Missing permissions while tekton bundle resolver pulls from a private Google Artifact registry repository #7159
Comments
I have tried a few other versions of Tekton as well, like v0.49.0, v0.45.0, the current nightly and so on. I get the same error.

We are facing the exact same error while trying to reference both tasks and pipelines as bundles stored in our own private registry (Google Artifact Registry).

Task spec

Taskrun spec

Service account spec
@shruthipuranik thank you for reporting the issue, and apologies for the delay -- will try to find someone to look into this issue

@anton-livewyer there's a small issue with your taskrun specification, you haven't specified the

```yaml
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: remote-task-reference
spec:
  serviceAccountName: default
  taskRef:
    resolver: bundles
    params:
      - name: bundle
        value: us-central1-docker.pkg.dev/<project-name>/tekton-test/task:task
      - name: name
        value: demo-task
      - name: kind
        value: task
      - name: serviceAccount
        value: default
```
This commit fixes tektoncd#7159. The bundle resolver's service account doesn't have the permission to fetch the service account which contains the credentials to pull bundle, and the error is also omitted. This commit changes to use secret directly, without granting SA read permissions to resolver. Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com

Hi @shruthipuranik, thanks for reporting this bug! I have opened a PR to fix it. Unfortunately the service account approach doesn't work since the feature is implemented, and I believe the tests are also missing; the error is also omitted as you mentioned, so the root cause (the resolver doesn't have the permission to read ServiceAccount from the cluster) of your case is also hidden. We will change the bundle resolver to pass in a secret name instead of a service account name. So you don't need to create a SA and attach a secret to it. If you want a quick fix, you could grant SA read permission to the resolver.
to
and patch this yaml to your cluster. But this is not recommended due to security concerns. Will keep you updated about the fix PR as well.

Thank you. I'm gonna wait for this PR to be merged and be available in the latest tekton release. Do you have any estimate for how long it would take?

It will be this month: https://github.com/tektoncd/pipeline/milestone/74.
Hi @Yongxuanzhang, I tried out your temporary fix with patching the cluster role yaml. But I see the same error again. Any suggestions?
Oh sorry, I missed this comment. I wonder if you're able to install Tekton's latest main? The fix PR is merged.

Would this be part of the latest nightly/staging release? Or is it already merged to the latest official release? And instead of a service account in the params, do I pass the secret to make this work as follows?

It should be in the next official release. I wonder if you can install the latest main (clone the repo, and run

Yes, this example is correct, as long as artifact-registry is the name of the secret in your default namespace.
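The secret-based form that the fix PR introduces, written out here as an added example (it is not the spec posted in this thread). It assumes the bundle resolver's `secret` parameter from the Tekton docs, the `artifact-registry` secret name mentioned above, and placeholder values for the registry path, project and credentials:

```yaml
# Constructed example, not from the issue: a docker-registry Secret that the
# bundle resolver reads directly, so the resolver needs no RBAC grant to read
# ServiceAccounts (the root cause discussed above).
# Placeholder credentials; with a GCP service-account key file it would be created as:
#   kubectl create secret docker-registry artifact-registry \
#     --docker-server=us-west2-docker.pkg.dev \
#     --docker-username=_json_key \
#     --docker-password="$(cat key.json)"
apiVersion: v1
kind: Secret
metadata:
  name: artifact-registry
  namespace: default          # must match the TaskRun's namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded docker config, placeholder>
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: remote-task-reference
  namespace: default
spec:
  taskRef:
    resolver: bundles
    params:
      - name: bundle
        value: us-west2-docker.pkg.dev/<project-name>/tekton-test/task:task
      - name: name
        value: demo-task
      - name: kind
        value: task
      # 'secret' replaces the 'serviceAccount' param used in the failing spec;
      # the value is the Secret name, resolved in the TaskRun's own namespace.
      - name: secret
        value: artifact-registry
```

The Secret still grants only pull rights on the registry side; scope the underlying registry credential to the repository the bundles live in rather than a project-wide role.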
It would be

Tried this out with the nightly release and it's working!

Cool! I will close this issue, and if you have any suggestions feel free to reopen it.
Expected Behavior
The Tekton Pipelines bundle resolver pulls the image from Google Artifact Registry using the service account passed in the PipelineRun spec.
Actual Behavior
Error retrieving pipeline for pipelinerun default/: error requesting remote resource: error getting "bundleresolver" "default/bundles-b662ee4154232724d067bb82f6b25578": cannot retrieve the oci image: GET https://us-west2-docker.pkg.dev/v2/token?scope=repository%!A(MISSING)%!F(MISSING)%!F(MISSING)%!A(MISSING)pull&service=: DENIED: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects//locations/us-west2/repositories/" (or it may not exist)
Steps to Reproduce the Problem
This throws the error as follows:
Additional Info
Things I have tried out already:
pipeline/pkg/resolution/resolver/bundle/resolver.go
Line 97 in f5578a8
Please let me know if I'm missing anything