The OpenShift Pipelines TektonConfig targetNamespace can cause other workloads to fail

Solution Verified - Updated -

Issue

  • Changing the targetNamespace in the TektonConfig from the default openshift-pipelines can cause other workloads to break if you use a shared namespace
  • The OpenShift Pipelines targetNamespace applies some Tekton specific annotations to the targetNamespace including an enforcing Pod Security Admission annotation security.kubernetes.io/enforce: restricted
  • Any pod that requires higher than the restricted SCC will fail to start with a PodSecurity violation
message: 'pods "advanced-pod-sww2z" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false
(container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "advanced", "kube-rbac-proxy" must set
securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "advanced", "kube-rbac-proxy" must set securityContext.seccompProfile.type to
"RuntimeDefault" or "Localhost")'

Environment

  • Red Hat OpenShift Container Platform 4.x
  • Red Hat OpenShift Pipelines Operator 1.9.1 and below

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content