Pipeline tasks failing after upgrading Openshift Pipelines operator from 1.8 to 1.9
daisleyj commented
Expected Behavior
Pipeline tasks run successfully
Actual Behavior
Pipeline tasks fail almost instantly with the message:
failed to create task run pod "xxxxxx-pipelinerun-vtrhv-fetch-source": pods "xxxxxx-pipelinerun-vtrhv-fetch-source-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prepare", "place-scripts", "step-clone" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "prepare", "place-scripts", "step-clone" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "prepare", "place-scripts", "step-clone" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"). Maybe missing or invalid Task openshift-pipelines/git-clone
This seems to be happening in all pipeline runs and tasks which were working without issue
Steps to Reproduce the Problem
- On an openshift 4.12 cluster, install the Openshift-pipelines v1.8 operator
- Create a pipeline with a task as per the attached task.yaml file
  task.yaml.zip
- Run the pipeline with the defined parameters, it should run successfully
- Upgrade the Openshift-pipelines operator to version 1.9
Additional Info
- Kubernetes version:
  Output of kubectl version:
  Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"17b7accf8fd25125ce015cf4bea7d3cd3f336317", GitTreeState:"clean", BuildDate:"2023-08-23T08:05:56Z", GoVersion:"go1.19.10 X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}
  Kustomize Version: v4.5.7
  Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.16+bd92d70", GitCommit:"f5b7c3e8faedd51935d77828a5fc72c7540236f4", GitTreeState:"clean", BuildDate:"2024-04-04T12:54:26Z", GoVersion:"go1.19.13 X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}
- Tekton Pipeline version:
  v0.41.3
  Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'
piyush-garg commented
hey @daisleyj
First thing is, both of these versions are out of support. Also, are you setting allowPrivilegeEscalation in task steps? Also, did the upgrade happen completely?
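
Added example, not part of the issue thread and not Tekton or OpenShift code: a small checker that reports, per container, the three PodSecurity "restricted" violations quoted in the error message above. The function name, the sample pod specs and the simplified seccomp handling are assumptions made for illustration; it does not cover the rest of the restricted profile.

```python
# Added example: checks a pod spec (as a dict) for the three PodSecurity
# "restricted" violations named in the error message. Not the full profile.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Return {check: [container names]} for the three checks in the error."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    found = {"allowPrivilegeEscalation": [], "capabilities": [], "seccompProfile": []}
    # Init containers (Tekton's "prepare" and "place-scripts") are admitted
    # under the same rules as the step containers, so check both lists.
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        # Must be explicitly false; unset counts as a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            found["allowPrivilegeEscalation"].append(c["name"])
        # capabilities.drop must contain "ALL".
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found["capabilities"].append(c["name"])
        # Simplification (assumption): a container-level profile wins,
        # otherwise the pod-level profile applies.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ALLOWED_SECCOMP:
            found["seccompProfile"].append(c["name"])
    return {check: names for check, names in found.items() if names}

# Constructed sample mirroring the container names in the error message.
FAILING_POD = {
    "initContainers": [{"name": "prepare"}, {"name": "place-scripts"}],
    "containers": [{"name": "step-clone"}],
}
# The securityContext values the error message asks for.
COMPLIANT_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}
PASSING_POD = {
    key: [dict(c, securityContext=COMPLIANT_SC) for c in FAILING_POD[key]]
    for key in ("initContainers", "containers")
}

if __name__ == "__main__":
    for check, names in restricted_violations(FAILING_POD).items():
        print(f"{check}: {', '.join(names)}")
    print("compliant pod violations:", restricted_violations(PASSING_POD))
```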