Closed andrejmarinic closed 9 months ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/close
Send feedback to tektoncd/plumbing.
@tekton-robot: Closing this issue.
It seems the OpenShift installation instructions don't work.
I can see the deployments created after attempting
oc apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.notags.yaml
However the pods are not starting with the error:
pods "tekton-pipelines-controller-5bd45d454d-tdg29" is forbidden: unable to validate against any security context constraint: [
  pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/tekton-pipelines-controller: Forbidden: seccomp may not be set
  provider "pipelines-scc": Forbidden: not usable by user or serviceaccount
  provider "db2u-c-mas-inst1-masdev-manage-scc": Forbidden: not usable by user or serviceaccount
  provider "db2u-c-mas-inst2-mastest-manage-scc": Forbidden: not usable by user or serviceaccount
  spec.containers[0].securityContext.runAsUser: Invalid value: 65532: must be in the ranges: [1000880000, 1000889999]
  pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/tekton-pipelines-controller: Forbidden: seccomp may not be set
  provider "nonroot": Forbidden: not usable by user or serviceaccount
  provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount
  provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount
  provider "hostnetwork": Forbidden: not usable by user or serviceaccount
  provider "hostaccess": Forbidden: not usable by user or serviceaccount
  provider "node-exporter": Forbidden: not usable by user or serviceaccount
  provider "privileged": Forbidden: not usable by user or serviceaccount]
Similarly for the webhook pod:
pods "tekton-pipelines-webhook-58689c7bff-ldhdn" is forbidden: unable to validate against any security context constraint: [
  pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/webhook: Forbidden: seccomp may not be set
  provider "pipelines-scc": Forbidden: not usable by user or serviceaccount
  provider "db2u-c-mas-inst1-masdev-manage-scc": Forbidden: not usable by user or serviceaccount
  provider "db2u-c-mas-inst2-mastest-manage-scc": Forbidden: not usable by user or serviceaccount
  spec.containers[0].securityContext.runAsUser: Invalid value: 65532: must be in the ranges: [1000880000, 1000889999]
  pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/webhook: Forbidden: seccomp may not be set
  provider "nonroot": Forbidden: not usable by user or serviceaccount
  provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount
  provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount
  provider "hostnetwork": Forbidden: not usable by user or serviceaccount
  provider "hostaccess": Forbidden: not usable by user or serviceaccount
  provider "node-exporter": Forbidden: not usable by user or serviceaccount
  provider "privileged": Forbidden: not usable by user or serviceaccount]
I am no OpenShift guru, but I presume runAsUser doesn't work.
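
The following Python script is an added example, not part of the original report or of Tekton's code. It triages a denial like the ones above by separating the SCCs the pod's service account was never allowed to use from the field checks that actually failed. The names `diagnose` and `ERROR` are hypothetical, and the reading of "not usable by user or serviceaccount" as "this SCC was not granted to the requester" is the assumption the classification rests on.

```python
import re

# Constructed sample: the controller pod's denial from the report above, with
# most of the repeated 'provider ... not usable' entries left out.
ERROR = (
    'pods "tekton-pipelines-controller-5bd45d454d-tdg29" is forbidden: unable to '
    'validate against any security context constraint: ['
    'pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/'
    'tekton-pipelines-controller: Forbidden: seccomp may not be set '
    'provider "pipelines-scc": Forbidden: not usable by user or serviceaccount '
    'spec.containers[0].securityContext.runAsUser: Invalid value: 65532: '
    'must be in the ranges: [1000880000, 1000889999] '
    'provider "nonroot": Forbidden: not usable by user or serviceaccount '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

UNUSABLE = re.compile(r'provider "([^"]+)": Forbidden: not usable by user or serviceaccount')
RUN_AS = re.compile(r'(spec\.\S*runAsUser): Invalid value: (\d+): '
                    r'must be in the ranges: \[(\d+), (\d+)\]')
SECCOMP = re.compile(r'(pod\.metadata\.annotations\.\S+): Forbidden: seccomp may not be set')


def diagnose(message):
    """Separate SCCs the requester may not use from field checks that failed."""
    unusable, violations = [], []
    for name in UNUSABLE.findall(message):
        if name not in unusable:
            unusable.append(name)
    for field, uid, low, high in RUN_AS.findall(message):
        # Re-check the numbers instead of trusting the wording of the message.
        if not int(low) <= int(uid) <= int(high):
            violations.append((field, f"UID {uid} outside allowed range {low}-{high}"))
    for field in SECCOMP.findall(message):
        violations.append((field, "seccomp annotation not permitted"))
    # The full error repeats the seccomp entry; keep one copy of each violation.
    return {"unusable_sccs": unusable, "violations": list(dict.fromkeys(violations))}


if __name__ == "__main__":
    result = diagnose(ERROR)
    print("SCCs not granted to the requester:", ", ".join(result["unusable_sccs"]))
    for field, reason in result["violations"]:
        print(f"{field}: {reason}")
```

On this input the output shows two independent violations, the fixed UID 65532 and the seccomp annotation, so changing `runAsUser` alone would still leave the pod rejected.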