tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

Task mutated to include runAsUser fails to copy credentials #4264

Closed mlbiam closed 2 years ago

mlbiam commented 2 years ago

Expected Behavior

We are using GateKeeper to enforce pod security policies in a KinD cluster (1.21.1). A mutating webhook adds runAsUser, runAsGroup, and fsUser to all containers and initContainers if one isn't present. When our Pipeline launches we expect everything to run.

Actual Behavior

Our pipelines show:

$ tkn pipelinerun logs build-hello-pipeline-run -n python-hello-build
Pipeline still running ...
task generate-image-tag has failed: "step-git-source-git-resource-5s5r8" exited with code 1 (image: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:39b53980b255ef8af80086ac702f5b113d32f60cc4c8876b096ba37fc5912c81"); for logs run: kubectl -n python-hello-build logs build-hello-pipeline-run-generate-image-tag-4r659-pod-kq5dv -c step-git-source-git-resource-5s5r8

[generate-image-tag : create-dir-result-image-njhbx] 2021/09/28 18:48:27 warning: unsuccessful cred copy: ".ssh" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.ssh: permission denied

Steps to Reproduce the Problem

  1. Deploy GateKeeper
  2. Deploy mutations (https://github.com/PacktPublishing/Kubernetes---An-Enterprise-Guide-2E/blob/main/chapter9/default_mutations.yaml)
  3. Create and run a pipeline

Additional Info

Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2", GitCommit:"8b5a19147530eaac9476b0ab82980b4088bbc1b2", GitTreeState:"clean", BuildDate:"2021-09-15T21:38:50Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-21T23:01:33Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
Client version: 0.20.0
Pipeline version: v0.28.0
Triggers version: v0.16.0

Here's the complete Pod listing:

kubectl get pods -n python-hello-build -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    annotations:
      cni.projectcalico.org/podIP: 10.240.189.136/32
      cni.projectcalico.org/podIPs: 10.240.189.136/32
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"tekton.dev/v1beta1","kind":"Task","metadata":{"annotations":{},"name":"generate-image-tag","namespace":"python-hello-build"},"spec":{"resources":{"inputs":[{"name":"git-resource","type":"git"}],"outputs":[{"name":"result-image","type":"image"}]},"results":[{"description":"the image url including the tag with the current timestamp","name":"image-url"},{"description":"the tag associated with the latest commit","name":"commit-tag"}],"steps":[{"env":[{"name":"HOME","value":"/usr/local/gituser"}],"image":"docker.apps.192-168-2-119.nip.io/gitcommit/gitcommit","name":"create-image-tag","script":"#!/usr/bin/env bash\necho \"home dir '$HOME'\"\nexport IMAGE_TAG=$(date +\"%m%d%Y%H%M%S\")\necho -n \"$(resources.outputs.result-image.url):$IMAGE_TAG\" \u003e /tekton/results/image-url\necho \"'$(cat /tekton/results/image-url)'\"\n\ncd $(resources.inputs.git-resource.path)\nRESULT_SHA=\"$(git rev-parse HEAD | tr -d '\\n')\"\necho \"Last commit : $RESULT_SHA\"\necho -n \"$RESULT_SHA\" \u003e /tekton/results/commit-tag","securityContext":{"runAsGroup":0,"runAsUser":431}}]}}
      pipeline.tekton.dev/release: adaae90
      tekton.dev/ready: READY
    creationTimestamp: "2021-09-28T18:28:04Z"
    labels:
      app.kubernetes.io/managed-by: tekton-pipelines
      tekton.dev/memberOf: tasks
      tekton.dev/pipeline: build-hello-pipeline
      tekton.dev/pipelineRun: build-hello-pipeline-run
      tekton.dev/pipelineTask: generate-image-tag
      tekton.dev/task: generate-image-tag
      tekton.dev/taskRun: build-hello-pipeline-run-generate-image-tag-wqwbv
    name: build-hello-pipeline-run-generate-image-tag-wqwbv-pod-2jb69
    namespace: python-hello-build
    ownerReferences:
    - apiVersion: tekton.dev/v1beta1
      blockOwnerDeletion: true
      controller: true
      kind: TaskRun
      name: build-hello-pipeline-run-generate-image-tag-wqwbv
      uid: 98d57d47-72c2-4f3a-8871-abd2102b2eb3
    resourceVersion: "260605"
    uid: a8cad165-edb2-4774-b165-540278e8065d
  spec:
    activeDeadlineSeconds: 5400
    containers:
    - args:
      - -wait_file
      - /tekton/downward/ready
      - -wait_file_content
      - -post_file
      - /tekton/tools/0
      - -termination_path
      - /tekton/termination
      - -step_metadata_dir
      - /tekton/steps/step-create-dir-result-image-hhfts
      - -step_metadata_dir_link
      - /tekton/steps/0
      - -ssh-git=git-pull=gitlab-gitlab-shell.gitlab.svc.cluster.local
      - -results
      - image-url,commit-tag
      - -entrypoint
      - mkdir
      - --
      - -p
      - /workspace/output/result-image
      command:
      - /tekton/tools/entrypoint
      image: gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4
      imagePullPolicy: IfNotPresent
      name: step-create-dir-result-image-hhfts
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      terminationMessagePath: /tekton/termination
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /tekton/tools
        name: tekton-internal-tools
      - mountPath: /tekton/downward
        name: tekton-internal-downward
      - mountPath: /tekton/creds
        name: tekton-creds-init-home-0
      - mountPath: /workspace
        name: tekton-internal-workspace
      - mountPath: /tekton/home
        name: tekton-internal-home
      - mountPath: /tekton/results
        name: tekton-internal-results
      - mountPath: /tekton/steps
        name: tekton-internal-steps
      - mountPath: /tekton/creds-secrets/git-pull
        name: tekton-internal-secret-volume-git-pull-mplv4
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-s9tk5
        readOnly: true
    - args:
      - -wait_file
      - /tekton/tools/0
      - -post_file
      - /tekton/tools/1
      - -termination_path
      - /tekton/termination
      - -step_metadata_dir
      - /tekton/steps/step-git-source-git-resource-mqq84
      - -step_metadata_dir_link
      - /tekton/steps/1
      - -ssh-git=git-pull=gitlab-gitlab-shell.gitlab.svc.cluster.local
      - -results
      - image-url,commit-tag
      - -entrypoint
      - /ko-app/git-init
      - --
      - -url
      - git@gitlab-gitlab-shell.gitlab.svc.cluster.local:root/hello-python.git
      - -path
      - /workspace/git-resource
      - -revision
      - master
      command:
      - /tekton/tools/entrypoint
      env:
      - name: TEKTON_RESOURCE_NAME
        value: git-resource
      - name: HOME
        value: /tekton/home
      image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.28.0@sha256:39b53980b255ef8af80086ac702f5b113d32f60cc4c8876b096ba37fc5912c81
      imagePullPolicy: IfNotPresent
      name: step-git-source-git-resource-mqq84
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      terminationMessagePath: /tekton/termination
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /tekton/tools
        name: tekton-internal-tools
      - mountPath: /tekton/creds
        name: tekton-creds-init-home-1
      - mountPath: /workspace
        name: tekton-internal-workspace
      - mountPath: /tekton/home
        name: tekton-internal-home
      - mountPath: /tekton/results
        name: tekton-internal-results
      - mountPath: /tekton/steps
        name: tekton-internal-steps
      - mountPath: /tekton/creds-secrets/git-pull
        name: tekton-internal-secret-volume-git-pull-mplv4
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-s9tk5
        readOnly: true
      workingDir: /workspace
    - args:
      - -wait_file
      - /tekton/tools/1
      - -post_file
      - /tekton/tools/2
      - -termination_path
      - /tekton/termination
      - -step_metadata_dir
      - /tekton/steps/step-create-image-tag
      - -step_metadata_dir_link
      - /tekton/steps/2
      - -ssh-git=git-pull=gitlab-gitlab-shell.gitlab.svc.cluster.local
      - -results
      - image-url,commit-tag
      - -entrypoint
      - /tekton/scripts/script-2-dt9pq
      - --
      command:
      - /tekton/tools/entrypoint
      env:
      - name: HOME
        value: /usr/local/gituser
      image: docker.apps.192-168-2-119.nip.io/gitcommit/gitcommit
      imagePullPolicy: Always
      name: step-create-image-tag
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        runAsGroup: 0
        runAsNonRoot: true
        runAsUser: 431
      terminationMessagePath: /tekton/termination
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /tekton/scripts
        name: tekton-internal-scripts
        readOnly: true
      - mountPath: /tekton/tools
        name: tekton-internal-tools
      - mountPath: /tekton/creds
        name: tekton-creds-init-home-2
      - mountPath: /workspace
        name: tekton-internal-workspace
      - mountPath: /tekton/home
        name: tekton-internal-home
      - mountPath: /tekton/results
        name: tekton-internal-results
      - mountPath: /tekton/steps
        name: tekton-internal-steps
      - mountPath: /tekton/creds-secrets/git-pull
        name: tekton-internal-secret-volume-git-pull-mplv4
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-s9tk5
        readOnly: true
    - args:
      - -wait_file
      - /tekton/tools/2
      - -post_file
      - /tekton/tools/3
      - -termination_path
      - /tekton/termination
      - -step_metadata_dir
      - /tekton/steps/step-image-digest-exporter-84475
      - -step_metadata_dir_link
      - /tekton/steps/3
      - -ssh-git=git-pull=gitlab-gitlab-shell.gitlab.svc.cluster.local
      - -results
      - image-url,commit-tag
      - -entrypoint
      - /ko-app/imagedigestexporter
      - --
      - -images
      - '[{"name":"result-image","type":"image","url":"docker.apps.192-168-2-119.nip.io/python-hello-build/hello-world-service","digest":"","OutputImageDir":"/workspace/output/result-image"}]'
      command:
      - /tekton/tools/entrypoint
      image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.28.0@sha256:2aa8bc18e7d947c44b18be9b74241d508026c0d2b224577212cedb5a2347ad6f
      imagePullPolicy: IfNotPresent
      name: step-image-digest-exporter-84475
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      terminationMessagePath: /tekton/termination
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /tekton/tools
        name: tekton-internal-tools
      - mountPath: /tekton/creds
        name: tekton-creds-init-home-3
      - mountPath: /workspace
        name: tekton-internal-workspace
      - mountPath: /tekton/home
        name: tekton-internal-home
      - mountPath: /tekton/results
        name: tekton-internal-results
      - mountPath: /tekton/steps
        name: tekton-internal-steps
      - mountPath: /tekton/creds-secrets/git-pull
        name: tekton-internal-secret-volume-git-pull-mplv4
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-s9tk5
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    initContainers:
    - command:
      - /ko-app/entrypoint
      - cp
      - /ko-app/entrypoint
      - /tekton/tools/entrypoint
      image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.28.0@sha256:61013ff4268fbf1046d623d3eab2bcb072e776202d86cb95ad7238a8c45c5420
      imagePullPolicy: IfNotPresent
      name: place-tools
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /tekton/tools
        name: tekton-internal-tools
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-s9tk5
        readOnly: true
      workingDir: /
    - args:
      - -c
      - |
        scriptfile="/tekton/scripts/script-2-dt9pq"
        touch ${scriptfile} && chmod +x ${scriptfile}
        cat > ${scriptfile} << '_EOF_'
        ...
        _EOF_
        /tekton/tools/entrypoint decode-script "${scriptfile}"
      command:
      - sh
      image: gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4
      imagePullPolicy: IfNotPresent
      name: place-scripts
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /tekton/scripts
        name: tekton-internal-scripts
      - mountPath: /tekton/tools
        name: tekton-internal-tools
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-s9tk5
        readOnly: true
    nodeName: cluster01-worker
    preemptionPolicy: PreemptLowerPriority
    priority: 0
    restartPolicy: Never
    schedulerName: default-scheduler
    securityContext:
      fsGroup: 3000
      supplementalGroups:
      - 3000
    serviceAccount: tekton-build
    serviceAccountName: tekton-build
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    volumes:
    - emptyDir: {}
      name: tekton-internal-workspace
    - emptyDir: {}
      name: tekton-internal-home
    - emptyDir: {}
      name: tekton-internal-results
    - emptyDir: {}
      name: tekton-internal-steps
    - name: tekton-internal-secret-volume-git-pull-mplv4
      secret:
        defaultMode: 420
        secretName: git-pull
    - emptyDir: {}
      name: tekton-internal-scripts
    - emptyDir: {}
      name: tekton-internal-tools
    - downwardAPI:
        defaultMode: 420
        items:
        - fieldRef:
            apiVersion: v1
            fieldPath: metadata.annotations['tekton.dev/ready']
          path: ready
      name: tekton-internal-downward
    - emptyDir:
        medium: Memory
      name: tekton-creds-init-home-0
    - emptyDir:
        medium: Memory
      name: tekton-creds-init-home-1
    - emptyDir:
        medium: Memory
      name: tekton-creds-init-home-2
    - emptyDir:
        medium: Memory
      name: tekton-creds-init-home-3
    - name: kube-api-access-s9tk5
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
              path: namespace
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2021-09-28T18:28:09Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2021-09-28T18:28:15Z"
      message: 'containers with unready status: [step-create-dir-result-image-hhfts
        step-git-source-git-resource-mqq84 step-create-image-tag step-image-digest-exporter-84475]'
      reason: ContainersNotReady
      status: "False"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2021-09-28T18:28:15Z"
      message: 'containers with unready status: [step-create-dir-result-image-hhfts
        step-git-source-git-resource-mqq84 step-create-image-tag step-image-digest-exporter-84475]'
      reason: ContainersNotReady
      status: "False"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2021-09-28T18:28:04Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: containerd://ff73411c703655f096559b857bbf9a5ac98982f9a9d6b43c5f878092bf5c9510
      image: sha256:ac2afeee8f96767b2362a686e98503c9e1d1d24375be9896a0109b80e9cab631
      imageID: gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4
      lastState: {}
      name: step-create-dir-result-image-hhfts
      ready: false
      restartCount: 0
      started: false
      state:
        terminated:
          containerID: containerd://ff73411c703655f096559b857bbf9a5ac98982f9a9d6b43c5f878092bf5c9510
          exitCode: 0
          finishedAt: "2021-09-28T18:28:14Z"
          message: '[{"key":"StartedAt","value":"2021-09-28T18:28:14.232Z","type":3}]'
          reason: Completed
          startedAt: "2021-09-28T18:28:10Z"
    - containerID: containerd://999a2c6c89d009d0f5e6a2a1bcd72c9f1bdeea1ce8d0edb4ea0ae8bcc4bd6223
      image: docker.apps.192-168-2-119.nip.io/gitcommit/gitcommit:latest
      imageID: docker.apps.192-168-2-119.nip.io/gitcommit/gitcommit@sha256:a5aab5ca70e76f5d7fb38928c6e390e74d6e3357655d00f1351db9fa0177ccbc
      lastState: {}
      name: step-create-image-tag
      ready: false
      restartCount: 0
      started: false
      state:
        terminated:
          containerID: containerd://999a2c6c89d009d0f5e6a2a1bcd72c9f1bdeea1ce8d0edb4ea0ae8bcc4bd6223
          exitCode: 1
          finishedAt: "2021-09-28T18:28:15Z"
          message: '[{"key":"StartedAt","value":"2021-09-28T18:28:15.615Z","type":3}]'
          reason: Error
          startedAt: "2021-09-28T18:28:11Z"
    - containerID: containerd://6e43dd579418cd035de663a6b5f4baf8cd1bbad462cec756f2cb6b936d8f75de
      image: sha256:1ea9b34701e2cf32347078a87152d0bd22f4fa372a5f794cfa4381e9215742c7
      imageID: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:39b53980b255ef8af80086ac702f5b113d32f60cc4c8876b096ba37fc5912c81
      lastState: {}
      name: step-git-source-git-resource-mqq84
      ready: false
      restartCount: 0
      started: false
      state:
        terminated:
          containerID: containerd://6e43dd579418cd035de663a6b5f4baf8cd1bbad462cec756f2cb6b936d8f75de
          exitCode: 1
          finishedAt: "2021-09-28T18:28:15Z"
          message: '[{"key":"StartedAt","value":"2021-09-28T18:28:14.828Z","type":3}]'
          reason: Error
          startedAt: "2021-09-28T18:28:10Z"
    - containerID: containerd://e98e00fe8270850e83b0c6714d57d0593d073ffa9c749af3a958a1dba8be78c5
      image: sha256:d5e3d8cad1922763e96315610bebaf8e7d396a1d7b9c15ca4e5519380a5201d9
      imageID: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter@sha256:2aa8bc18e7d947c44b18be9b74241d508026c0d2b224577212cedb5a2347ad6f
      lastState: {}
      name: step-image-digest-exporter-84475
      ready: false
      restartCount: 0
      started: false
      state:
        terminated:
          containerID: containerd://e98e00fe8270850e83b0c6714d57d0593d073ffa9c749af3a958a1dba8be78c5
          exitCode: 1
          finishedAt: "2021-09-28T18:28:16Z"
          message: '[{"key":"StartedAt","value":"2021-09-28T18:28:16.250Z","type":3}]'
          reason: Error
          startedAt: "2021-09-28T18:28:12Z"
    hostIP: 172.18.0.2
    initContainerStatuses:
    - containerID: containerd://96578334713f43f0dfe0b47ad1818a65c752e68401993f658c05f38f57791e2c
      image: sha256:6344f0cd702b1389db8323328b23f05c79a93ff4247ac02658614ac47c4d6180
      imageID: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint@sha256:61013ff4268fbf1046d623d3eab2bcb072e776202d86cb95ad7238a8c45c5420
      lastState: {}
      name: place-tools
      ready: true
      restartCount: 0
      state:
        terminated:
          containerID: containerd://96578334713f43f0dfe0b47ad1818a65c752e68401993f658c05f38f57791e2c
          exitCode: 0
          finishedAt: "2021-09-28T18:28:07Z"
          reason: Completed
          startedAt: "2021-09-28T18:28:06Z"
    - containerID: containerd://49a4006690f35af7d7ca41e8e0de7e7a906abbf25e45e9c2e0ec7127cfe7e045
      image: sha256:ac2afeee8f96767b2362a686e98503c9e1d1d24375be9896a0109b80e9cab631
      imageID: gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4
      lastState: {}
      name: place-scripts
      ready: true
      restartCount: 0
      state:
        terminated:
          containerID: containerd://49a4006690f35af7d7ca41e8e0de7e7a906abbf25e45e9c2e0ec7127cfe7e045
          exitCode: 0
          finishedAt: "2021-09-28T18:28:09Z"
          reason: Completed
          startedAt: "2021-09-28T18:28:09Z"
    phase: Failed
    podIP: 10.240.189.136
    podIPs:
    - ip: 10.240.189.136
    qosClass: BestEffort
    startTime: "2021-09-28T18:28:04Z"
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

vdemeester commented 2 years ago

@mlbiam thanks for the issue. Are there any more logs? The message is a warning and shouldn't prevent the rest of the step from executing. The rest of the step(s) might fail for a valid reason linked to it (most likely because the credentials are not found, …) but it could be worked around, I think (by mounting the secret instead of relying on the annotated secret).

mlbiam commented 2 years ago

@vdemeester You're right. The task runs but fails because it can't talk to the remote git repository. Here are the logs:

$ tkn pipelinerun logs build-hello-pipeline-run -n python-hello-build
task generate-image-tag has failed: "step-git-source-git-resource-5s5r8" exited with code 1 (image: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init@sha256:39b53980b255ef8af80086ac702f5b113d32f60cc4c8876b096ba37fc5912c81"); for logs run: kubectl -n python-hello-build logs build-hello-pipeline-run-generate-image-tag-4r659-pod-kq5dv -c step-git-source-git-resource-5s5r8

[generate-image-tag : create-dir-result-image-njhbx] 2021/09/28 18:48:27 warning: unsuccessful cred copy: ".ssh" from "/tekton/creds" to "/": unable to create destination directory: mkdir /.ssh: permission denied

[generate-image-tag : git-source-git-resource-5s5r8] {"level":"error","ts":1632854913.79133,"caller":"git/git.go:54","msg":"Error running git [fetch --recurse-submodules=yes --depth=1 origin --update-head-ok --force master]: exit status 128\nNo user exists for uid 1000\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:54\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:149\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:53\nruntime.main\n\truntime/proc.go:225"}
[generate-image-tag : git-source-git-resource-5s5r8] {"level":"fatal","ts":1632854913.7915208,"caller":"git-init/main.go:54","msg":"Error fetching git repository: failed to fetch [master]: exit status 128","stacktrace":"main.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:54\nruntime.main\n\truntime/proc.go:225"}

failed to get logs for task generate-image-tag : container step-git-source-git-resource-5s5r8 has failed  : [{"key":"StartedAt","value":"2021-09-28T18:48:33.686Z","type":3}]
Tasks Completed: 1 (Failed: 1, Cancelled 0), Skipped: 2

Here's the Task: https://github.com/PacktPublishing/Kubernetes---An-Enterprise-Guide-2E/blob/main/chapter14/example-apps/tekton/tekton-task1.yaml

Manually mounting the Secret was my next thought. I wasn't sure if there was another way to go. I figured this is similar to how OpenShift runs (injecting random runAsUser) so maybe there was a way around this warning I was missing.

mlbiam commented 2 years ago

My workaround for now was to disable gatekeeper in namespaces that run pipelines. Looking at the Pod objects being generated, it looks like they're running with supplemental group id, but no user id or group id.

I checked out the Dockerfile for the git-init and checkout images, and they add user and group 65532, but they stay as root. I tried changing my mutation to assign 65532 as the default runAsUser/runAsGroup and no longer got the unsuccessful cred copy error, but the git checkout fails:

{"level":"error","ts":1633090656.5643337,"caller":"git/git.go:54","msg":"Error running git [fetch --recurse-submodules=yes --depth=1 origin --update-head-ok --force main]: exit status 128\nWarning: Permanently added 'gitlab-gitlab-shell.gitlab.svc.cluster.local,10.100.8.4' (ECDSA) to the list of known hosts.\r\ngit@gitlab-gitlab-shell.gitlab.svc.cluster.local: Permission denied (publickey,keyboard-interactive).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n","stacktrace":"github.com/tektoncd/pipeline/pkg/git.run\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:54\ngithub.com/tektoncd/pipeline/pkg/git.Fetch\n\tgithub.com/tektoncd/pipeline/pkg/git/git.go:149\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:53\nruntime.main\n\truntime/proc.go:225"}
{"level":"fatal","ts":1633090656.5645268,"caller":"git-init/main.go:54","msg":"Error fetching git repository: failed to fetch [main]: exit status 128","stacktrace":"main.main\n\tgithub.com/tektoncd/pipeline/cmd/git-init/main.go:54\nruntime.main\n\truntime/proc.go:225"}

My guess is that because user 65532's home dir isn't /tekton/creds it isn't picking up the private key? (I think this would be a great feature and I have a dev environment so I'm happy to help make this work)
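
The three situations this thread runs into (no HOME at all, so the credential copy targets "/"; a HOME but no passwd entry for the injected uid, so ssh reports "No user exists for uid 1000"; and a uid that does exist but whose passwd home is not the HOME Tekton sets) can be told apart before git runs. The preflight check below is an added example written for this page, not code from Tekton or from anyone in the thread. It takes the uid, the HOME value and a passwd file as arguments so it can be exercised offline; the passwd database it builds is constructed to resemble a distroless nonroot image and is not taken from any real image. It relies on two facts: Tekton's credential copy writes under $HOME, and OpenSSH resolves the user's home through getpwuid(), so a missing entry aborts ssh and a mismatched entry sends it to the passwd home directory rather than $HOME/.ssh.

```shell
#!/bin/sh
# Preflight check for ssh-based git inside a step that an admission webhook
# has forced to run as an arbitrary uid. POSIX sh + awk only, so it works in
# minimal images and can be unit-tested against a constructed passwd file.
#
# Usage: ssh_home_check <uid> <HOME value, may be empty> <passwd file>
# Return codes (a one-line diagnosis is printed as well):
#   0  uid has a passwd entry and HOME equals its home directory
#   1  HOME is empty: the credential copy has no usable target
#   2  uid has no passwd entry: ssh aborts with "No user exists for uid N"
#   3  HOME differs from the passwd home: ssh reads <pw_dir>/.ssh, not $HOME/.ssh
ssh_home_check() {
  uid=$1
  home_env=$2
  passwd_file=$3
  if [ -z "$home_env" ]; then
    echo "FAIL: HOME is unset for uid $uid; credential copy falls back to '/'"
    return 1
  fi
  # passwd fields: name:passwd:uid:gid:gecos:home:shell -> $3 is uid, $6 is home
  pw_dir=$(awk -F: -v u="$uid" '$3 == u { print $6; exit }' "$passwd_file")
  if [ -z "$pw_dir" ]; then
    echo "FAIL: uid $uid has no passwd entry; ssh will report 'No user exists for uid $uid'"
    return 2
  fi
  if [ "$pw_dir" != "$home_env" ]; then
    echo "WARN: HOME=$home_env but passwd home is $pw_dir; ssh looks for keys in $pw_dir/.ssh"
    return 3
  fi
  echo "OK: uid $uid resolves to $pw_dir and HOME agrees"
  return 0
}

# Constructed passwd database (made up for this example) shaped like a
# distroless nonroot image: root and uid 65532 exist, uid 1000 does not.
make_sample_passwd() {
  f=$(mktemp) || return 1
  printf '%s\n' \
    'root:x:0:0:root:/root:/sbin/nologin' \
    'nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin' > "$f"
  echo "$f"
}

# Walk through the situations from the thread plus the one that passes.
demo() {
  pw=$(make_sample_passwd)
  for c in '1000|' '1000|/tekton/home' '65532|/tekton/home' '65532|/home/nonroot'; do
    uid=${c%%|*}
    home=${c#*|}
    rc=0
    ssh_home_check "$uid" "$home" "$pw" || rc=$?
    echo "  (uid=$uid HOME='$home' -> rc=$rc)"
  done
  rm -f "$pw"
}

demo
```

Inside a real step the call is `ssh_home_check "$(id -u)" "$HOME" /etc/passwd`, which fails fast with a readable reason instead of git's exit status 128. The rc=3 case has the shape of the 65532 experiment above (HOME left at /tekton/home while the image's passwd entry points elsewhere); it is reported as a warning rather than a failure because whether ssh finds the key then depends on where the step actually placed it.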

afrittoli commented 2 years ago

Thanks @mlbiam for the updates and the offer to help! As a side note, it looks like you are using PipelineResources, which we are likely to deprecate. I didn't really dive into this, but I wonder if the fact that we do not set the HOME variable by default anymore might have an impact here @sbwsg

mlbiam commented 2 years ago

@afrittoli

As a side note, it looks like you are using PipelineResources which we are likely to be deprecate.

Can you point me to some background? If PipelineResources is going away, what's the right approach? Embedding the config directly into the PipelineRun?

ghost commented 2 years ago

Here's the rationale for PipelineResources being deprecated: https://github.com/tektoncd/community/blob/main/teps/0074-deprecate-pipelineresources.md#motivation

For cloning from a git repo there's a task in the catalog, git-clone, that accepts credentials directly as a workspace. You can pass in a k8s Secret here. When running as a non-root user you will likely also need to set the userHome parameter.
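
An added example of the approach described in that comment, not a manifest from the thread or from the catalog itself: a TaskRun against the catalog git-clone Task that binds the ssh Secret to the task's ssh-directory workspace and points userHome at the home directory of the uid the pod runs as. The namespace, ServiceAccount and repository URL reuse the values from the Pod listing above; the uid 65532, the /home/nonroot home directory and the Secret name git-pull-ssh-dir are assumptions that have to match the passwd entry in the git-init image in use and the Secret actually created.

```yaml
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: clone-hello-python-
  namespace: python-hello-build
spec:
  serviceAccountName: tekton-build
  taskRef:
    name: git-clone                  # catalog task, installed in the namespace first
  # Pod-level identity stated explicitly instead of waiting for the webhook to
  # inject one. Assumption: 65532 is the non-root user the git-init image ships
  # with; its passwd home directory must be the value given to userHome below.
  podTemplate:
    securityContext:
      runAsNonRoot: true
      runAsUser: 65532
      runAsGroup: 65532
      fsGroup: 65532
  params:
    - name: url
      value: git@gitlab-gitlab-shell.gitlab.svc.cluster.local:root/hello-python.git
    - name: revision
      value: main
    - name: userHome
      value: /home/nonroot           # assumption: passwd home of uid 65532
  workspaces:
    - name: output
      emptyDir: {}
    # git-clone copies the files in this workspace to $userHome/.ssh, so the
    # Secret's data keys must be the file names ssh expects (id_ed25519,
    # known_hosts, optionally config), not the ssh-privatekey key that the
    # annotated creds-init Secret uses.
    - name: ssh-directory
      secret:
        secretName: git-pull-ssh-dir # assumed name: a re-shaped copy of git-pull
```

The mutation in this thread adds a container-level runAsUser whenever one is absent, and a pod-level value in podTemplate does not stop that, so the webhook's default uid still has to be one that exists in the image (as in the 65532 experiment above) or the policy has to exempt these pods; otherwise ssh fails in the same way regardless of how the Secret is mounted.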

ghost commented 2 years ago

@mlbiam I'm going to close this issue on the basis that pipelineresources are likely to be deprecated. Recommend using the git-clone task from the catalog instead. Please feel free to reopen this issue if you'd like more help around this. Cheers!

/close

tekton-robot commented 2 years ago

@sbwsg: Closing this issue.

In response to [this](https://github.com/tektoncd/pipeline/issues/4264#issuecomment-956518183):

> @mlbiam I'm going to close this issue on the basis that pipelineresources are likely to be deprecated. Recommend using the `git-clone` task from the catalog instead. Please feel free to reopen this issue if you'd like more help around this. Cheers!
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.