Do not propagate managed-by annotation to Pods

Let's make sure we are not propagating `app.kubernetes.io/managed-by`
annotation to Pods. Doing it can lead to weird behavior, for example
with applied with Helm, or if some admission controller is looking for
pipeline's Pods and do not get it if the `TaskRun` or `PipelineRun`
was created with an `app.kubernetes.io/managed-by`.

Signed-off-by: Vincent Demeester <[email protected]>

Author: vdemeester

pkg/pod/pod.go

@@ -33,6 +33,7 @@ import (
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/internal/computeresources/tasklevel"
 	"github.com/tektoncd/pipeline/pkg/names"
+	tknreconciler "github.com/tektoncd/pipeline/pkg/reconciler"
 	"github.com/tektoncd/pipeline/pkg/spire"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -41,6 +42,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/utils/strings/slices"
 	"knative.dev/pkg/changeset"
+	"knative.dev/pkg/kmap"
 	"knative.dev/pkg/kmeta"
 )
 
@@ -159,6 +161,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 	enableKeepPodOnCancel := featureFlags.EnableKeepPodOnCancel
 	setSecurityContext := config.FromContextOrDefaults(ctx).FeatureFlags.SetSecurityContext
 	setSecurityContextReadOnlyRootFilesystem := config.FromContextOrDefaults(ctx).FeatureFlags.SetSecurityContextReadOnlyRootFilesystem
+	defaultManagedByLabelValue := config.FromContextOrDefaults(ctx).Defaults.DefaultManagedByLabelValue
 
 	// Add our implicit volumes first, so they can be overridden by the user if they prefer.
 	volumes = append(volumes, implicitVolumes...)
@@ -459,7 +462,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 		priorityClassName = *podTemplate.PriorityClassName
 	}
 
-	podAnnotations := kmeta.CopyMap(taskRun.Annotations)
+	podAnnotations := kmap.ExcludeKeys(kmeta.CopyMap(taskRun.Annotations), tknreconciler.KubernetesManagedByAnnotationKey)
 	podAnnotations[ReleaseAnnotation] = changeset.Get()
 
 	if readyImmediately {
@@ -491,7 +494,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 				*metav1.NewControllerRef(taskRun, groupVersionKind),
 			},
 			Annotations: podAnnotations,
-			Labels:      makeLabels(taskRun),
+			Labels:      makeLabels(taskRun, defaultManagedByLabelValue),
 		},
 		Spec: corev1.PodSpec{
 			RestartPolicy:                corev1.RestartPolicyNever,
@@ -529,7 +532,7 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1.TaskRun, taskSpec v1.Ta
 }
 
 // makeLabels constructs the labels we will propagate from TaskRuns to Pods.
-func makeLabels(s *v1.TaskRun) map[string]string {
+func makeLabels(s *v1.TaskRun, defaultManagedByLabelValue string) map[string]string {
 	labels := make(map[string]string, len(s.ObjectMeta.Labels)+1)
 	// NB: Set this *before* passing through TaskRun labels. If the TaskRun
 	// has a managed-by label, it should override this default.
@@ -543,6 +546,8 @@ func makeLabels(s *v1.TaskRun) map[string]string {
 	// specifies this label, it should be overridden by this value.
 	labels[pipeline.TaskRunLabelKey] = s.Name
 	labels[pipeline.TaskRunUIDLabelKey] = string(s.UID)
+	// Enforce app.kubernetes.io/managed-by to be the value configured
+	labels[tknreconciler.KubernetesManagedByAnnotationKey] = defaultManagedByLabelValue
 	return labels
 }
 

pkg/pod/pod_test.go

@@ -30,6 +30,7 @@ import (
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/pod"
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
+	tknreconciler "github.com/tektoncd/pipeline/pkg/reconciler"
 	"github.com/tektoncd/pipeline/pkg/spire"
 	"github.com/tektoncd/pipeline/test/diff"
 	"github.com/tektoncd/pipeline/test/names"
@@ -2621,6 +2622,7 @@ _EOF_
 			} else {
 				trAnnotations = c.trAnnotation
 				trAnnotations[ReleaseAnnotation] = fakeVersion
+
 			}
 			testTaskRunName := taskRunName
 			if c.trName != "" {
@@ -3256,6 +3258,7 @@ func TestMakeLabels(t *testing.T) {
 		"foo":                       "bar",
 		"hello":                     "world",
 		pipeline.TaskRunUIDLabelKey: string(taskRunUID),
+		tknreconciler.KubernetesManagedByAnnotationKey: "foo",
 	}
 	got := makeLabels(&v1.TaskRun{
 		ObjectMeta: metav1.ObjectMeta{
@@ -3266,7 +3269,7 @@ func TestMakeLabels(t *testing.T) {
 				"hello": "world",
 			},
 		},
-	})
+	}, "foo")
 	if d := cmp.Diff(want, got); d != "" {
 		t.Errorf("Diff labels %s", diff.PrintWantGot(d))
 	}

pkg/reconciler/constant.go

@@ -19,4 +19,7 @@ package reconciler
 const (
 	// KubectlLastAppliedAnnotationKey is the key used by kubectl to store its last applied configuration (using kubectl apply)
 	KubectlLastAppliedAnnotationKey = "kubectl.kubernetes.io/last-applied-configuration"
+
+	// KubernetesLastAppliedAnnotationKey is the key used by tools to tell who is managing an object
+	KubernetesManagedByAnnotationKey = "app.kubernetes.io/managed-by"
 )