tektoncd / dashboard

A dashboard for Tekton!
Apache License 2.0

Admission Controller refuses PipelineRun created using Tekton Dashboard #3285

Closed ottlngr closed 9 months ago

ottlngr commented 9 months ago

Expected behavior

A PipelineRun created by using Tekton Dashboard is not rejected by the admission controller when selecting a service account for the PipelineRun.

Actual behaviour

When creating a PipelineRun using Tekton Dashboard for an existing Pipeline, selecting a service account leads the admission controller to reject the PipelineRun with error:

Error creating PipelineRun

{ "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "admission webhook \"webhook.pipeline.tekton.dev\" denied the request: mutation failed: cannot decode incoming new object: json: unknown field \"serviceAccountName\"", "reason": "BadRequest", "code": 400 } (error code 400)

Steps to reproduce the bug

  1. Go to /pipelineruns/create and select the Pipeline and the namespace (different from tekton-pipelines) it resides in
  2. Select a service account for the PipelineRun from the list at Optional values > Service Account
  3. Create the Pipeline


AlanGreene commented 9 months ago

Thanks for reporting this @ottlngr, it does indeed look like a bug.

> I think this is kind of an RBAC problem, but not sure how to tackle it sustainably

It's not related to RBAC. Instead it's due to differences between the v1beta1 and v1 versions for the PipelineRun resource. See https://tekton.dev/docs/pipelines/pipelineruns/#mapping-serviceaccount-credentials-to-tasks

In v1beta1 the ServiceAccount name is set on spec.serviceAccountName, but in v1 it's spec.taskRunTemplate.serviceAccountName.

The code for import resources already takes this into account but the create PipelineRun does not and will need to be updated to check the version being used.
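The field mapping described in the comment above, as an added example that is not part of the thread and not the Dashboard's own code. The helper names `buildPipelineRun` and `misplacedServiceAccountFields`, and the sample values, are hypothetical.

```javascript
// Added example: helper names are hypothetical, not the Dashboard's code.
const V1 = 'tekton.dev/v1';
const V1BETA1 = 'tekton.dev/v1beta1';

// Build a PipelineRun with the ServiceAccount in the field that the
// requested API version expects.
function buildPipelineRun({ apiVersion, namespace, pipelineName, serviceAccount }) {
  if (apiVersion !== V1 && apiVersion !== V1BETA1) {
    throw new Error(`unsupported apiVersion: ${apiVersion}`);
  }
  const spec = { pipelineRef: { name: pipelineName } };
  if (serviceAccount) {
    if (apiVersion === V1) {
      // v1: spec.taskRunTemplate.serviceAccountName
      spec.taskRunTemplate = { serviceAccountName: serviceAccount };
    } else {
      // v1beta1: spec.serviceAccountName
      spec.serviceAccountName = serviceAccount;
    }
  }
  return {
    apiVersion,
    kind: 'PipelineRun',
    metadata: { generateName: `${pipelineName}-run-`, namespace },
    spec,
  };
}

// Pre-submit check: list ServiceAccount fields that do not belong to the
// declared version, so the mismatch is caught before the webhook rejects it.
function misplacedServiceAccountFields(run) {
  const spec = run.spec || {};
  const problems = [];
  if (run.apiVersion === V1 && 'serviceAccountName' in spec) {
    problems.push('spec.serviceAccountName');
  }
  const template = spec.taskRunTemplate;
  if (run.apiVersion === V1BETA1 && template && 'serviceAccountName' in template) {
    problems.push('spec.taskRunTemplate.serviceAccountName');
  }
  return problems;
}

// Constructed sample: a v1 object carrying the v1beta1 field, the shape
// that produces the "unknown field" rejection reported in this issue.
const rejectedShape = {
  apiVersion: V1,
  kind: 'PipelineRun',
  spec: { pipelineRef: { name: 'demo' }, serviceAccountName: 'build-bot' },
};
```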

AlanGreene commented 9 months ago

I've fixed this locally and will get a PR open by end of day. I'll aim to do a patch release early next week. Thanks again for reporting the issue.

AlanGreene commented 9 months ago

@ottlngr In the meantime you can work around the problem by switching the Dashboard back to use the v1beta1 APIs. You can find the toggle for this on the settings page, "Use Tekton Pipelines API version v1"; turning this off reverts to v1beta1 where applicable.

AlanGreene commented 9 months ago

This is fixed in Dashboard v0.43.1 LTS, and nightly release v20240205-376e6c2046 or later. This version is included in Operator nightly release v20240208-66069b9d82 or later, and should be included in the next Operator release (v0.70).