OpenShift Pipelines: SRVKP-6465

Tekton Pipeline Fails with SCC Validation Error after Applying Custom RoleBinding and SCC Configuration on OpenShift 4.15


      Description of problem:

      The customer is facing an issue with Tekton pipelines while trying to restrict the privileges granted to the pipeline service account. They have set createRbacResource: false and created a custom RoleBinding and SecurityContextConstraints (SCC). However, when they run Tekton pipelines they receive the following error:

      pods "image-build-using-hub-resolver-5btkt5-build-image-pod" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "cert-manager-csi-driver-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 0: must be in the ranges: [1000890000, 1000899999], provider restricted-v2: .containers[0].capabilities.add: Invalid value: "SETFCAP": capability may not be added, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "container-build": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider nonroot: .containers[0].runAsUser: Invalid value: 0: running with the root UID is forbidden, provider nonroot: .containers[0].capabilities.add: Invalid value: "SETFCAP": capability may not be added...

      The customer followed the Tekton team's guidance, but the issue persists. The root of the problem seems to be SCC validation in OpenShift 4.15, especially around the restricted SCC policies.

      Workaround
      Currently, no viable workaround is available. The only known option is to adjust SCC policies manually, but this has not fully resolved the issue. They need further guidance from Tekton engineering on how to configure the SCC and RoleBinding properly.
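      The admission error quoted above mixes two different failure classes, and the RoleBinding question turns on telling them apart. An entry of the form "Forbidden: not usable by user or serviceaccount" means the pod's service account has not been granted the "use" verb on that SCC (an RBAC gap); an entry of the form "Invalid value" means the SCC is usable by the service account but the pod spec (root UID, the SETFCAP capability) violates it. The script below is an added triage example, not part of this issue or of the Tekton project: it parses a constructed, shortened copy of the quoted error into one finding per SCC provider, and replays the RBAC lookup against a Role/RoleBinding pair that grants "use" on a single SCC. The namespace "demo", the service account name "pipeline" and the role/binding names are assumptions; only the SCC name pipelines-scc comes from the issue. ClusterRoleBindings are not modelled, and the quoted error is truncated ("..."), so whether pipelines-scc itself appears as a provider cannot be read from the excerpt.

```python
import re
from dataclasses import dataclass

# Constructed, shortened copy of the SCC admission error quoted in the issue.
SAMPLE_ERROR = (
    'pods "image-build-using-hub-resolver-5btkt5-build-image-pod" is forbidden: '
    'unable to validate against any security context constraint: '
    '[provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'provider restricted-v2: .containers[0].runAsUser: Invalid value: 0: '
    'must be in the ranges: [1000890000, 1000899999], '
    'provider restricted-v2: .containers[0].capabilities.add: Invalid value: '
    '"SETFCAP": capability may not be added, '
    'provider nonroot: .containers[0].runAsUser: Invalid value: 0: '
    'running with the root UID is forbidden]'
)


@dataclass
class Finding:
    provider: str
    kind: str    # "rbac": SA lacks `use` on this SCC; "spec": SCC usable, pod violates it
    detail: str


def triage_scc_error(message: str) -> list[Finding]:
    """Split one SCC admission error into a finding per provider entry."""
    body = message[message.index("[provider ") + 1:]
    body = body.removesuffix("...").removesuffix("]")   # tolerate truncated log lines
    findings = []
    for chunk in re.split(r", (?=provider )", body):
        m = re.match(r'provider "?([^"\s:]+)"?: (.*)', chunk, re.S)
        if not m:
            continue
        provider, rest = m.groups()
        if rest.startswith("Forbidden: not usable"):
            kind = "rbac"        # SA is not bound to a role granting `use` on this SCC
        elif "Invalid value" in rest:
            kind = "spec"        # SCC is usable, but the pod spec violates it
        else:
            kind = "other"
        findings.append(Finding(provider, kind, rest))
    return findings


# Constructed manifests (as dicts) for the Role/RoleBinding pair that lets one
# service account use one SCC. Namespace "demo", SA "pipeline" and the
# role/binding names are assumptions; "pipelines-scc" is named in the issue.
SCC_USE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pipelines-scc-user", "namespace": "demo"},
    "rules": [{
        "apiGroups": ["security.openshift.io"],
        "resources": ["securitycontextconstraints"],
        "resourceNames": ["pipelines-scc"],
        "verbs": ["use"],
    }],
}
SCC_USE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "pipeline-uses-pipelines-scc", "namespace": "demo"},
    "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": "demo"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "pipelines-scc-user"},
}


def _matches(rule_values, wanted):
    """RBAC list match with the '*' wildcard."""
    return "*" in rule_values or wanted in rule_values


def can_use_scc(objects, namespace, service_account, scc):
    """Replay the RBAC check the SCC admission plugin performs for a pod's SA.

    Only namespaced RoleBindings are walked; ClusterRoleBindings are not modelled.
    """
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for rb in objects:
        if rb["kind"] != "RoleBinding" or rb["metadata"].get("namespace") != namespace:
            continue
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == service_account
                    and s.get("namespace", namespace) == namespace
                    for s in rb.get("subjects", []))
        if not bound:
            continue
        ref = rb["roleRef"]
        role = roles.get((ref["kind"], namespace if ref["kind"] == "Role" else None,
                          ref["name"]))
        for rule in (role or {}).get("rules", []):
            if (_matches(rule.get("apiGroups", []), "security.openshift.io")
                    and _matches(rule.get("resources", []), "securitycontextconstraints")
                    and _matches(rule.get("verbs", []), "use")
                    and (not rule.get("resourceNames") or scc in rule["resourceNames"])):
                return True
    return False


if __name__ == "__main__":
    for f in triage_scc_error(SAMPLE_ERROR):
        print(f"{f.provider:15} {f.kind:5} {f.detail}")
    print("pipeline SA may use pipelines-scc:",
          can_use_scc([SCC_USE_ROLE, SCC_USE_BINDING], "demo", "pipeline", "pipelines-scc"))
```

      Run against the real error and the customer's own RoleBinding/SCC YAML, the two results answer separate questions: a "rbac" finding for the custom SCC points at the binding (subject name, namespace, or missing "use" rule), while a "spec" finding for it means the SCC's runAsUser strategy or allowed capabilities are tighter than what the build step requests.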

      Prerequisites (if any, like setup, operators/versions):

      OpenShift version: 4.15
      Tekton Pipelines installed with custom RoleBinding and SCC configuration
      createRbacResource: false set in Tekton configuration to avoid automatic role creation

      Steps to Reproduce

      1. Install Tekton Pipelines on OpenShift 4.14.
      2. Set createRbacResource: false in the Tekton configuration to prevent automatic RBAC role creation.
      3. Apply a custom RoleBinding and SCC (pipelines-scc) to the pipeline service account.
      4. Run a Tekton pipeline with a task that requires elevated permissions (e.g., the buildah task).

       

      Actual results:

      The pipeline fails with an SCC validation error, indicating the service account is unable to validate against any security context constraints. Key issues include restricted permissions for runAsUser and capabilities such as SETFCAP.

      Expected results:

      The Tekton pipeline should execute successfully with the custom RoleBinding and SCC, without requiring the pipeline service account to have elevated cluster-wide permissions.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria: 

      A fix or workaround that allows the Tekton pipeline to run successfully with custom RoleBinding and SCC without giving overly broad permissions to the pipeline service account.

       

      Definition of Done:

      Build Details:

      OpenShift version: 4.15
      Tekton pipeline 1.15.1

      Additional info (Such as Logs, Screenshots, etc):

      Logs from the pipeline execution showing the SCC validation error.
      YAML configuration for the custom RoleBinding and SCC.
       

      Assignee: Unassigned
      Reporter: Vivek Yoganand A (rhn-support-vyoganan)