On OpenShift, the default namespace is classified as a "highly privileged" system namespace. Pod Security Admission (PSA) label synchronization is permanently disabled on it by the platform.
This means that even though the operator correctly creates the pipeline ServiceAccount and RBAC bindings in the default namespace, PipelineRuns will fail with permissionDenied errors because PSA enforces the restricted profile and the SCC-to-PSA label sync never runs there.
Custom/user-created namespaces work fine because the Cluster Policy Controller automatically syncs SCC privileges into PSA labels.
OpenShift docs explicitly state: "Do not run workloads in or share access to default projects."
Request: Add documentation (e.g. in the OpenShift platform docs or a troubleshooting guide) noting that the default namespace is not supported for running pipelines, and users should use dedicated namespaces.
Related downstream Jira: https://redhat.atlassian.net/browse/SRVKP-12017