Pipeline tutorial: Service-Account is forbidden deployment

[JCzz]

From this tutorial:
https://github.com/tektoncd/pipeline/blob/master/docs/tutorial.md#pipeline

I can run tasks but when getting to pipelines I get Service Account forbidden, but I do have the service account, the ClusterRole and the ClusterRoleBinding setup - have you seen this?

kubectl -n default logs tutorial-pipeline-run-1-deploy-web-kjntq-pod-880449 -c step-run-kubectl
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "leeroy-web", Namespace: "default"
Object: &{map["apiVersion":"apps/v1" "kind":"Deployment" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "labels":map["app":"leeroy-web"] "name":"leeroy-web" "namespace":"default"] "spec":map["replicas":'\x01' "selector":map["matchLabels":map["app":"leeroy-web"]] "template":map["metadata":map["labels":map["app":"leeroy-web"]] "spec":map["containers":[map["image":"gcr.io/appsyouwear/leeroy-web" "name":"leeroy-web" "ports":[map["containerPort":'\u1f90']]]]]]]]}
from server for: "/workspace/source/examples/microservices/leeroy-web/kubernetes/deployment.yaml": deployments.apps "leeroy-web" is forbidden: User "system:serviceaccount:default:tutorial-service" cannot get resource "deployments" in API group "apps" in the namespace "default"

[bobcatfish]

Interesting! Thanks for reporting this @JCzz , it looks like the service account that the tutorial has you create contains docker credentials:

kubectl create secret docker-registry regcred \
                    --docker-server=<your-registry-server> \
                    --docker-username=<your-name> \
                    --docker-password=<your-pword> \
                    --docker-email=<your-email>

but doesn't have permission to interact with other resources in your cluster :(

The fix will probably be to give more permissions to the service account - for example tekton itself uses this service account which via this role binding is given these permissions. Your service account wont need as many of those, but it will need some access to deployments at least :(

This is a bug in that the tutorial is (probably?) broken (and also reveals that we need tests for the tutorial).

@JCzz what kind of kubernetes instance are you running this against? e.g. GKE, minikube, etc.

[JCzz]

Hi @bobcatfish

Thanks for your reply, I am on a GKE cluster.

[bobcatfish]

@afrittoli have you already started looking into this? if not i think i can take it on

[JCzz]

I got it to working elevating tutorial-service

[bobcatfish]

Looks like this was fixed in #2034 thanks again @itoutki !!