docs(install): document that default namespace is unsupported for pipelines on OpenShift (#3427)#3440
Conversation
…elines on OpenShift (tektoncd#3427) OpenShift permanently disables PSA label synchronization on the default namespace; the operator-installed pipeline ServiceAccount and RBAC still get created there, but PipelineRuns fail with permissionDenied because PSA enforces the restricted profile and the SCC-to-PSA sync never runs. User-created namespaces are not affected (cluster policy controller syncs SCC privileges into PSA labels there). Add a platform-notes section to docs/install.md spelling this out so installers don't reach for default and then hit cryptic permission failures. Issue tektoncd#3427 carries the full incident detail; the OpenShift docs already say 'Do not run workloads in or share access to default projects'. Signed-off-by: Matt Van Horn <mvanhorn@gmail.com>
tekton-robot
added
the
do-not-merge/release-note-label-needed
|
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
tekton-robot
added
the
size/S
|
/ok-to-test |
|
/release-note-none |
tekton-robot
added
release-note-none
mathur07
left a comment
mathur07
left a comment
There was a problem hiding this comment.
Minor concern with placement - the new section appears at the very end of the install doc, after custom registry configuration. Users might install, try to run pipelines by default, and only discover this limitation after reading the whole doc. Worth considering moving it higher, maybe right after the basic installation steps, so it's visible before users start experimenting.
Not a blocker, just means some folks might miss it until they hit the error.
|
Nevermind the doc seems to be not that big either. :) |
|
|
||
| On OpenShift, the `default` namespace is classified as a "highly privileged" system namespace. Pod Security Admission (PSA) label synchronization is permanently disabled there by the platform, so even though the operator correctly creates the `pipeline` ServiceAccount and RBAC bindings in `default`, PipelineRuns submitted to that namespace fail with `permissionDenied` errors: PSA enforces the `restricted` profile and the SCC-to-PSA label sync never runs. | ||
|
|
||
| User-created namespaces are not affected because the Cluster Policy Controller automatically syncs SCC privileges into PSA labels. The OpenShift documentation has the same guidance ([Do not run workloads in or share access to default projects](https://docs.openshift.com/container-platform/latest/welcome/index.html#about-namespaces)). |
There was a problem hiding this comment.
The hyperlink to docs is not redirecting the namespace page. Please check or add link to the blog - https://www.redhat.com/en/blog/openshift-runtime-security-best-practices
|
@mvanhorn Thank you for the PR. Minor NIT to verify the doc link. |
4 participants
Closes #3427.
Adds a "Platform notes" section to
docs/install.mdexplaining that thedefaultnamespace on OpenShift is unsupported for running pipelines, and pointing installers to dedicated namespaces. The operator silently creates thepipelineServiceAccount and RBAC indefault, but PipelineRuns then fail withpermissionDeniedbecause OpenShift permanently disables PSA label synchronization ondefaultand PSA enforces therestrictedprofile.This matches the OpenShift documentation guidance ("Do not run workloads in or share access to default projects") and the report in the linked downstream Jira (SRVKP-12017).
Change Type