Pipeline Service Account Missing from openshift-pipelines namespace
Environment
- Red Hat OpenShift Service on AWS (ROSA) 4
- Red Hat OpenShift Dedicated (OSD) 4
Issue
- Pod creation fails after updating openshift-pipelines-operator-rh.v1.7.0 in OSD/ROSA, and a service account cannot be found in the openshift-pipelines namespace.
Resolution
Use the following YAML to create the 'pipeline' service account with the required permission and role in the openshift-pipelines namespace.
# Service account that the cleanup job's pods run as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline
  namespace: openshift-pipelines
---
# Namespaced role limited to get, delete and list on Tekton TaskRuns
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pipelines-as-code-cleanup-job
  namespace: openshift-pipelines
rules:
  - apiGroups: ["tekton.dev"]
    resources: ["taskruns"]
    verbs: ["get", "delete", "list"]
---
# Binds the role above to the 'pipeline' service account
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines-as-code-cleanup-job
  namespace: openshift-pipelines
subjects:
  - kind: ServiceAccount
    name: pipeline
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipelines-as-code-cleanup-job
Root Cause
The 'pipeline' service account is not present in the openshift-pipelines namespace. This service account is required to run the operator-controlled cron job task.
Diagnostic Steps
$ oc get sa -n openshift-pipelines
$ oc get events --namespace openshift-pipelines
LAST SEEN TYPE REASON OBJECT MESSAGE
148m Warning FailedCreate job/pipelines-as-code-pr-cleanup-27547980 Error creating: pods "pipelines-as-code-pr-cleanup-27547980--1-" is forbidden: error looking up service account openshift-pipelines/pipeline: serviceaccount "pipeline" not found
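The diagnostic above, as an added example that is not part of the original Red Hat solution: a shell function that reads `oc get events` output and reports which service accounts the FailedCreate warnings name as missing, with the number of events for each. The function names and the second and third sample event rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise "serviceaccount not found" failures from event output.
# Live usage (assumes a logged-in oc session):
#   oc get events --namespace openshift-pipelines | missing_service_accounts

# Reads `oc get events` text on stdin.
# Prints one line per missing account: "<namespace>/<name> <event count>".
missing_service_accounts() {
    # Keep only Warning/FailedCreate rows (columns 2 and 3 of the table).
    awk '$2 == "Warning" && $3 == "FailedCreate"' |
        # Extract "<namespace>/<name>" from the admission error message.
        sed -n 's|.*error looking up service account \([^/ ]*\)/\([^: ]*\): serviceaccount "[^"]*" not found.*|\1/\2|p' |
        # Count events per account and print the account first.
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Sample input. The first event row is the one shown in the diagnostic steps;
# the second and third rows are constructed for this example.
sample_events() {
    cat <<'EOF'
LAST SEEN   TYPE      REASON             OBJECT                                      MESSAGE
148m        Warning   FailedCreate       job/pipelines-as-code-pr-cleanup-27547980   Error creating: pods "pipelines-as-code-pr-cleanup-27547980--1-" is forbidden: error looking up service account openshift-pipelines/pipeline: serviceaccount "pipeline" not found
88m         Warning   FailedCreate       job/pipelines-as-code-pr-cleanup-27548040   Error creating: pods "pipelines-as-code-pr-cleanup-27548040--1-" is forbidden: error looking up service account openshift-pipelines/pipeline: serviceaccount "pipeline" not found
12m         Normal    SuccessfulCreate   job/example-job                             Created pod: example-job--1-abcde
EOF
}

sample_events | missing_service_accounts
```

Once the service account, role and role binding are applied, new runs of the cleanup job should stop adding to this count.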
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.