
Comments (12)

schijioke-uche avatar schijioke-uche commented on July 20, 2024

Someone has the same issue at ticket#131 and there are 12 other people I know with the same issue - I think this issue is critical. Can this be resolved?

from ibm-garage-tekton-tasks.

schijioke-uche avatar schijioke-uche commented on July 20, 2024

There are issues with the v2.7.1 deploy task: permission denied. Can you please help fix it?
@triceam
@Hemankita
@seansund


triceam avatar triceam commented on July 20, 2024

@schijioke-uche What version of OpenShift? And does the user have admin or restricted access?


schijioke-uche avatar schijioke-uche commented on July 20, 2024

@triceam: v4.7.16, and the user has admin rights on the cluster.
In addition, here is the policy applied to the pipeline:

  • oc adm policy add-scc-to-user privileged -z pipeline
  • oc adm policy add-role-to-user edit -z pipeline

Thank you.


schijioke-uche avatar schijioke-uche commented on July 20, 2024

@triceam - any update?


triceam avatar triceam commented on July 20, 2024

@schijioke-uche We still have not been able to recreate it yet. A few of us are trying to reproduce it.


schijioke-uche avatar schijioke-uche commented on July 20, 2024

@lsteck : - any update about fixing this bug?


lsteck avatar lsteck commented on July 20, 2024

@schijioke-uche FYI @triceam @csantanapr

OK, I found root cause. GIT-CLONE step is running as root and DEPLOY step is running as devops.

I've found 2 ways to fix on 4.7. I need to test/verify these on 4.6, so until I can do that and push the fix, to get you going you can edit the ibm-deploy-<version> (example ibm-deploy-v2-6-13) task in your project namespace and do one of the following:

  1. Add sudo chown -R "$(whoami)" "${CHART_ROOT}" line above the cp -R "${CHART_ROOT}/${CHART_NAME}" "${CHART_ROOT}/${APP_NAME}" line that is failing
  2. Add

       securityContext:
         runAsUser: 10000

     to the git-clone step. For example, it should look like this:

  steps:
    - env:
        <lines omitted>
      image: quay.io/ibmgaragecloud/alpine-git
      name: git-clone
      securityContext:
        runAsUser: 10000
      resources: {}

FYI you will have to make the same change to ibm-helm-release-v2-6-13 task


lsteck avatar lsteck commented on July 20, 2024

After testing on OCP 4.6 I believe it is best to put the securityContext on BOTH steps in the deploy task (git-clone & deploy) and the helm-release task (git-clone & package-helm).

TL;DR

On OCP 4.6 it looks like a random UID is selected and both steps in the task are run as the same UID. That is why it currently works.

On OCP 4.7 the git-clone step is running as root and the deploy and package-helm steps are running as user devops, as defined in the image: quay.io/ibmgaragecloud/ibmcloud-dev

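A check for the condition described in the two comments above, as an added example that is not part of the thread or the project's code: it reads a Tekton Task in the JSON shape `oc get task <name> -o json` returns and reports steps that do not share one pinned, non-root UID. The function names and both sample Task dicts are constructed for illustration; only the task name, step names, image names and UID 10000 come from the thread.

```python
# Added example: lint a Tekton Task for the step UID mismatch described in this thread.
# BEFORE/AFTER are constructed samples, not the project's real task definitions.

def step_uids(task):
    """Map step name -> securityContext.runAsUser (None when the step pins no UID)."""
    return {
        step["name"]: (step.get("securityContext") or {}).get("runAsUser")
        for step in task["spec"]["steps"]
    }

def lint_task(task):
    """Return findings for steps that may not run as one shared non-root UID."""
    findings = []
    uids = step_uids(task)
    for name, uid in uids.items():
        if uid is None:
            # Unpinned: the effective UID is decided by the image or by the SCC in force.
            findings.append(f"{name}: runAsUser not set; UID comes from the image or the SCC")
        elif uid == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
    pinned = {uid for uid in uids.values() if uid is not None}
    if len(pinned) > 1:
        findings.append(f"steps pin different UIDs: {sorted(pinned)}")
    return findings

def make_task(security_context=None):
    """Build a constructed two-step Task; the same securityContext goes on both steps."""
    steps = [
        {"name": "git-clone", "image": "quay.io/ibmgaragecloud/alpine-git"},
        {"name": "deploy", "image": "quay.io/ibmgaragecloud/ibmcloud-dev"},
    ]
    if security_context is not None:
        for step in steps:
            step["securityContext"] = dict(security_context)
    return {"kind": "Task", "metadata": {"name": "ibm-deploy-v2-6-13"},
            "spec": {"steps": steps}}

BEFORE = make_task()                       # no step pins a UID
AFTER = make_task({"runAsUser": 10000})    # securityContext on BOTH steps

if __name__ == "__main__":
    for label, task in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_task(task) or "ok")
```
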

csantanapr avatar csantanapr commented on July 20, 2024

Wow 😯 Interesting find @lsteck

In OpenShift the default scc is to not run as root. Did you add privilege scc to the pipeline service account?


csantanapr avatar csantanapr commented on July 20, 2024

@lsteck
I proposed the following fix

Option 1:
Update any task that is trying to write in the directory /source so that it moves the files to a new directory at the top level of /source, like /source/helm/

The user id in container 2 has write permissions to /source but not to /source/$gitrepofolderhelm, so it should work.

If this doesn't work then I will have the git-clone task do a chmod -R on /source to give read and write access to anyone, so any following task can write files inside the git repo folder.


csantanapr avatar csantanapr commented on July 20, 2024

@schijioke-uche I fixed the issue. Can you verify the fix using the release https://github.com/IBM/ibm-garage-tekton-tasks/releases/tag/v2.7.2
