can not import some Tekton resources using the Tekton Dashboard

[chq3272991]

Expected behavior

Hello, I try to learn this, Import some Tekton resources using the Tekton Dashboard. There are two tasks and one pipeline.

Actual behaviour

But it is not work, and this is the message about import resources:

completionTime: '2023-04-03T08:18:20Z'
conditions:
  - lastTransitionTime: '2023-04-03T08:18:20Z'
    message: 'failed to create task run pod "import-resources-1680509900181-fetch-repo": pods "import-resources-1680509900181-fetch-repo-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "prepare", "place-scripts", "step-clone" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "prepare", "place-scripts", "step-clone" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "prepare", "place-scripts" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "prepare", "place-scripts", "step-clone" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"). Maybe invalid TaskSpec'
    reason: CouldntGetTask
    status: 'False'
    type: Succeeded
podName: ''
startTime: '2023-04-03T08:18:20Z'
taskSpec:
  params:
    - description: The URL of the git repository from which resources are to be imported
      name: repositoryURL
      type: string
....

this ui like this ,

Steps to reproduce the bug

1. Install Tekton Pipelines

kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

Install Tekton Triggers

kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
kubectl apply --filename \
https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml

Installing Tekton Dashboard on Kubernetes

kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/release-full.yaml

2. Import some Tekton resources using the Tekton Dashboard
   

Additional info

• Kubernetes version: v1.24.2

• Docker Desktop: 4.11.1 (84025)

• Tekton versions:

  Output of tkn version or

Pipeline version: v0.46.0
triggers.tekton.dev/release: v0.23.1
Dashboard version: v0.34.0

[chq3272991]

I set the target namespace to default，but failed

[AlanGreene]

Hi @chq3272991, thanks for reporting this. I'll update the tutorial with additional instructions and possibly also update the Dashboard to require fewer permissions to run the import PipelineRun.

In the meantime you can apply the following resources on the cluster and then you will be able to use the default namespace + default service account in the advanced configuration section.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-dashboard-tutorial
rules:
  - apiGroups:
      - tekton.dev
    resources:
      - tasks
      - taskruns
      - pipelines
      - pipelineruns
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-dashboard-tutorial
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-dashboard-tutorial
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default

[chq3272991]

@AlanGreene Thank you for your answer. According to your suggestion, it can already work normally