Event listener failing to run in OKD
Expected Behavior
The event listener deployment should create a pod to listen for webhooks.
Actual Behavior
The deployment fails to create a pod and has this error in the deployment status:
pods "el-listener-54cb5fd5c5-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65532: must be in the ranges: [1000720000, 1000729999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
I have set the event listener to run under the service account "pipeline" and ran the following commands to set permissions on the pipeline sa.
- oc adm policy add-scc-to-user anyuid -z pipeline
- oc adm policy add-role-to-user tekton-triggers-eventlistener-roles -z pipeline
- oc adm policy add-cluster-role-to-user tekton-triggers-eventlistener-clusterroles -z pipeline
I have even tried adding the scc 'privileged' to the pipeline user and still got the same issue. I have tried removing the 'runAsUser: 65532' from the event listener deployment, but that configuration line was regenerated after saving the configuration.
I had a similar issue with the tekton-pipelines and tekton-pipelines-trigger installs and they only started running after I removed the 'runAsUser: 65532' line from the code.
Additional Info
- Kubernetes version: v1.26.4-2868+a7ee68b55354d8-dirty
- Tekton Pipeline version: pipeline.tekton.dev/release: v0.49.0
- OKD version: 4.13.0-0.okd-2023-06-24-145750
Can you try running it using the operator? Select the platform as OpenShift.
I installed the Tekton pipelines in OKD following the OpenShift instructions on https://tekton.dev/docs/triggers/install/ and https://tekton.dev/docs/pipelines/install/. Is there a different way to install these? It is not listed in the OKD Operator Hub.
@dtrowbri7669 Can you try using tektoncd#operator?
I'm stuck on the same problem; I tried using the operator as you mentioned, but it didn't work. Any hint?
Hi, could you please check whether the pods of the following deployments under the tekton-pipelines namespace have been created?
- tekton-triggers-controller
- tekton-triggers-core-interceptors
- tekton-triggers-webhook
If pods are not created, you need to authorize the relevant serviceAccounts. You can use the following commands to find service accounts for relevant deployments.
oc get deployment tekton-triggers-controller -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
oc get deployment tekton-triggers-core-interceptors -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
oc get deployment tekton-triggers-webhook -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
After learning the service account names, execute the following commands for each serviceAccount.
oc adm policy add-scc-to-user anyuid -z <service-account-name> -n tekton-pipelines
oc adm policy add-scc-to-user privileged -z <service-account-name> -n tekton-pipelines
Then roll out the deployments:
oc rollout restart deployment tekton-triggers-controller -n tekton-pipelines
oc rollout restart deployment tekton-triggers-core-interceptors -n tekton-pipelines
oc rollout restart deployment tekton-triggers-webhook -n tekton-pipelines
Now, when you create the event listener, you can see that the service and pod are created automatically.
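The error in the original report and the SCC grants in the reply above both come down to one check: restricted-v2 only admits a pod whose runAsUser falls inside the UID range assigned to the namespace, and 65532 is outside [1000720000, 1000729999]. The following script is an added example (not from the issue thread or the Tekton project) that parses that error text, reads the range in the form the namespace annotation openshift.io/sa.scc.uid-range uses, and reports whether a given UID would be admitted. It assumes the annotation is read separately with oc (nothing here calls oc); the sample error is the fragment quoted in the issue.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Tekton project. It turns the
# SCC admission error quoted in the issue into a yes/no check: does the pod's
# fixed runAsUser fall inside the UID range that restricted-v2 assigns to the
# namespace? If not, the pod is rejected exactly as shown in the issue,
# regardless of which roles the service account has been given.

# Error text copied from the issue (only the relevant fragment).
SAMPLE_ERR='provider restricted-v2: .containers[0].runAsUser: Invalid value: 65532: must be in the ranges: [1000720000, 1000729999]'

# parse_scc_error: reads the error text on stdin, prints "<uid> <start> <end>".
parse_scc_error() {
  sed -n 's/.*runAsUser: Invalid value: \([0-9][0-9]*\): must be in the ranges: \[\([0-9][0-9]*\), \([0-9][0-9]*\)].*/\1 \2 \3/p'
}

# range_from_annotation: converts the "<start>/<size>" value of the namespace
# annotation openshift.io/sa.scc.uid-range into "<start> <end>". Assumption:
# the value was fetched beforehand, e.g. with
#   oc get ns <ns> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
range_from_annotation() {
  start="${1%/*}"
  size="${1#*/}"
  echo "$start $((start + size - 1))"
}

# uid_in_range START END UID: returns 0 when UID lies within [START, END].
uid_in_range() {
  if [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]; then
    return 0
  fi
  return 1
}

# scc_verdict START END UID: one-line diagnosis for the given pod UID.
scc_verdict() {
  if uid_in_range "$1" "$2" "$3"; then
    echo "ok: runAsUser $3 is inside [$1, $2]; restricted-v2 admits the pod"
  else
    echo "mismatch: runAsUser $3 is outside [$1, $2]; drop the fixed runAsUser so the SCC assigns one, or bind a less privileged SCC such as nonroot-v2 to the service account"
  fi
}

# Stand-alone run against the sample error from the issue.
set -- $(printf '%s\n' "$SAMPLE_ERR" | parse_scc_error)
scc_verdict "$2" "$3" "$1"
```

The verdict deliberately points at nonroot-v2 rather than anyuid or privileged: nonroot-v2 accepts any fixed non-root UID such as 65532, which is all the event listener needs, while anyuid and privileged grant far more than the pod uses.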