
I'm just starting to learn Tekton. I have a Tekton pipeline with the following, taken from this article:

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: clone-read
spec:
  description: |
    This pipeline clones a git repo, then echoes the README file to stdout.
  params:
  - name: repo-url
    type: string
    description: The git repo URL to clone from.
  workspaces:
  - name: shared-data
    description: |
      This workspace contains the cloned repo files, so they can be read by the
      next task.
  - name: git-credentials
    description: My ssh credentials
  tasks:
  - name: fetch-source
    taskRef:
      kind: ClusterTask
      name: git-clone
    workspaces:
    - name: output
      workspace: shared-data
    - name: ssh-directory
      workspace: git-credentials
    params:
      - name: url
        value: $(params.repo-url)
      - name: revision
        value: branch-name
      - name: submodules
        value: 'true'
      - name: depth
        value: '1'
      - name: sslVerify
        value: 'true'
      - name: sparseCheckoutDirectories
        value: /path/to/directory/
      - name: deleteExisting
        value: 'true'
      - name: verbose
        value: 'true'
      - name: gitInitImage
        value: >-
          registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:<hash>
      - name: userHome
        value: /tekton/home
  - name: show-readme
    runAfter: ["fetch-source"]
    taskRef:
      name: show-readme
    workspaces:
    - name: source
      workspace: shared-data

When I run it, in the events tab it gets to these 2 events and just keeps posting them over and over. By the time I stopped it, they had been posted 119 times in 30 minutes:

Error: container has runAsNonRoot and image will run as root (pod: "clone-read-2ol4nq-fetch-source-7xfk6-pod-7w7jx_()", container: place-tools)

Container image "registry.redhat.io/openshift-pipelines/pipelines-entrypoint-rhel8@sha256:" already present on machine

How would I fix them?

jerdub1993
  • any reason why you override the image for `git-init` via the parameter `gitInitImage`? – titou10 Apr 08 '23 at 15:09
  • @titou10 not particularly, it wasn't intentional. When I ran the code from the article it wasn't working so I made the task manually via GUI and grabbed the YAML output so that's where the `fetch-source` task came from, including that `gitInitImage`. What would be the right way to do it? – jerdub1993 Apr 08 '23 at 19:39

1 Answer


For the record, Tekton in OpenShift ships with several images like those, that DO REQUIRE running as privileged. And the way OpenShift allows for this is that you should have an SCC (pipelines-scc), a ClusterRole (pipelines-scc-clusterrole), and, in each namespace: a ServiceAccount (pipeline) and RoleBinding (pipelines-scc-rolebinding).

That "pipeline" ServiceAccount is granted usage of tekton's SCC, such that all containers related to "pipeline" may run as root.

And yes, that OpenShift Pipelines operator shamelessly ships with containers such as their git-clone, that would run as root ... Unless writing your own PipelineRuns forcing your own securityContext on tasks containers.

Back to your error: I suspect you're not using the "pipeline" ServiceAccount. Nor forcing any securityContext in your PipelineRun definition. Please share the PipelineRun object, or make sure not to set a serviceAccount in there.

SYN
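As an added example (not the answer's or the OpenShift Pipelines project's own code), here is a PipelineRun for the clone-read pipeline above that explicitly runs under the operator-provisioned "pipeline" ServiceAccount, which the answer says is what grants the git-init image permission to start as root; the repository URL and the Secret name are assumed placeholders.

```yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: clone-read-run-
spec:
  pipelineRef:
    name: clone-read
  # The "pipeline" ServiceAccount is bound to pipelines-scc through the
  # operator's pipelines-scc-rolebinding in this namespace, so the pods it owns
  # are admitted under that SCC instead of the default restricted one (which
  # enforces runAsNonRoot and produces the error in the question).
  serviceAccountName: pipeline
  params:
    - name: repo-url
      value: git@example.com:org/repo.git   # assumed placeholder URL
  workspaces:
    # Backing for the "shared-data" workspace: a fresh PVC per run.
    - name: shared-data
      volumeClaimTemplate:
        spec:
          accessModes: [ReadWriteOnce]
          resources:
            requests:
              storage: 1Gi
    # Backing for the "git-credentials" workspace: a Secret holding the ssh
    # material the git-clone ClusterTask reads from its ssh-directory workspace.
    - name: git-credentials
      secret:
        secretName: git-ssh-credentials     # assumed placeholder Secret name
  # Alternative the answer mentions: pin a securityContext on the run's pods so
  # they never start as root. Assumed to work only if every image in the
  # pipeline can run unprivileged; left commented out for that reason.
  # podTemplate:
  #   securityContext:
  #     runAsNonRoot: true
  #     runAsUser: 65532
```

Apply it with `oc create -f pipelinerun.yaml -n <namespace>`, and confirm beforehand that `oc get sa pipeline -n <namespace>` and `oc get rolebinding pipelines-scc-rolebinding -n <namespace>` both exist, since the run falls back to the default ServiceAccount (and the restricted SCC) if they do not.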