@vdemeester
Member

Changes

This PR adds ServiceAccount inheritance to Affinity Assistant pods, resolving OpenShift SCC permission failures.

Changes:

  • Added ServiceAccountName field to AffinityAssistantTemplate API
  • Implemented 3-tier priority for ServiceAccount configuration:
    1. Explicit override from AffinityAssistantTemplate
    2. Inherit from PipelineRun's TaskRunTemplate (default)
    3. Empty string (Kubernetes defaults to "default")
  • Updated affinity assistant StatefulSet creation to set ServiceAccountName
  • Added comprehensive tests (5 test functions, 234 lines)
  • Updated documentation in docs/affinityassistants.md and docs/pipelineruns.md

Motivation:
In OpenShift environments, pods are restricted by Security Context Constraints (SCC) based on their ServiceAccount. Previously, affinity assistant pods always used the namespace's "default" ServiceAccount, which often lacks required SCC permissions. This caused PipelineRuns with workspace coscheduling to fail in OpenShift.

By inheriting the PipelineRun's ServiceAccount by default, affinity assistants now automatically get appropriate permissions, making the feature work out of the box in security-restricted environments.

Submitter Checklist

  • Has Docs if any changes are user facing, including updates to minimum requirements
  • Has Tests included if any functionality added or changed
  • pre-commit Passed
  • Follows the commit message standard
  • Meets the Tekton contributor standards
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>
  • Release notes block below has been updated with any user facing changes

Release Notes

Affinity Assistant pods now inherit the serviceAccountName from PipelineRun's taskRunTemplate by default, ensuring proper permissions in security-restricted environments like OpenShift with Security Context Constraints (SCC). This can be overridden via the AffinityAssistantTemplate if needed.
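
Added example, not code from this PR or the Tekton project: a Go sketch of the 3-tier ServiceAccount resolution described above, applied to the assistant's pod spec, plus a check for the pre-PR failure mode (assistant falling back to the namespace "default" account). The type and function names are assumed stand-ins, not Tekton's real API.

```go
package main

import "fmt"

// Assumed minimal stand-ins for the Tekton types the PR touches; not the
// project's real API types.
type (
	AffinityAssistantTemplate struct{ ServiceAccountName string } // tier 1: explicit override
	TaskRunTemplate           struct{ ServiceAccountName string } // tier 2: PipelineRun-wide default
	PodSpec                   struct{ ServiceAccountName string } // what the StatefulSet pod template carries
)

// ResolveAssistantServiceAccount applies the PR's 3-tier priority:
// template override, then the PipelineRun's taskRunTemplate, then "".
func ResolveAssistantServiceAccount(tmpl *AffinityAssistantTemplate, trt *TaskRunTemplate) string {
	if tmpl != nil && tmpl.ServiceAccountName != "" {
		return tmpl.ServiceAccountName
	}
	if trt != nil && trt.ServiceAccountName != "" {
		return trt.ServiceAccountName
	}
	return "" // tier 3: Kubernetes substitutes the namespace "default" SA
}

// EffectiveServiceAccount is the identity an SCC admission check will see.
func EffectiveServiceAccount(podSA string) string {
	if podSA == "" {
		return "default"
	}
	return podSA
}

// BuildAssistantPodSpec is where StatefulSet creation sets the field.
func BuildAssistantPodSpec(tmpl *AffinityAssistantTemplate, trt *TaskRunTemplate) PodSpec {
	return PodSpec{ServiceAccountName: ResolveAssistantServiceAccount(tmpl, trt)}
}

// UsesNamespaceDefault flags the pre-PR condition that tripped SCC checks.
func UsesNamespaceDefault(spec PodSpec) bool {
	return EffectiveServiceAccount(spec.ServiceAccountName) == "default"
}

func main() {
	spec := BuildAssistantPodSpec(nil, &TaskRunTemplate{ServiceAccountName: "pipeline"})
	fmt.Println(EffectiveServiceAccount(spec.ServiceAccountName)) // pipeline
}
```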

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Dec 18, 2025
@tekton-robot
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from vdemeester after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vdemeester
Member Author

/kind feature

@tekton-robot tekton-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. labels Dec 18, 2025
- Resolve OpenShift SCC permission failures for affinity pods
- Inherit PipelineRun ServiceAccount by default for proper permissions
- Support explicit override via AffinityAssistantTemplate

Signed-off-by: Vincent Demeester <[email protected]>
@vdemeester vdemeester force-pushed the fix-srvkp-7327-affinity-assistant-sa branch from 3e7772a to 7c05a08 Compare December 22, 2025 15:27