Deploying image to Knative service using knctl/kubectl in tekton pipeline

There is no one way you could approach deploying a Knative Service with Tekton, but a couple key things to consider are as follows. These instructions assume proper installation of both Tekton/Knative Serving on a Kubernetes cluster.

ServiceAccount permissions to create a Knative Service

Tekton allows the use of Kubernetes ServiceAccounts to assign permissions (e.g. creating a Knative service) so that a TaskRun or PipelineRun (i.e. the execution of a Tekton CI/CD process) is able to create and update certain resources. In this case, the creation of a Knative Service.

In order to create a ServiceAccount with permissions to create and update a Knative Service, you would need to create a role that is similar to what is shown below:

kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:  name: create-knative-service  namespace: defaultrules:  # Create and update Knative Service  - apiGroups: ["serving.knative.dev"]    resources: ["services"]    verbs: ["get", "create", "update"]

The Role above allows for the creation and updating of Knative Services.

The Role can be associated with a ServiceAccount via a RoleBinding, which assumes the creation of a ServiceAccount:

---kind: ServiceAccountapiVersion: v1metadata:  name: tekton-sa  namespace: default---kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:  name: create-knative-service-bindingsubjects:  - kind: ServiceAccount    name: tekton-sa    namespace: defaultroleRef:  apiGroup: rbac.authorization.k8s.io  kind: Role  name: create-knative-service

Once the Role, RoleBinding, and ServiceAccount are available, you can use this ServiceAccount during a TaskRun or PipelineRun depending on how you are deploying a Knative Service. The ServiceAccount to use can be specified via the ServiceAccountName property of a TaskRun or PipelineRun.

If you are using the Tekton cli (tkn), you can use -s flag to specify what ServiceAccount to use when starting a PipelineRun or TaskRun:

tkn pipeline start knative-service-deploy -s tekton-sa 

NOTE: The Role and RoleBinding examples are for a specific case that only allows deployment of the Knative Service to the same namespace where the TaskRun/PipelineRun is executing.

What step image to use to deploy the Knative Service

To deploy the Knative Service via a TaskRun or PipelineRun, you will need to create a Task with a Step that deploys the Knative Service. There is no one tool that you could use in this case as you mention as far as using kubectl, kn, or any other tool to deploy to Kubernetes.

The important things for Tekton to know is the Task definition, the image used by the Step, and the command to run to deploy the Knative Service. An example using kn is shown below:

apiVersion: tekton.dev/v1beta1kind: Taskmetadata:  name: deploy-knative-servicespec:  # Step to create Knative Service from built image using kn. Replaces service if it already exists.  steps:     - name: kn      image: "gcr.io/knative-releases/knative.dev/client/cmd/kn:latest"      command: ["/ko-app/kn"]      args: ["service",         "create", "knative-service",         "--image", "gcr.io/knative-samples/helloworld-go:latest",         "--force"]

In the example above, a Task is defined with one Step called kn. The Step uses the official kn image; specifies to run the kn root command; and then passes arguments to the kn command to create a Knative Service named knative-service, use an image for the Knative Service named gcr.io/knative-samples/helloworld-go, and the --force flag that updates the Knative Service if it already exists.

EDIT: Adding kubectl Example

The question asks about using kubectl, so I am adding in an example of using kubectl in a Tekton Task to deploy a Knative Service from a YAML file:

apiVersion: tekton.dev/v1beta1kind: Taskmetadata:  name: deploy-knative-servicespec:  # Step to create Knative Service from YAML file using kubectl.  steps:    - name: kubectl      image: "bitnami/kubectl"      command: ["kubectl"]      args: ["apply", "-f", "https://raw.githubusercontent.com/danielhelfand/lab-knative-serving/master/knative/service.yaml"]

Summary

There is no exact way to answer this question, but hopefully the examples and main points help with considerations around permissions for a PipelineRun or TaskRun as well as how to use certain tools with Tekton.

I wanted to add that a "quick start" way to get knative service created in a Pipeline is to apply the existing kn Catalog task https://github.com/tektoncd/catalog/tree/master/task/kn/0.1 to your cluster, and then fashion a TaskRun/PipelineRun to run create with the options you require.https://github.com/knative/client/blob/master/docs/cmd/kn_service_create.md

apiVersion: tekton.dev/v1beta1kind: TaskRunmetadata:  generateName: kn-create-spec:  serviceAccountName: kn-account  taskRef:    name: kn  params:  - name: ARGS    value:    - "service"    - "create"    - "something"    - "--image=something"...

The same could be said of kubectl, using that Catalog Task.