Installing Tekton Operator

May 22, 2026 ยท View on GitHub

To configure images from a custom registry, follow the Air Gap Configuration guide.

  1. Install operator

    $ kubectl apply -f https://infra.tekton.dev/tekton-releases/operator/latest/release.yaml

    Note: This will also install pipelines, triggers, chains, and dashboard

  2. In case you want to install other components, use available installation profiles: lite , all, basic

    Where

    PlatformProfileInstalled Component
    Kubernetes, OpenShiftlitePipeline
    Kubernetes, OpenShiftbasicPipeline, Trigger, Chains
    KubernetesallPipeline, Trigger, Chains, Dashboard
    OpenShiftallPipeline, Trigger, Chains, Pipelines as Code, Addons

    To install pipelines, triggers, chains and dashboard (use profile 'all')

    $ kubectl apply -f https://raw.githubusercontent.com/tektoncd/operator/main/config/crs/kubernetes/config/all/operator_v1alpha1_config_cr.yaml

Platform notes

OpenShift: do not run pipelines in the default namespace

On OpenShift, the default namespace is classified as a "highly privileged" system namespace. Pod Security Admission (PSA) label synchronization is permanently disabled there by the platform, so even though the operator correctly creates the pipeline ServiceAccount and RBAC bindings in default, PipelineRuns submitted to that namespace fail with permissionDenied errors: PSA enforces the restricted profile and the SCC-to-PSA label sync never runs.

User-created namespaces are not affected because the Cluster Policy Controller automatically syncs SCC privileges into PSA labels. The OpenShift documentation has the same guidance (Do not run workloads in or share access to default projects).

Run pipelines in a dedicated namespace instead of default on OpenShift. See tektoncd/operator#3427 for the original report.