EventListener Sink Pod crash loops if it does not get access to cluster scoped resources #1780

Open
hochbit opened this issue Nov 27, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Expected Behavior

Event listener sink pod starts with a service account which is not allowed to access cluster-scoped resources, the event listener runs, and I can use it within my namespace by, for example, a cronjob, and the pod does not bother about cluster-scoped resources if I do not use any.

Actual Behavior

Pod crashes with the following errors:

W1127 07:05:21.463490       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475191       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476850       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476882       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475299       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476940       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476936       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476986       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476982       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477011       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477602       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477641       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477656       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477660       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.297952       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.298001       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.395103       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.395149       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.411167       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.411192       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.739110       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.739163       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.840273       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.840317       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.865625       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.865664       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.901476       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.901514       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:23.990100       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:23.990141       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.194274       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.194324       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.543095       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.543150       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.594044       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.594092       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.635383       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.635416       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:25.847764       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:25.847865       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:26.015209       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:26.015251       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.000300       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.000363       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.384131       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.384166       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.606654       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.606691       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:29.309260       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:29.309316       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:29.894386       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:29.894439       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:30.555874       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:30.555915       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:31.816391       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:31.816461       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:36.264871       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:36.264908       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:36.274666       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:36.274687       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:37.840359       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:37.840426       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:38.915801       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:38.915847       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:40.829727       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:40.829765       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:42.031913       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:42.031965       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:42.468118       1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:42.468148       1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
2024/11/27 07:05:51 failed to start informers:failed to wait for cache at index 0 to sync
Stream closed EOF for my-namespace/el-cron-events-674b8d479b-8wzmp (event-listener)

Steps to Reproduce the Problem

  1. Create a ServiceAccount, Role, RoleBinding for all resources normally supplied to the Eventlistener except ClusterScoped resources
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton
rules:
- apiGroups:
  - triggers.tekton.dev
  resources:
  - eventlisteners
  - triggerbindings
  - interceptors
  - triggertemplates
  - triggers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns
  - pipelineresources
  - taskruns
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton
subjects:
- kind: ServiceAccount
  name: tekton
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton
  2. Create an EventListener that uses this service account
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: cron-events
spec:
  serviceAccountName: tekton
  triggers:
    - name: cron-trig
      interceptors: []
      bindings:
      - ref: mirror-repo
        kind: TriggerBinding # Optional: Adding this did also not help
      template:
        ref: mirror-repo
  namespaceSelector:
    matchNames:
    - my-namespace  # Optional: Adding that did actually add an argument in the pod - but it is still crashing
  3. See the event listener sink pod crashing

Additional Info

  • Kubernetes version: v1.31.2

    Output of kubectl version:

    Client Version: v1.31.1
    Kustomize Version: v5.4.2
    Server Version: v1.31.2
    
  • Tekton Pipeline version:

Client version: 0.38.1
Pipeline version: v0.65.2
Triggers version: v0.30.0
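
To triage a log like the one in this issue, the repeated reflector warnings can be reduced to distinct denied requests and compared with the namespaced Role from the reproduction steps. This is an added example, not part of the original issue or of Tekton's code; the function names are hypothetical and the sample log is constructed by abridging lines quoted above.

```python
import re
from typing import NamedTuple, Optional


class Denial(NamedTuple):
    user: str
    verb: str
    resource: str
    group: str
    namespace: Optional[str]  # None: the request was made at cluster scope


# The API server's "forbidden" message as it appears in the reflector lines.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Two rules copied from the Role in the reproduction steps.
ROLE_RULES = [
    {"apiGroups": ["triggers.tekton.dev"],
     "resources": ["eventlisteners", "triggerbindings", "interceptors",
                   "triggertemplates", "triggers"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed sample: lines from the issue with the source-file prefix dropped.
SAMPLE_LOG = '''\
W1127 07:05:21.463490 1 reflector.go:539] failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476850 1 reflector.go:147] Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475191 1 reflector.go:539] failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477011 1 reflector.go:539] failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476982 1 reflector.go:539] failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
2024/11/27 07:05:51 failed to start informers:failed to wait for cache at index 0 to sync
'''


def parse_denials(log_text):
    """Return the distinct RBAC denials in klog output (W/E repeats collapse)."""
    found = set()
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m:
            found.add(Denial(m["user"], m["verb"], m["resource"],
                             m["group"], m["namespace"]))
    return found


def rule_matches(rule, denial):
    """True if one Role rule covers the denied verb/resource/group."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], denial.group)
            and hit(rule["resources"], denial.resource)
            and hit(rule["verbs"], denial.verb))


def classify(denials, role_rules, role_namespace):
    """Split denials by cause, given a Role bound only in role_namespace."""
    report = {"scope_mismatch": [], "missing_rule": [], "check_binding": []}
    for d in sorted(denials, key=lambda d: (d.resource, d.namespace or "")):
        granted = any(rule_matches(r, d) for r in role_rules)
        if not granted:
            report["missing_rule"].append(d.resource)
        elif d.namespace != role_namespace:
            # The Role grants the verb, but a RoleBinding only authorizes
            # requests inside its own namespace, not cluster-wide lists.
            report["scope_mismatch"].append(d.resource)
        else:
            report["check_binding"].append(d.resource)
    return report


if __name__ == "__main__":
    print(classify(parse_denials(SAMPLE_LOG), ROLE_RULES, "my-namespace"))
```

Resources under `scope_mismatch` are ones the Role already grants inside the namespace but that the pod requested at cluster scope; those under `missing_rule` have no matching rule in the Role.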
