
Event listener failing to run in OKD #1626

Open
dtrowbri7669 opened this issue Aug 9, 2023 · 5 comments
Labels
kind/question Issues or PRs that are questions around the project or a particular feature

Comments

@dtrowbri7669

Expected Behavior

The event listener deployment should create a pod to listen for webhooks.

Actual Behavior

The deployment fails to create a pod and has this error in the deployment status.
pods "el-listener-54cb5fd5c5-" is forbidden: unable to validate against
any security context constraint: [provider "anyuid": Forbidden: not
usable by user or serviceaccount, provider restricted-v2:
.containers[0].runAsUser: Invalid value: 65532: must be in the ranges:
[1000720000, 1000729999], provider "restricted": Forbidden: not usable
by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable
by user or serviceaccount, provider "nonroot": Forbidden: not usable by
user or serviceaccount, provider "hostmount-anyuid": Forbidden: not
usable by user or serviceaccount, provider
"machine-api-termination-handler": Forbidden: not usable by user or
serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user
or serviceaccount, provider "hostnetwork": Forbidden: not usable by user
or serviceaccount, provider "hostaccess": Forbidden: not usable by user
or serviceaccount, provider "node-exporter": Forbidden: not usable by
user or serviceaccount, provider "privileged": Forbidden: not usable by
user or serviceaccount]

I have set the event listener to run under the service account "pipeline" and ran the following commands to set permissions on the pipeline sa.

  • oc adm policy add-scc-to-user anyuid -z pipeline
  • oc adm policy add-role-to-user tekton-triggers-eventlistener-roles -z pipeline
  • oc adm policy add-cluster-role-to-user tekton-triggers-eventlistener-clusterroles -z pipeline

I have even tried adding the scc 'privileged' to the pipeline user and still got the same issue.
I have tried removing the 'runAsUser: 65532' from the event listener deployment, but that configuration line was regenerated after saving the configuration.

I had a similar issue with the tekton-pipelines and tekton-pipelines-trigger installs and they only started running after I removed the 'runAsUser: 65532' line from the code.

Additional Info

  • Kubernetes version: v1.26.4-2868+a7ee68b55354d8-dirty
  • Tekton Pipeline version: pipeline.tekton.dev/release: v0.49.0
  • OKD version: 4.13.0-0.okd-2023-06-24-145750
dtrowbri7669 added the kind/bug label Aug 9, 2023

khrm commented Aug 10, 2023

Can you try running it using the operator? Select the platform as openshift.

@dtrowbri7669 (Author)

I installed the Tekton pipelines in OKD following the OpenShift instructions on https://tekton.dev/docs/triggers/install/ and https://tekton.dev/docs/pipelines/install/. Is there a different way to install these? It is not listed in the OKD Operator Hub.


khrm commented Aug 16, 2023

@dtrowbri7669 Can you try using tektoncd#operator?

dibyom added the kind/question label and removed the kind/bug label Sep 6, 2023

souovan commented Jul 4, 2024

@dtrowbri7669 Can you try using tektoncd#operator?

I'm stuck on the same problem; I tried using the operator as you mentioned but it didn't work. Any hint?

@alptekinynk

Hi, could you please check whether the pods of the following deployments under the tekton-pipelines namespace have been created?

  • tekton-triggers-controller
  • tekton-triggers-core-interceptors
  • tekton-triggers-webhook

If the pods are not created, you need to authorize the relevant serviceAccounts. You can use the following commands to find the service accounts for the relevant deployments:
oc get deployment tekton-triggers-controller -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
oc get deployment tekton-triggers-core-interceptors -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'
oc get deployment tekton-triggers-webhook -n tekton-pipelines -o jsonpath='{.spec.template.spec.serviceAccountName}'

After learning the service account names, execute the following commands for each serviceAccount:
oc adm policy add-scc-to-user anyuid -z <service-account-name> -n tekton-pipelines
oc adm policy add-scc-to-user privileged -z <service-account-name> -n tekton-pipelines

Then roll out the deployments:
oc rollout restart deployment tekton-triggers-controller -n tekton-pipelines
oc rollout restart deployment tekton-triggers-core-interceptors -n tekton-pipelines
oc rollout restart deployment tekton-triggers-webhook -n tekton-pipelines

Now, when you create the event listener, you can see that the service and pod are created automatically.
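The rejection quoted in the issue is restricted-v2 refusing a runAsUser outside the block of UIDs that OKD allocates to the namespace; that block is recorded in the namespace annotation openshift.io/sa.scc.uid-range in start/size form, which is why 65532 fails against [1000720000, 1000729999]. The POSIX sh below is an added example (not from this thread or the Tekton project): it evaluates a requested UID against that annotation and names the narrowest stock SCC that would admit it, so that anyuid or privileged is only granted to a service account when a less permissive SCC will not do. The annotation value is constructed to match the range in the error message, and the SCC names assume the stock OKD 4.x SCCs.

```shell
#!/bin/sh
# Added example, not from the issue thread. Assumes the OpenShift/OKD
# convention that openshift.io/sa.scc.uid-range holds "<start>/<size>" and
# that restricted-v2 admits UIDs in the inclusive range [start, start+size-1].

# Print the inclusive UID range for a "start/size" annotation as "min max".
scc_uid_range() {
    start=${1%/*}
    size=${1#*/}
    echo "$start $((start + size - 1))"
}

# Return 0 if UID $2 lies inside the range described by annotation $1, else 1.
# This is the check restricted-v2 applies before falling through to other SCCs.
uid_allowed_by_restricted() {
    set -- "$1" "$2" $(scc_uid_range "$1")
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]
}

# Name the least-privileged stock SCC that admits UID $2 given annotation $1:
# restricted-v2 if the UID is in the namespace block, nonroot-v2 for any other
# non-root UID (65532 in this issue), anyuid only when the pod must run as root.
suggest_scc() {
    if uid_allowed_by_restricted "$1" "$2"; then
        echo restricted-v2
    elif [ "$2" -gt 0 ]; then
        echo nonroot-v2
    else
        echo anyuid
    fi
}

# Constructed input matching the range in the error message of this issue.
ANNOTATION="1000720000/10000"
suggest_scc "$ANNOTATION" 65532        # → nonroot-v2
suggest_scc "$ANNOTATION" 1000720005   # → restricted-v2
```

On a live cluster the annotation value comes from `oc get namespace <ns> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'`, and the chosen SCC is then granted with the same `oc adm policy add-scc-to-user` form used above.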
