fix(manifests): Update manifests to make it work on both k8s and open…

…shift (#1239)

* refactor manifests to separate k8s and openshift deployment

* update install readme

* fix lint

guides/kfp_tekton_install.md

@@ -26,7 +26,7 @@ A Kubernetes cluster `v1.23` that has least 8 vCPU and 16 GB memory.
 
    Depending on your situation, you can choose between the two approaches to set up the pipeline engine on Openshift:
    1. Using [OpenShift Pipelines](https://docs.openshift.com/container-platform/4.12/cicd/pipelines/installing-pipelines.html) (built on Tekton), follow the [Standalone Kubeflow Pipelines with Openshift Pipelines Backend Deployment](#standalone-kubeflow-pipelines-with-openshift-pipelines-backend-deployment)
-   2. Using [Tekton on Openshift](https://github.com/tektoncd/pipeline/blob/v0.44.2/docs/install.md#installing-tekton-pipelines-on-openshift), follow the [Standalone Kubeflow Pipelines with Tekton Backend Deployment](#standalone-kubeflow-pipelines-with-tekton-backend-deployment) to install the Kubeflow Pipeline Stack.
+   2. Using [Tekton on Openshift](https://github.com/tektoncd/pipeline/blob/v0.44.2/docs/install.md#installing-tekton-pipelines-on-openshift), follow the [Standalone Kubeflow Pipelines with Tekton Backend Deployment](#standalone-kubeflow-pipelines-with-tekton-backend-deployment) to install the Kubeflow Pipeline Stack. Note the current Tekton Open Source deployment for [Openshift doesn't work out of the box](https://github.com/tektoncd/pipeline/issues/3452), so we strongly recommend to deploy with Opneshift Pipelines (see above) if you want to run Kubeflow Pipelines on Openshift.
 
 ### Other Cloud Providers or On-Prem Kubernetes Deployment
 
@@ -83,7 +83,8 @@ To install the standalone Kubeflow Pipelines with Tekton, run the following step
 
 7. (OpenShift only) If you are running the standalone KFP-Tekton on OpenShift, apply the necessary security context constraint below
    ```shell
-   oc apply -k manifests/kustomize/third-party/openshift/standalone
+   curl -L https://raw.githubusercontent.com/kubeflow/kfp-tekton/master/install/v1.7.0/kfp-tekton.yaml | yq 'del(.spec.template.spec.containers[].securityContext.runAsUser, .spec.template.spec.containers[].securityContext.runAsGroup)' | oc apply -f -
+   oc apply -k https://github.com/kubeflow/kfp-tekton//manifests/kustomize/third-party/openshift/standalone
    oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller
    oc adm policy add-scc-to-user anyuid -z tekton-pipelines-webhook
    ```

install/v1.6.5/kfp-tekton.yaml

@@ -3107,7 +3107,9 @@ spec:
           capabilities:
             drop:
             - ALL
+          runAsGroup: 65532
           runAsNonRoot: true
+          runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
       serviceAccountName: tekton-pipelineloop-controller
@@ -3179,7 +3181,9 @@ spec:
           capabilities:
             drop:
             - ALL
+          runAsGroup: 65532
           runAsNonRoot: true
+          runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
       serviceAccountName: tekton-pipelineloop-webhook

install/v1.6.6/kfp-tekton.yaml

@@ -3107,7 +3107,9 @@ spec:
           capabilities:
             drop:
             - ALL
+          runAsGroup: 65532
           runAsNonRoot: true
+          runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
       serviceAccountName: tekton-pipelineloop-controller
@@ -3179,7 +3181,9 @@ spec:
           capabilities:
             drop:
             - ALL
+          runAsGroup: 65532
           runAsNonRoot: true
+          runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
       serviceAccountName: tekton-pipelineloop-webhook

manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml

@@ -5,3 +5,17 @@ resources:
   - ../tekton-custom-task
 
 namespace: openshift-pipelines
+
+patches:
+- path: pipelineloop-controller-patch.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: tekton-pipelineloop-controller
+    version: v1
+- path: pipelineloop-webhook-patch.yaml
+  target:
+    group: apps
+    kind: Deployment
+    name: tekton-pipelineloop-webhook
+    version: v1

manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-controller-patch.yaml

@@ -0,0 +1,4 @@
+- op: remove
+  path: /spec/template/spec/containers/0/securityContext/runAsGroup
+- op: remove
+  path: /spec/template/spec/containers/0/securityContext/runAsUser

manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-webhook-patch.yaml

@@ -0,0 +1,4 @@
+- op: remove
+  path: /spec/template/spec/containers/0/securityContext/runAsGroup
+- op: remove
+  path: /spec/template/spec/containers/0/securityContext/runAsUser

manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml

@@ -59,6 +59,8 @@ spec:
           capabilities:
             drop:
             - ALL
+          runAsGroup: 65532
           runAsNonRoot: true
+          runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault

manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml

@@ -69,7 +69,9 @@ spec:
           capabilities:
             drop:
             - ALL
+          runAsGroup: 65532
           runAsNonRoot: true
+          runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
 ---