In a freshly created OCP Cluster from TechZone, I installed the CloudNative Toolkit as described in the documentation and after creating my first project and running the pipeline, the pipelinerun fails on step build, because this step needs privileged securityContext for the pipeline ServiceAccount.
Tasks Completed: 4 (Failed: 1, Cancelled 0), Skipped: 7
failed to create task run pod "cayo-test-3a8kex-build-nft8g": pods "cayo-test-3a8kex-build-nft8g-pod-l75v2" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider "sealed-secrets-sealed-secrets-anyuid": Forbidden: not usable by user or serviceaccount, provider "tools-artifactory-artifactory-anyuid": Forbidden: not usable by user or serviceaccount, provider "tools-sonarqube-anyuid": Forbidden: not usable by user or serviceaccount, provider "ibm-restricted-scc": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-scc": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostpath-scc": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostaccess-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "cntk-ocp-userspaces-daemonset-privileged": Forbidden: not usable by user or serviceaccount, provider "ibm-privileged-scc": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "tools-artifactory-artifactory-privileged": Forbidden: not usable by user or serviceaccount, provider "tools-sonarqube-privileged": Forbidden: not usable by user or serviceaccount]. Maybe missing or invalid Task cayo-test/ibm-build-tag-push-v2-7-7
As a solution, the following had to be executed:
I would expect the Toolkit creates this privileged policy itself, since it also creates the subscription to the Pipelines Operators.
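Added example (not part of the original report or of the Toolkit): a small parser for the admission error quoted above. It separates the SCCs that are simply not granted to the ServiceAccount from the pod field that no usable SCC permits, so it is clear which container and setting is asking for elevated rights before any SCC is granted. The sample message is abbreviated from the one in the report; the function name and result keys are assumptions made for this example.

```python
import re

# Abbreviated from the error in the report above (provider list shortened).
SAMPLE = (
    'pods "cayo-test-3a8kex-build-nft8g-pod-l75v2" is forbidden: unable to validate '
    'against any security context constraint: [provider "anyuid": Forbidden: not usable '
    'by user or serviceaccount, spec.containers[1].securityContext.privileged: Invalid '
    'value: true: Privileged containers are not allowed, provider "privileged": '
    'Forbidden: not usable by user or serviceaccount]. Maybe missing or invalid Task '
    'cayo-test/ibm-build-tag-push-v2-7-7'
)

# Greedy match up to the last "]" so "containers[1]" inside the list is kept.
LIST_RE = re.compile(r'security context constraint: \[(.*)\]', re.S)
PROVIDER_RE = re.compile(r'provider "([^"]+)": Forbidden: (.+)')
FIELD_RE = re.compile(r'(spec\.[^:\s]+): Invalid value: (.+?): (.+)')
NOT_GRANTED = "not usable by user or serviceaccount"


def parse_scc_denial(message):
    """Split an SCC admission denial into ungranted SCCs and rejected pod fields."""
    m = LIST_RE.search(message)
    if m is None:
        raise ValueError("not an SCC validation error")
    result = {"not_granted": [], "field_violations": [], "other": []}
    # Split only where a new entry starts, since reasons may contain commas.
    for entry in re.split(r', (?=provider "|spec\.)', m.group(1)):
        provider = PROVIDER_RE.fullmatch(entry)
        field = FIELD_RE.fullmatch(entry)
        if provider and provider.group(2) == NOT_GRANTED:
            result["not_granted"].append(provider.group(1))
        elif field:
            result["field_violations"].append(field.groups())
        else:
            result["other"].append(entry)
    return result


if __name__ == "__main__":
    report = parse_scc_denial(SAMPLE)
    for path, value, reason in report["field_violations"]:
        print(f"rejected field: {path} = {value} ({reason})")
    print("SCCs not granted to this ServiceAccount:", ", ".join(report["not_granted"]))
```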