsUser id
according to their security policies(for e.g, openshift enables per
application uid range), and when that happens, the uid can be set to
something else.

Indeed. Because of this, we do patch this on release on OpenShift. Removing this would remove one of our patch upside_down_face . I think it predates distroless images using that user.
(Note that we should do the same on tektoncd/pipeline and maybe tektoncd/operator)

Yep I mentioned consistency with the other repos in the slack conversation around this that occurred (last week I believe)

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: savitaashture

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [savitaashture]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[khrm]

/lgtm