
Namespaced controller should not list cluster namespaces #2603

Closed
dghubble opened this issue May 12, 2020 · 1 comment · Fixed by #2604
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt.

Comments

@dghubble
Contributor

Expected Behavior

#2144 added a command --namespace to allow the controller to be used in a more namespace-scoped way, watching only a single namespace. Accordingly, we use a restricted ClusterRole that does not permit any cluster-level namespace access.

Actual Behavior

Tekton controller errors trying to list cluster namespaces. Fortunately, Tekton continues anyway and functions fine.

{"level":"info","logger":"tekton","caller":"sharedmain/main.go:194","msg":"tekton will not run in leader-elected mode","commit":"ab391e7"}
{"level":"error","logger":"tekton","caller":"reconciler/timeout_handler.go:192","msg":"Can't get namespaces list: namespaces is forbidden: User \"system:serviceaccount:tekton:tekton-controller\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope","commit":"ab391e7","stacktrace":"github.com/tektoncd/pipeline/pkg/reconciler.(*TimeoutSet).CheckTimeouts\n\tgithub.com/tektoncd/pipeline/pkg/reconciler/timeout_handler.go:192\ngithub.com/tektoncd/pipeline/pkg/reconciler/taskrun.NewController.func1\n\tgithub.com/tektoncd/pipeline/pkg/reconciler/taskrun/controller.go:91\ngithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain.ControllersAndWebhooksFromCtors\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain/main.go:381\ngithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain.MainWithConfig.func2\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain/main.go:168\ngithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain.MainWithConfig\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain/main.go:195\ngithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain.MainWithContext\n\tgithub.com/tektoncd/pipeline/vendor/knative.dev/pkg/injection/sharedmain/main.go:128\nmain.main\n\tgithub.com/tektoncd/pipeline/cmd/controller/main.go:72\nruntime.main\n\truntime/proc.go:203"}
{"level":"info","logger":"tekton.pipeline-controller","caller":"pipelinerun/controller.go:91","msg":"Setting up event handlers","commit":"ab391e7","knative.dev/controller":"pipeline-controller"}
...

Steps to Reproduce the Problem

Set a specific namespace Tekton should watch and check the logs when it starts.

     ...
      - name: tekton-controller
        image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.12.0
        args:
          - --namespace=tekton
          - --entrypoint-image=gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.12.0@sha256:67f93630931aae98f449b5dfb764d80f7ada7c3c67950c1563ed4ec406fad2f9
          - --shell-image=busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6

Lock down the ClusterRole to something more comfortable.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-controller
rules:
  - apiGroups:
      - tekton.dev
    resources:
      - clustertasks
      - clustertasks/status
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch

Additional Info

  • Kubernetes version: v1.18.2
  • Tekton Pipeline version: v0.12.0
@vdemeester
Member

/kind cleanup

@tekton-robot tekton-robot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label May 12, 2020
@vdemeester vdemeester added the kind/bug Categorizes issue or PR as related to a bug. label May 12, 2020
tekton-robot pushed a commit that referenced this issue May 18, 2020
* Pass `--namespace` value to taskrun and pipelinerun NewController
to facilitate namespace-scoped behaviors
* Change TimeoutHandler `CheckTimeouts` to timeout taskrun/pipelinerun's
in the scoped namespace or all namespaces (default if unset)

Related: #2603
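The fix the commit describes (scan only the `--namespace` value when it is set, and touch the cluster-scope namespace list only when it is unset) and the RBAC check behind the issue are shown together in the following added example. It is not Tekton's code and not the fix in #2604: `PolicyRule`, `ClusterRole`, `Allows`, `rbacClient` and `namespacesToCheck` are assumed names in a small simplified model of RBAC rule matching (wildcards only, no resourceNames) that reproduces the API server's 403 when the bound role lacks the cluster-scope list. The restricted role is the one quoted in the issue; the cluster-wide role and the fake namespace list are constructed.

```go
package main

import "fmt"

// PolicyRule mirrors the apiGroups/resources/verbs triple of a Kubernetes RBAC rule.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// ClusterRole is a minimal model of the rules section of an RBAC ClusterRole.
// It ignores resourceNames and nonResourceURLs, which the issue's role does not use.
type ClusterRole struct {
	Name  string
	Rules []PolicyRule
}

// restrictedRole is the ClusterRole quoted in the issue: ClusterTasks only,
// no access to the core-group "namespaces" resource.
var restrictedRole = ClusterRole{
	Name: "tekton-controller",
	Rules: []PolicyRule{{
		APIGroups: []string{"tekton.dev"},
		Resources: []string{"clustertasks", "clustertasks/status"},
		Verbs:     []string{"get", "list", "create", "update", "delete", "patch", "watch"},
	}},
}

// clusterWideRole is a constructed role that does grant the cluster-scope list;
// it is the kind of grant a namespace-scoped controller should not need.
var clusterWideRole = ClusterRole{
	Name:  "namespace-reader",
	Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"list", "watch"}}},
}

// matchesAny implements the RBAC wildcard: "*" matches everything.
func matchesAny(allowed []string, want string) bool {
	for _, a := range allowed {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// Allows reports whether the role grants verb on resource in apiGroup ("" is the core group),
// the same question `kubectl auth can-i <verb> <resource> --as=<subject>` answers.
func (r ClusterRole) Allows(verb, apiGroup, resource string) bool {
	for _, rule := range r.Rules {
		if matchesAny(rule.APIGroups, apiGroup) && matchesAny(rule.Resources, resource) && matchesAny(rule.Verbs, verb) {
			return true
		}
	}
	return false
}

// NamespaceLister is the one call in the timeout handler that needs cluster-scope RBAC.
type NamespaceLister interface {
	ListNamespaces() ([]string, error)
}

// rbacClient is a constructed stand-in for a client whose ServiceAccount is bound to role;
// it reproduces the API server's 403 when the role lacks the cluster-scope list.
type rbacClient struct {
	role ClusterRole
	all  []string // namespaces that exist in the (fake) cluster
}

func (c rbacClient) ListNamespaces() ([]string, error) {
	if !c.role.Allows("list", "", "namespaces") {
		return nil, fmt.Errorf("namespaces is forbidden: cannot list resource %q in API group %q at the cluster scope", "namespaces", "")
	}
	return c.all, nil
}

// namespacesToCheck is the post-fix selection: with --namespace set, scan only that
// namespace and never call the cluster-scope list; unset means every namespace.
func namespacesToCheck(c NamespaceLister, scopedNamespace string) ([]string, error) {
	if scopedNamespace != "" {
		return []string{scopedNamespace}, nil
	}
	return c.ListNamespaces()
}

func main() {
	c := rbacClient{role: restrictedRole, all: []string{"default", "tekton"}}
	fmt.Println(restrictedRole.Allows("list", "", "namespaces")) // false
	nss, err := namespacesToCheck(c, "tekton")
	fmt.Println(nss, err) // [tekton] <nil>
	_, err = namespacesToCheck(c, "")
	fmt.Println(err) // the forbidden error the issue's log shows
}
```

The point of the split is that the restricted ClusterRole stays exactly as the issue has it: once the handler only asks for the scoped namespace, the cluster-scope `list namespaces` grant is not needed, and the error in the log disappears without widening RBAC. On a real cluster the equivalent check is `kubectl auth can-i list namespaces --as=system:serviceaccount:tekton:tekton-controller`.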