Event listener failing to run in OKD

[dtrowbri7669]

Expected Behavior

The event listener deployment should create a pod to listen for webhooks.

Actual Behavior

The deployment fails to create a pod and has this error in the deployment status.
pods "el-listener-54cb5fd5c5-" is forbidden: unable to validate against
any security context constraint: [provider "anyuid": Forbidden: not
usable by user or serviceaccount, provider restricted-v2:
.containers[0].runAsUser: Invalid value: 65532: must be in the ranges:
[1000720000, 1000729999], provider "restricted": Forbidden: not usable
by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable
by user or serviceaccount, provider "nonroot": Forbidden: not usable by
user or serviceaccount, provider "hostmount-anyuid": Forbidden: not
usable by user or serviceaccount, provider
"machine-api-termination-handler": Forbidden: not usable by user or
serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user
or serviceaccount, provider "hostnetwork": Forbidden: not usable by user
or serviceaccount, provider "hostaccess": Forbidden: not usable by user
or serviceaccount, provider "node-exporter": Forbidden: not usable by
user or serviceaccount, provider "privileged": Forbidden: not usable by
user or serviceaccount]

I have set the event listener to run under the service account "pipeline" and ran the following commands to set permissions on the pipeline sa.

• oc adm policy add-scc-to-user anyuid -z pipeline
• oc adm policy add-role-to-user tekton-triggers-eventlistener-roles -z pipeline
• oc adm policy add-cluster-role-to-user tekton-triggers-eventlistener-clusterroles -z pipeline

I have even tried adding the scc 'privileged' to the pipeline user and still got the same issue.
I have tried removing the 'runAsUser: 65532' from the event listener deployment, but that configuration line was regenerated after saving the configuration.

I had a similar issue with the tekton-pipelines and tekton-pipelines-trigger installs and they only started running after I removed the 'runAsUser: 65532' line from the code.

Additional Info

• Kubernetes version: v1.26.4-2868+a7ee68b55354d8-dirty
• Tekton Pipeline version: pipeline.tekton.dev/release: v0.49.0
• OKD version: 4.13.0-0.okd-2023-06-24-145750

[khrm]

Can you try running using operator? Select platform as openshift.

[dtrowbri7669]

I installed the Tekton pipelines in OKD follow the OpenShift instructions on https://tekton.dev/docs/triggers/install/ and https://tekton.dev/docs/pipelines/install/. Is there a different way to install these? It is not listed in the OKD Operator Hub.

[khrm]

@dtrowbri7669 Can you try using tektoncd#operator?