fixes RBAC permissions for task and pipeline runs for openshift
When `taskruns` or `pipelineruns` instance is created, build pod creation
fails with the following error `tekton-pipelines-controller` service account.

```
'pods "hello-task-64f24-r9sgt" is forbidden: cannot set blockOwnerDeletion
if an ownerReference refers to a resource you can't set finalizers on: no RBAC
policy matched, <nil>'
```

This patch fixes the required permission for `tekton-pipelines-admin` role,
so controller could set required metadata on build pod.

Fixes
 - knative/build#523
hrishin authored and knative-prow-robot committed Mar 6, 2019
1 parent eee89b0 commit 1f42004
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions config/200-clusterrole.yaml
Expand Up @@ -18,6 +18,9 @@ rules:
- apiGroups: ["tekton.dev"]
resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["taskruns/finalizers", "pipelineruns/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
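Review bot: The new rule for `taskruns/finalizers` and `pipelineruns/finalizers` copies the full verb list (`get`, `list`, `create`, `update`, `delete`, `patch`, `watch`) from the rule above it, which is broader than the error in the commit message calls for. The `blockOwnerDeletion` check is enforced by the OwnerReferencesPermissionEnforcement admission plugin, which only requires `update` on the owner's `finalizers` subresource, so `verbs: ["update"]` should be enough here and keeps the cluster role closer to least privilege. A short YAML comment above the rule saying it exists so the controller can set `blockOwnerDeletion` on pods owned by a TaskRun or PipelineRun would also help, since the reason is not obvious from the rule alone and it is easy to remove as apparently redundant later.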