diff --git a/guides/kfp_tekton_install.md b/guides/kfp_tekton_install.md
index f43d29beaf..94d69c9810 100644
--- a/guides/kfp_tekton_install.md
+++ b/guides/kfp_tekton_install.md
@@ -26,7 +26,7 @@ A Kubernetes cluster `v1.23` that has least 8 vCPU and 16 GB memory.
 Depending on your situation, you can choose between the two approaches to set up the pipeline engine on Openshift:
 1. Using [OpenShift Pipelines](https://docs.openshift.com/container-platform/4.12/cicd/pipelines/installing-pipelines.html) (built on Tekton), follow the [Standalone Kubeflow Pipelines with Openshift Pipelines Backend Deployment](#standalone-kubeflow-pipelines-with-openshift-pipelines-backend-deployment)
- 2. Using [Tekton on Openshift](https://github.com/tektoncd/pipeline/blob/v0.44.2/docs/install.md#installing-tekton-pipelines-on-openshift), follow the [Standalone Kubeflow Pipelines with Tekton Backend Deployment](#standalone-kubeflow-pipelines-with-tekton-backend-deployment) to install the Kubeflow Pipeline Stack.
+ 2. Using [Tekton on Openshift](https://github.com/tektoncd/pipeline/blob/v0.44.2/docs/install.md#installing-tekton-pipelines-on-openshift), follow the [Standalone Kubeflow Pipelines with Tekton Backend Deployment](#standalone-kubeflow-pipelines-with-tekton-backend-deployment) to install the Kubeflow Pipeline Stack. Note the current Tekton Open Source deployment for [Openshift doesn't work out of the box](https://github.com/tektoncd/pipeline/issues/3452), so we strongly recommend to deploy with Opneshift Pipelines (see above) if you want to run Kubeflow Pipelines on Openshift.
 ### Other Cloud Providers or On-Prem Kubernetes Deployment
@@ -83,7 +83,8 @@ To install the standalone Kubeflow Pipelines with Tekton, run the following step
 7. (OpenShift only) If you are running the standalone KFP-Tekton on OpenShift, apply the necessary security context constraint below
 ```shell
- oc apply -k manifests/kustomize/third-party/openshift/standalone
+ curl -L https://raw.githubusercontent.com/kubeflow/kfp-tekton/master/install/v1.7.0/kfp-tekton.yaml | yq 'del(.spec.template.spec.containers[].securityContext.runAsUser, .spec.template.spec.containers[].securityContext.runAsGroup)' | oc apply -f -
+ oc apply -k https://github.com/kubeflow/kfp-tekton//manifests/kustomize/third-party/openshift/standalone
 oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller
 oc adm policy add-scc-to-user anyuid -z tekton-pipelines-webhook
 ```
diff --git a/install/v1.6.5/kfp-tekton.yaml b/install/v1.6.5/kfp-tekton.yaml
index 72d7a204c6..365c335d31 100644
--- a/install/v1.6.5/kfp-tekton.yaml
+++ b/install/v1.6.5/kfp-tekton.yaml
@@ -3107,7 +3107,9 @@ spec:
 capabilities:
 drop:
 - ALL
+ runAsGroup: 65532
 runAsNonRoot: true
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: tekton-pipelineloop-controller
@@ -3179,7 +3181,9 @@ spec:
 capabilities:
 drop:
 - ALL
+ runAsGroup: 65532
 runAsNonRoot: true
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: tekton-pipelineloop-webhook
diff --git a/install/v1.6.6/kfp-tekton.yaml b/install/v1.6.6/kfp-tekton.yaml
index c69678bb4c..887e70ab2c 100644
--- a/install/v1.6.6/kfp-tekton.yaml
+++ b/install/v1.6.6/kfp-tekton.yaml
@@ -3107,7 +3107,9 @@ spec:
 capabilities:
 drop:
 - ALL
+ runAsGroup: 65532
 runAsNonRoot: true
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: tekton-pipelineloop-controller
@@ -3179,7 +3181,9 @@ spec:
 capabilities:
 drop:
 - ALL
+ runAsGroup: 65532
 runAsNonRoot: true
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: tekton-pipelineloop-webhook
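Review bot: The hunks under install/v1.6.5/ and install/v1.6.6/ rewrite manifests that live in already-released version directories, so anyone applying `install/v1.6.5/kfp-tekton.yaml` by that path after this lands gets a container securityContext (`runAsGroup: 65532`, `runAsUser: 65532`) that the v1.6.5 release did not ship with; the same applies to the v1.6.6 hunks. These files look like rendered release bundles, in which case the change belongs in a new patch version rather than an in-place edit of a published one — if they are instead meant to be living copies, a comment at the top of the file saying so would stop a reader from treating them as immutable. The UID/GID is also pinned at the container level only, so a sidecar or init container added later would not inherit it; the pod-level `securityContext` is the more durable place if that is the intent, though that is an inference from the visible lines. The enclosing `spec:` block starts outside the hunk.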
diff --git a/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml b/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml
index 9fd29fff0a..ac7357d674 100644
--- a/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml
+++ b/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml
@@ -5,3 +5,17 @@ resources:
 - ../tekton-custom-task
 namespace: openshift-pipelines
+
+patches:
+- path: pipelineloop-controller-patch.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: tekton-pipelineloop-controller
+ version: v1
+- path: pipelineloop-webhook-patch.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: tekton-pipelineloop-webhook
+ version: v1
diff --git a/manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-controller-patch.yaml b/manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-controller-patch.yaml
new file mode 100644
index 0000000000..c76d6c394f
--- /dev/null
+++ b/manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-controller-patch.yaml
@@ -0,0 +1,4 @@
+- op: remove
+ path: /spec/template/spec/containers/0/securityContext/runAsGroup
+- op: remove
+ path: /spec/template/spec/containers/0/securityContext/runAsUser
diff --git a/manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-webhook-patch.yaml b/manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-webhook-patch.yaml
new file mode 100644
index 0000000000..c76d6c394f
--- /dev/null
+++ b/manifests/kustomize/third-party/openshift-pipelines-custom-task/pipelineloop-webhook-patch.yaml
@@ -0,0 +1,4 @@
+- op: remove
+ path: /spec/template/spec/containers/0/securityContext/runAsGroup
+- op: remove
+ path: /spec/template/spec/containers/0/securityContext/runAsUser
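Review bot: The two JSON6902 patches registered under `patches:` use `op: remove`, which makes `kustomize build` fail outright when `/spec/template/spec/containers/0/securityContext/runAsUser` or `runAsGroup` is absent, so this overlay now hard-depends on the `../tekton-custom-task` base setting both keys on container 0 and nothing says so. A comment above `patches:` would carry the intent and the coupling, e.g. `# OpenShift assigns the pod UID/GID from the project's SCC range, so the fixed runAsUser/runAsGroup set by the tekton-custom-task base are stripped here.` followed by `# These remove ops fail the build if the base stops setting them.` The two patch files are byte-identical (both are blob c76d6c394f), so a single shared file referenced by both `path:` entries would keep them from drifting apart. `runAsNonRoot: true` is left in place, which is presumably what still keeps the pods non-root once the explicit UID is gone — worth confirming against the SCC actually bound to these service accounts.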
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
index 008311b605..88c8ac4c36 100644
--- a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
@@ -59,6 +59,8 @@ spec:
 capabilities:
 drop:
 - ALL
+ runAsGroup: 65532
 runAsNonRoot: true
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
index ef8ab3ce39..4be6abd6cd 100644
--- a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
@@ -69,7 +69,9 @@ spec:
 capabilities:
 drop:
 - ALL
+ runAsGroup: 65532
 runAsNonRoot: true
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
 ---
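Review bot: `runAsUser: 65532` and `runAsGroup: 65532` are added to 500-controller.yaml without a note on where the number comes from, and the 500-webhook.yaml hunk below has the same gap. A reader has to guess that it matches the image's non-root user (65532 is conventionally the distroless `nonroot` UID, but the image reference is not in the hunk, so that is an assumption to confirm) and that the openshift-pipelines-custom-task overlay removes both keys again because OpenShift's SCC assigns the UID itself. A comment beside the added lines would hold both facts, e.g. `# 65532 = non-root user of the controller image; the openshift-pipelines-custom-task overlay strips runAsUser/runAsGroup so the SCC can assign the UID`. If the image does not actually run as 65532, pinning it here changes which files the process can read and write inside the container, so the image's USER directive is worth checking before merge. The enclosing `securityContext:` and `spec:` blocks start outside the hunk.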