  1. OpenShift Pipelines
  2. SRVKP-2212

Tekton pipelines we are getting permission denied after cluster upgrade


    • Bug
    • Resolution: Done
    • Minor
    • Pipelines 1.7, Pipelines 1.6.2
    • Tekton Catalog

      Hi, Team.

      I have a case where the customer is complaining that, after upgrading from 4.8 to 4.9, they are receiving permission denied:

      The cluster has been updated to OCP version 4.9 from 4.8. After the cluster upgrade, while running Tekton pipelines, we are getting permission denied. Service account pipelines are used to run the pipelines by default and it assumes pipeline-SCC. We would like to know what changed in version 4.9, as we are not seeing any errors in 4.8 clusters.

      Some more information provided by customer:

      As he mentioned, the issue we are facing in 4.9 is that we are noticing that the OpenShift Pipelines are not being admitted by the correct SCC [1]. The public documentation states that the OpenShift Pipelines should be running as the pipelines-scc [2]. From my investigation and my knowledge of how we use the pipelines, we require "CSI" to be added to the list of allowed volumes of the pipelines-scc. Of course, in 4.9 the operator seems to be reconciling the pipeline-scc and removing the added field, leaving us unable to submit pipelines.
      What we are trying to understand is what changed in the cluster, as before 4.9 pods were admitted with the restricted-with-csi scc or pipelines-scc when it did not need CSI volumes and seemed to be working okay (note this one has the correct volumes we need but has an incorrect FSGroup).

      At the end of the day, the ask is: is it possible for you all to add CSI to the pipeline-scc, or provide us with a way to ensure that the Tekton pipelines run as a specific SCC?
      
      [1] https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html
      [2] https://docs.openshift.com/container-platform/4.8/cicd/pipelines/using-pods-in-a-privileged-security-context.html
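
The volume-type mismatch described in the report can be checked offline with the sketch below. It is an added example, not part of the original issue or of the operator's code; it models only the `volumes` allow-list of an SCC (not FSGroup, priority or the other admission checks), and the SCC contents and the pod are constructed sample data.

```python
# Added example: models only the volume-type check of SCC admission.
# SCC names come from the report; their contents and the pod are constructed.
SCCS = {
    "pipelines-scc": {"volumes": ["configMap", "downwardAPI", "emptyDir",
                                  "persistentVolumeClaim", "projected", "secret"]},
    "restricted-with-csi": {"volumes": ["configMap", "csi", "downwardAPI", "emptyDir",
                                        "persistentVolumeClaim", "projected", "secret"]},
}

POD = {  # constructed task pod that mounts a CSI volume
    "spec": {"volumes": [
        {"name": "workspace", "emptyDir": {}},
        {"name": "secrets-store", "csi": {"driver": "example.csi.driver"}},
    ]}
}


def pod_volume_types(pod):
    """Return the set of volume source types a pod spec uses."""
    types = set()
    for vol in pod.get("spec", {}).get("volumes", []):
        # A volume entry looks like {"name": ..., "<sourceType>": {...}}.
        types.update(key for key in vol if key != "name")
    return types


def blocked_volume_types(scc, pod):
    """List the pod's volume types that the SCC allow-list does not cover."""
    allowed = set(scc.get("volumes") or [])
    if "*" in allowed:  # wildcard permits every volume type
        return []
    return sorted(pod_volume_types(pod) - allowed)


def volume_report(sccs, pod):
    """Map each SCC name to the volume types it would reject for this pod."""
    return {name: blocked_volume_types(scc, pod) for name, scc in sccs.items()}


if __name__ == "__main__":
    for name, blocked in volume_report(SCCS, POD).items():
        print(name, "ok" if not blocked else "rejects: " + ", ".join(blocked))
```

To run it against a live cluster, replace the constructed dictionaries with the JSON from `oc get scc <name> -o json` and `oc get pod <name> -o json`.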

       

              Unassigned Unassigned
              rhn-support-faldana Fabio Aldana