fix: add PodAdmissionFailed reason to avoid confusing failed status

[kinsolee]

Closes #5693
Signed-off-by: Jingzhao Li jzli@alauda.io

Changes

Currently CouldntGetTask is used as default case of describing reason of failed status which confuses users when unknown error occurs but the reason has nothing to do with getting task.
This PR fix this bug by replacing CouldntGetTask with PodCreationFailed as default error reason.
Reason PodAdmissionFailed is added to describing errors cause by validating pod addmission, including K8S PodSecurity and Openshift SCC.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs included if any changes are user facing
• Has Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: kinsolee / name: Kinso (0d90cf5)

[tekton-robot]

Hi @kinsolee. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[kinsolee]

/kind bug

[JeromeJu]

/ok-to-test

[JeromeJu]

Thanks for the PR, wondering if the messages would necessarily need to be the release notes since it is not indicating to be user-facing.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/reconciler/taskrun/taskrun.go	84.8%	84.9%	0.1

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [vdemeester]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/reconciler/taskrun/taskrun.go	84.9%	85.0%	0.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/reconciler/taskrun/taskrun.go	84.9%	85.0%	0.1

[kinsolee]

/release-note-none

[tekton-robot]

@kinsolee: you can only set the release note label to release-note-none if the release-note block in the PR body text is empty or "none".

In response to this:

/release-note-none

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/reconciler/taskrun/taskrun.go	84.9%	85.0%	0.1

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/reconciler/taskrun/taskrun.go	84.9%	85.0%	0.1

[kinsolee]

@bobcatfish @dibyom Can anyone give a lgtm so that I can merge this PR?

[chitrangpatel]

Using strings.Contains feels a little brittle since if the string content changes then it could break this logic. Is there a way to compare it better using errors.Is?

[kinsolee]

Actually, inside k8serrors.IsForbidden(err), errors.As has been used to convert err to StatusError.

In this case, StatusError.StatusReason is Forbidden, StatusError.Code is 403 and Status.Message shows the detail of error. The StatusError is from webhook as REST API server response which is the source of error.

Using strings.Contains seems to be a common way to identify error. As you can see, other funcs in this file such as isExceededResourceQuotaError, isTaskRunValidationFailed are also using strings.Contains.

LBNL, we can't find another field from StatusError to identify such similar error cases.

[chitrangpatel]

I see.

[chitrangpatel]

/lgtm