Tekton Dashboard read-only install issue #1355
Comments
|
How are you installing the dashboard? This looks very similar to the breaking change mentioned in #1327 but that's not included in a release yet so should only be encountered on master or using a nightly build:
In this case the deployment would need to be deleted before applying the new version. You mentioned dashboard v0.6.1 in the description.
|
|
@AlanGreene , I installed Tekton Dashboard by following the steps in the link -https://github.com/tektoncd/dashboard |
|
From the error in the issue description it looks like you had either a nightly build or a local build from master installed at some point which contains the change from #1327. As I mentioned above this introduces a breaking change. These labels are not present in any released dashboard version. To resolve this error please delete the dashboard deployment and you should then be able to re-install the 0.6.1 release.
|
|
@AlanGreene , So, if an admin user (who only have access to tekton pipeline namespace) can only install the dashboard, can non-admin user use it? If so, could you provide details on how the non-admin user can access the dashboard? Can we have the dashboard running forever (may be similar to a service)? More details would be helpful. Thanks! |
|
Did deleting the deployment and re-installing resolve your issue? For your other questions:
Yes. There are a number of ways users can access the dashboard, which one you use depends on your specific requirements. See the README for details of accessing it via You may also choose to expose the dashboard via a route or ingress, see https://github.com/tektoncd/dashboard/#optionally-set-up-the-ingress-endpoint for an example of one approach to doing this.
Yes this is how it works by default. Installing the dashboard creates a deployment that will ensure the dashboard pod remains running as long as you wish. |
|
@AlanGreene , Thanks Much! Since, other users were using the pipeline, I didn't do any reinstall yet. Slated for the weekend work. Will let you know. |
|
@AlanGreene - Below are my test results. Could you please let me know what I'm missing.
My questions are
All I'm trying to do is get a non-admin user to launch the dashboard and use it in his/her own namespace. Thanks! |
|
Are you trying to install from The behavior you're experiencing was introduced here: #1327 Upgrading an already deployed release will not work, you will need to delete the |
|
If the non-admin users cannot access the tekton-pipelines namespace you would need to expose it via ingress instead as they won't be able to use the proxy or port-forward methods. Bear in mind that if you're installing the dashboard in read-write mode (default), any user who can access the dashboard can perform actions with the same permissions as the ServiceAccount used by the dashboard. This means they could potentially be able to create PipelineRuns, pods, and other resources in other namespaces. How you configure and expose the ingress will depend on your environment. See #1018 for discussions about installing a namespace-scoped dashboard. This is something we're currently considering adding and may be of interest for your use case. @eddycharly the issue related to #1327 was addressed above and already resolved. Thanks |
|
@AlanGreene - Sorry. Revisiting this issue again. Regarding your below note on read-write mode, if I install in read-only mode as admin user and configure ingress, can all non-admin users access Dashboard in read-only mode?
I really need namespace-scoped dashboards as this is what meet our needs. Could you please let me know when this would be available? |
Right, read-only vs read-write is an install choice not depending on the user accessing the dashboard. Same for all.
This is currently being worked on here #1371. This needs review and testing but most of the things have been implemented. |
|
@eddycharly - Thanks! Even if I install in read-only mode (which needs admin user to install) ,still the non-admin user need to have access to the 'tekton-pipeline' namespace to view the Tekton dashboard. Could you please confirm? Is there any way to grant 'read-only' access to a namespace ? If so, for time-being, I can grant read-only access to the 'tekton-pipeline' namespace so they can view their pipelines. I tested reinstalling Tekton Dashboard in read-only mode.
|
Not sure about your setup, you should have an ingress to allow incoming traffic to the dashboard. Are you talking about
What are you trying to do exactly ? |
|
@eddycharly , This is what I'm trying to do. `Optionally set up the Ingress endpoint Create the Ingress: kubectl apply ingress/basic-dashboard-ingress.yaml Retrieve a publicly available IP address (in this case running on a laptop connected to a public network): ip=$(ifconfig | grep netmask | sed -n 2p | cut -d ' ' -f2) |
|
The idea here is that you configure an
Once the ingress/ingress controller is ok, you will need a dns record to point to your ingress controller, this is where the link you're trying to follow suggests using nip.io.
Nope, when all this is setup correctly the dashboard will work like any other website, using regular http requests. To summarize, things will work like this:
There are a lot of things going on here and there is no single solution, it will depend on your infrastructure for some parts. How is your cluster built ? |
|
@eddycharly - Sorry for delayed reply. Cluster is on Linux VM and I'm accessing the cluster from my machine using kubectl. I'll retry again and get back on this. Thanks for all your help. |
|
Ok, don't hesitate if you need more help. I will try to make another doc, potentially using helm so that it is simpler to get something up and running. |
|
@eddycharly - Sorry.I meant using kubectl commands to deploy to Kubernetes (my pipelines). Looking forward to your documentation. For now, will retest and get back. Thanks! |
|
Closing as there doesn't appear to be any additional action required for the Dashboard. Let me know if I'm mistaken. |
Expected behavior
As an admin user, installation of Tekton Pipeline and Tekton Dashboard read-only in Kubernetes must be successful and non-admin users must be able to launch and view their Pipelines in Tekton Dashboard.
Actual behavior
As an admin user, installing Tekton Dashboard read-only (and the plain yaml as well) in Kubernetes resulted in an error.
Steps to reproduce the pro
kubectl apply -f tekton-dashboard-readonly.yaml customresourcedefinition.apiextensions.k8s.io/extensions.dashboard.tekton.dev unchanged serviceaccount/tekton-dashboard unchanged clusterrole.rbac.authorization.k8s.io/tekton-dashboard-minimal unchanged clusterrolebinding.rbac.authorization.k8s.io/tekton-dashboard-minimal unchanged service/tekton-dashboard unchanged The Deployment "tekton-dashboard" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/component":"dashboard", "app.kubernetes.io/instance":"default", "app.kubernetes.io/name":"dashboard", "app.kubernetes.io/part-of":"tekton-dashboard"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutableEnvironment
Kubernetes Platform:
0.16.x
Tekton Pipelines version:
0.11.x
Tekton Triggers version:
Didn't install it
Tekton Dashboard version:
0.6.1
Additional Info
Tried installing as non-admin user and got many errors.
Questions:
It would be good to include more details in the documentation. Any details to resolve the above would be very helpful. Thanks!
The text was updated successfully, but these errors were encountered: