tektoncd / triggers

Event triggering with Tekton!
Apache License 2.0

Event listener failing to run in OKD #1626

Open dtrowbri7669 opened 1 year ago

dtrowbri7669 commented 1 year ago

Expected Behavior

The event listener deployment should create a pod to listen for webhooks.

Actual Behavior

The deployment fails to create a pod and has this error in the deployment status:

```
pods "el-listener-54cb5fd5c5-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65532: must be in the ranges: [1000720000, 1000729999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```

I have set the event listener to run under the service account "pipeline" and ran the following commands to set permissions on the pipeline sa.

I have even tried adding the scc 'privileged' to the pipeline user and still got the same issue. I have tried removing the 'runAsUser: 65532' from the event listener deployment, but that configuration line was regenerated after saving the configuration.

I had a similar issue with the tekton-pipelines and tekton-pipelines-trigger installs and they only started running after I removed the 'runAsUser: 65532' line from the code.

Additional Info

khrm commented 1 year ago

Can you try running it using the operator? Select the platform as openshift.

dtrowbri7669 commented 1 year ago

I installed the Tekton pipelines in OKD following the OpenShift instructions on https://tekton.dev/docs/triggers/install/ and https://tekton.dev/docs/pipelines/install/. Is there a different way to install these? It is not listed in the OKD Operator Hub.

khrm commented 1 year ago

@dtrowbri7669 Can you try using tektoncd#operator?

souovan commented 3 months ago

> @dtrowbri7669 Can you try using tektoncd#operator?

I'm stuck in the same problem, tried using the operator as you mentioned but it didn't work, any hint?

alptekinynk commented 1 month ago

Hi, could you please check whether the pods of the following deployments under the tekton-pipelines namespace have been created?

If pods are not created, you need to authorize the relevant serviceAccounts. You can use the following commands to find the service accounts for the relevant deployments.

```
oc get deployment tekton-triggers-controller -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
oc get deployment tekton-triggers-core-interceptors -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
oc get deployment tekton-triggers-webhook -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
```

After learning the service account names, execute the following commands for each serviceAccount.

```
oc adm policy add-scc-to-user anyuid -z <service-account-name> -n tekton-pipelines
oc adm policy add-scc-to-user privileged -z <service-account-name> -n tekton-pipelines
```

Then roll out the deployments:

```
oc rollout restart deployment tekton-triggers-controller -n tekton-pipelines
oc rollout restart deployment tekton-triggers-core-interceptors -n tekton-pipelines
oc rollout restart deployment tekton-triggers-webhook -n tekton-pipelines
```

Now, when you create the event listener, you can see that the service and pod are created automatically.
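Added example (not from this thread or from the Tekton project): the `restricted-v2` rejection quoted in the issue comes from that SCC's run-as-range check, which compares `.containers[].runAsUser` against the UID range OpenShift assigns to the namespace in its `openshift.io/sa.scc.uid-range` annotation. The script below reproduces that check offline on constructed values, so you can see why 65532 is refused while a UID inside the namespace range, or no pinned UID at all, would be admitted. The annotation value and the helper names are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample values mirroring the error in this issue (not read from a cluster).
# The namespace annotation has the form "<start>/<size>"; 1000720000/10000 yields the
# range [1000720000, 1000729999] quoted in the deployment status above.
NAMESPACE_UID_RANGE = "1000720000/10000"
EL_RUN_AS_USER = 65532  # the runAsUser Tekton sets on the EventListener deployment


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Parse the 'start/size' annotation into an inclusive (min, max) UID pair."""
    m = re.fullmatch(r"(\d+)/(\d+)", annotation.strip())
    if not m:
        raise ValueError(f"malformed uid-range annotation: {annotation!r}")
    start, size = int(m.group(1)), int(m.group(2))
    if size < 1:
        raise ValueError("uid-range size must be at least 1")
    return start, start + size - 1


def restricted_v2_admits(annotation: str, run_as_user: Optional[int]) -> Tuple[bool, str]:
    """Mimic the MustRunAsRange decision restricted-v2 makes for one container.

    None models a pod spec that does not pin runAsUser: the SCC then assigns the
    start of the namespace range itself and admits the pod.
    """
    lo, hi = parse_uid_range(annotation)
    if run_as_user is None:
        return True, f"admitted: no runAsUser set, SCC assigns uid {lo}"
    if lo <= run_as_user <= hi:
        return True, f"admitted: runAsUser {run_as_user} is within [{lo}, {hi}]"
    return False, f"rejected: runAsUser {run_as_user} must be in the ranges: [{lo}, {hi}]"


if __name__ == "__main__":
    for uid in (EL_RUN_AS_USER, None, 1000720005):
        print(restricted_v2_admits(NAMESPACE_UID_RANGE, uid)[1])
```

Granting `anyuid` or `privileged` to the service account, as the comment above does, bypasses this range check entirely; the script only shows which UIDs the default SCC would have accepted.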