  1. OpenShift Pipelines
  2. SRVKP-7852

tekton-chains-controller unable to create statefulset pods after enabling statefulset-ordinals for chains in tektonconfig

      Before this update, pods in the tekton-chains-controller StatefulSet failed to start on OpenShift due to Security Context Constraints (SCC) validation errors. Specifically, the pod's runAsUser: 65532 was not within any permitted UID range (e.g., [1000770000, 1000779999]), and no applicable SCCs allowed its execution. With this update, the Operator now applies the appropriate transformation function to StatefulSets, ensuring that the generated pod specs comply with OpenShift's SCC requirements. This fix restores compatibility and allows the tekton-chains-controller pods to start successfully.
    • Release Note Not Required
    • 3
    • Pipelines Sprint pioneers 31

      Description of problem:

      tekton-chains-controller unable to create statefulset pods after enabling statefulset-ordinals for chains in tektonconfig

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Deploy 1.19 operator on OCP 4.18
      2. Enable statefulset-ordinals for chains in tektonconfig using configuration as below
      3. Once the statefulset is enabled for chains controller, wait for the chains-controller statefulset pods to be created
      chain:
          artifacts.oci.format: simplesigning
          artifacts.oci.storage: oci
          artifacts.pipelinerun.format: in-toto
          artifacts.pipelinerun.storage: oci
          artifacts.taskrun.format: in-toto
          artifacts.taskrun.storage: oci
          disabled: false
          options: {}
          performance:
            buckets: 2
            disable-ha: false
            replicas: 2
            statefulset-ordinals: true 

                 

      oc get sts -n openshift-pipelines
      NAME                                READY   AGE
      tekton-chains-controller            0/2     4m47s
      tekton-pipelines-controller         2/2     26h
      tekton-pipelines-remote-resolvers   2/2     26h
      tekton-results-postgres             1/1     26h
      tekton-results-watcher              2/2     124m
       

       

      Actual results:

      Pods are failing to create because of a forbidden error

       

      Events:
        Type     Reason        Age                From                    Message
        ----     ------        ----               ----                    -------
        Warning  FailedCreate  3s (x14 over 44s)  statefulset-controller  create Pod tekton-chains-controller-0 in StatefulSet tekton-chains-controller failed error: pods "tekton-chains-controller-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65532: must be in the ranges: [1000770000, 1000779999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "logging-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
       

       

       

      Expected results:

      chains-controller pods should be created after enabling statefulset ordinals for chains

      Reproducibility (Always/Intermittent/Only Once):

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       

              jkhelil abdeljawed khelil
              rh-ee-smanthin Sai Raju Manthina
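An added triage example, not part of the original issue or of the operator's code: it splits the FailedCreate message quoted above into SCCs the pod's service account is not authorized to use and SCCs that were evaluated but rejected a field of the pod spec. The event text is abridged from the one in this issue; the function and variable names are hypothetical.

```python
import re

# Abridged from the FailedCreate event quoted in this issue (four providers kept).
EVENT = (
    'pods "tekton-chains-controller-0" is forbidden: unable to validate against any '
    'security context constraint: [provider "anyuid": Forbidden: not usable by user or '
    'serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or '
    'serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: '
    '65532: must be in the ranges: [1000770000, 1000779999], provider "privileged": '
    'Forbidden: not usable by user or serviceaccount]'
)

# One "provider <name>: <reason>" entry; the name is quoted for some SCCs only.
PROVIDER = re.compile(r'provider "?([\w.-]+)"?: (.*?)(?=, provider |\]$)')
# Field-level rejection of a numeric ID that falls outside the allowed range.
RANGE = re.compile(
    r'(\S+): Invalid value: (\d+): must be in the ranges: \[(\d+), (\d+)\]')


def triage(message):
    """Return (not_granted, field_errors) for an SCC admission denial.

    not_granted:  SCCs neither the requesting user nor the service account may use.
    field_errors: SCCs that were evaluated but rejected a field of the pod spec.
    """
    not_granted, field_errors = [], []
    for name, reason in PROVIDER.findall(message):
        m = RANGE.search(reason)
        if m:
            field, value, low, high = m.group(1), *map(int, m.group(2, 3, 4))
            field_errors.append({"scc": name, "field": field, "value": value,
                                 "range": (low, high),
                                 "in_range": low <= value <= high})
        elif "not usable by user or serviceaccount" in reason:
            not_granted.append(name)
        else:
            # Unrecognized reason: keep the raw text for manual review.
            field_errors.append({"scc": name, "raw": reason})
    return not_granted, field_errors


if __name__ == "__main__":
    denied, errors = triage(EVENT)
    print("SCCs not granted to the service account:", ", ".join(denied))
    for e in errors:
        print(e)
```

For this event, only restricted-v2 was actually evaluated, and the single blocking field is the fixed runAsUser value outside the namespace's UID range.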