Tekton PipelineRun Debugging: Find and Fix Failures (2026)

A PipelineRun in Tekton failed because a TaskRun within it didn’t complete successfully, and the system couldn’t proceed to the next stage.

This usually means the TaskRun itself encountered an error in one of its steps, or a prerequisite Task or PipelineResource wasn’t available.

Common Causes and Fixes:

1. Step Failure within a Task:

   • Diagnosis: Check the logs for the TaskRun that failed. The error message will be in the output of one of the steps defined in the Task.

     kubectl logs <failed-taskrun-name> -c <step-container-name> -n tekton-results
     

     Look for non-zero exit codes in the step output.
   • Fix: Modify the Task definition to correct the command or script that failed. For example, if a kubectl apply command failed due to an invalid resource, fix the YAML in your Git repository and update the Task to point to the corrected source.

     # Example: Correcting a Docker build command
     steps:
     - name: build-image
       image: gcr.io/cloud-builders/docker
       script: |
         #!/usr/bin/env bash
         docker build -t my-repo/my-image:latest .
         # Ensure the tag is valid and the registry is accessible.
     

   • Why it works: Tekton executes the steps as containers. If a container exits with a non-zero status, the TaskRun fails. Fixing the underlying command or script resolves the exit code.

2. Missing or Incorrect PipelineResource:

   • Diagnosis: If your Task depends on PipelineResources (like Git repositories or container images), ensure they are correctly defined and accessible. Check the TaskRun events for errors related to fetching resources.

     kubectl describe taskrun <failed-taskrun-name> -n tekton-results
     

     Look for messages like "failed to clone repository" or "image not found."
   • Fix: Verify the url or image fields in your PipelineResource definition are correct, and that the service account used by Tekton has permissions to access private repositories or registries.

     # Example: Correcting a GitPipelineResource
     apiVersion: tekton.dev/v1alpha1
     kind: PipelineResource
     metadata:
       name: my-git-repo
     spec:
       type: git
       params:
         - name: url
           value: "https://github.com/my-org/my-project.git" # Corrected URL
         - name: revision
           value: "main"
     

   • Why it works: PipelineResources are how Tekton fetches external dependencies. If these are misconfigured, the Task cannot get the necessary input, leading to failure.

3. Service Account Permissions:

   • Diagnosis: If your Task steps need to interact with Kubernetes resources (e.g., kubectl apply, kubectl get), the ServiceAccount associated with the TaskRun might lack the necessary RBAC permissions. Check the TaskRun logs for "permission denied" or "forbidden" errors.

     kubectl logs <failed-taskrun-name> -c <step-container-name> -n tekton-results
     

   • Fix: Grant the required permissions to the ServiceAccount used by the TaskRun via Role and RoleBinding (or ClusterRole and ClusterRoleBinding).

     # Example: Granting 'create' permission on 'deployments'
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: tekton-pipeline-deploy-binding
       namespace: tekton-results
     subjects:
       - kind: ServiceAccount
         name: default # The ServiceAccount your TaskRun uses
         namespace: tekton-results
     roleRef:
       kind: Role
       name: deployment-manager # A Role that grants 'create' on 'deployments'
       apiGroup: rbac.authorization.k8s.io
     

   • Why it works: Kubernetes enforces access control through RBAC. The ServiceAccount acts as the identity for the pod running your Task steps, and it needs explicit permissions to perform actions on cluster resources.

4. Incorrect image in a Step:

   • Diagnosis: If a step uses an image that doesn’t exist or is misspelled, the container will fail to start. Check the TaskRun events or the pod logs for "ErrImagePull" or "ImagePullBackOff."

     kubectl describe pod <taskrun-pod-name> -n tekton-results
     

   • Fix: Correct the image name in the Task definition to a valid and accessible container image.

     # Example: Correcting an image name
     steps:
     - name: check-version
       image: ubuntu:20.04 # Corrected image tag
       script: echo "Running on Ubuntu $(lsb_release -sr)"
     

   • Why it works: The container runtime cannot pull an image that doesn’t exist or is specified incorrectly, preventing the step from executing.

5. Missing Results Definition in Task:

   • Diagnosis: If a Task defines results that a Pipeline expects, but the Task definition itself doesn’t correctly output them (e.g., missing results section or incorrect path), the PipelineRun can fail. Look for errors indicating missing results in the PipelineRun events.

     kubectl describe pipelinerun <failed-pipelinerun-name> -n tekton-results
     

   • Fix: Ensure the Task correctly declares its results and that the steps write to the specified path within the Task’s results directory.

     # Example: Task definition with results
     apiVersion: tekton.dev/v1alpha1
     kind: Task
     metadata:
       name: build-and-tag
     spec:
       results:
         - name: image-digest
           description: Digest of the built image
           path: $(results.image-digest.path) # Path to write the digest
       steps:
         - name: build
           image: gcr.io/cloud-builders/docker
           script: |
             docker build -t my-image:latest .
             docker push my-image:latest
     
             DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' my-image:latest)
     
             echo "$DIGEST" > $(results.image-digest.path) # Writing to the declared path
     

   • Why it works: Tekton uses results to pass information between Tasks in a Pipeline. If a Task fails to produce an expected result, the Pipeline cannot proceed.

6. Volume Mount Issues:

   • Diagnosis: If a Task relies on persistent storage or shared volumes, and these are not correctly configured or mounted, steps might fail due to missing files or directories. Check pod logs for "No such file or directory" errors.

     kubectl logs <failed-taskrun-name> -c <step-container-name> -n tekton-results
     

   • Fix: Ensure volumes are defined in the Task or Pipeline and correctly mounted in the relevant steps. If using PersistentVolumeClaims, verify they are bound and available.

     # Example: Mounting a volume for shared workspace
     apiVersion: tekton.dev/v1alpha1
     kind: Task
     metadata:
       name: process-files
     spec:
       steps:
         - name: process
           image: ubuntu
           volumeMounts:
             - name: shared-data
               mountPath: /data
       volumes:
         - name: shared-data
           emptyDir: {} # Or a PVC
     

   • Why it works: Steps need access to the filesystem to read input or write output. Incorrect volume configuration means the necessary directories or files won’t be present.

The next error you’ll likely encounter after fixing these is a PipelineRun failure due to a different TaskRun failing, or a TaskRun failing for a reason not covered above, such as a resource quota being exceeded in the namespace.