
Unable to use parameters for setting runAsUser and runAsGroup in securityContext #7201

Open
BugsBuggy opened this issue Oct 11, 2023 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@BugsBuggy

Hello Tekton community! While trying to make the runAsUser and runAsGroup fields in the securityContext dynamic by referencing parameters in a PipelineRun and TaskRun, an error occurs during admission:

An error occurred admission webhook "webhook.pipeline.tekton.dev" denied the request: mutation failed: cannot decode incoming new object: json: cannot unmarshal string into Go struct field PodSecurityContext.spec.podTemplate.securityContext.runAsGroup of type int64

This seems to indicate that the securityContext parameters expect integer values directly and cannot accept string parameters.

Here are examples for Task & TaskRun that demonstrate the issue:

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: task-with-uid-gid
spec:
  params:
  - name: uid
    description: User ID for running the task
    default: "1000"
  - name: gid
    description: Group ID for running the task
    default: "1000"
  steps:
  - name: example-step
    image: ubuntu
    script: |
      echo "Running as UID: $(id -u) and GID: $(id -g)"
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: task-run-custom-security-context
spec:
  params:
  - name: uid
    value: 12345 # "12345" both don't work
  - name: gid
    value: 12345 # "12345" both don't work
  taskRef:
    name: task-with-uid-gid
  podTemplate:
    securityContext:
      runAsUser: $(params.uid)
      runAsGroup: $(params.gid)

Is there a known workaround or alternative solution for this?
Is this behavior expected or is it addressed in future versions of Tekton?

@vdemeester vdemeester added kind/bug Categorizes issue or PR as related to a bug. kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Oct 11, 2023
@vdemeester (Member)

As of today, there is no workaround to make runAsUser and runAsGroup "parametrizable". This is a known limitation of our approach today: parameters are strings, and they can't be "interpolated" into anything that isn't a string. And runAsUser/runAsGroup are integers…

We however need to fix that, as this is a valid use case and seems to come up more and more. This is very similar to #4080 (but with different "types"), and in general to the fact that our substitution behavior only works on a set of pre-defined fields — where we could make it way more generic.

@BugsBuggy (Author)

Thank you, the issue you mentioned is indeed very helpful. I really hope that you'll provide a generic solution with different "types".

@lhmoraes commented Oct 11, 2023

Hello Tekton, I'm trying to use podTemplate and serviceAccountName in the same PipelineRun script (tekton.dev/v1) and I'm getting

Error from server (BadRequest): error when creating "runPipeline.yaml": admission webhook "webhook.pipeline.tekton.dev" denied the request: mutation failed: cannot decode incoming new object: json: unknown field "podTemplate"

It's because podTemplate is not supported in tekton.dev/v1 yet, do we have any workaround for that? Thx

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: pipeline-parla-
spec:

  pipelineRef:
    name: pipeline-parla

  podTemplate:
    securityContext:
      runAsUser: 1000
      runAsGroup: 2000

  taskRunTemplate:
    serviceAccountName: service-account-kubectl
  taskRunSpecs:
    - pipelineTaskName: task-deploy-app
      serviceAccountName: service-account-git-credentials
    - pipelineTaskName: task-git-source
      serviceAccountName: service-account-git-credentials
    - pipelineTaskName: task-build-packs
      serviceAccountName: service-account-buildpacks

...
...

@vdemeester (Member) commented Oct 12, 2023

@lhmoraes this seems like a completely different issue, so you should probably have created an issue for this instead of commenting here 🙃. But to answer, as documented here, for v1 there is no podTemplate under the spec.

spec:
  pipelineRef:
    name: mypipeline
  taskRunTemplate:
    podTemplate:
      # […]
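As an added example (not code from this issue or from Tekton itself), a small pre-submit lint that catches both rejections discussed in this thread before a manifest reaches the admission webhook: a `$(params.X)` reference in the int64 `runAsUser`/`runAsGroup` fields, and `spec.podTemplate` on a `tekton.dev/v1` PipelineRun. The manifests are embedded as constructed dicts (the shape `yaml.safe_load` returns) so it runs offline; `lint_run` is the example's own name.

```python
import re

# Fields the webhook decodes as int64 (from the unmarshal error in this issue).
INT64_FIELDS = {"runAsUser", "runAsGroup"}
PARAM_REF = re.compile(r"\$\(params\.[^)]+\)")


def lint_run(manifest: dict) -> list:
    """Return findings the Tekton admission webhook would reject this
    TaskRun/PipelineRun for: a $(params.X) in an int64 securityContext field,
    or spec.podTemplate on a tekton.dev/v1 PipelineRun."""
    findings = []
    spec = manifest.get("spec", {})
    if (manifest.get("kind") == "PipelineRun"
            and manifest.get("apiVersion") == "tekton.dev/v1"
            and "podTemplate" in spec):
        findings.append("spec.podTemplate: not a v1 field, use spec.taskRunTemplate.podTemplate")

    def walk(node, path):  # depth-first over dicts/lists, tracking the YAML path
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}")
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")
        elif isinstance(node, str) and PARAM_REF.search(node):
            if path.rsplit(".", 1)[-1] in INT64_FIELDS:
                findings.append(f"{path}: $(params.*) in int64 field cannot be substituted")

    walk(spec, "spec")
    return findings


# Constructed sample: the TaskRun from the issue, as the dict yaml.safe_load
# would produce (PyYAML deliberately not imported so this runs offline).
TASKRUN_WITH_PARAM_UID = {
    "apiVersion": "tekton.dev/v1beta1", "kind": "TaskRun",
    "spec": {
        "params": [{"name": "uid", "value": "12345"}, {"name": "gid", "value": "12345"}],
        "taskRef": {"name": "task-with-uid-gid"},
        "podTemplate": {"securityContext": {"runAsUser": "$(params.uid)",
                                            "runAsGroup": "$(params.gid)"}},
    },
}

# Constructed sample: v1 PipelineRun with podTemplate at spec level (rejected).
V1_PIPELINERUN_BAD = {
    "apiVersion": "tekton.dev/v1", "kind": "PipelineRun",
    "spec": {"pipelineRef": {"name": "pipeline-parla"},
             "podTemplate": {"securityContext": {"runAsUser": 1000, "runAsGroup": 2000}}},
}
```

Moving the same podTemplate under spec.taskRunTemplate, or giving runAsUser a literal integer instead of a parameter reference, yields an empty findings list.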
