EventListener Sink Pod crash loops if it does not get access to cluster scoped resources
Expected Behavior
The EventListener sink pod starts with a service account which is not allowed to access cluster-scoped resources, the event listener runs, and I can use it within my namespace from, for example, a cronjob. The pod does not bother about cluster-scoped resources if I do not use any.
Actual Behavior
The pod crashes with the following errors:
W1127 07:05:21.463490 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475191 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476850 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476882 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475299 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476940 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476936 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476986 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476982 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477011 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477602 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477641 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477656 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477660 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.297952 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.298001 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.395103 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.395149 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.411167 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.411192 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.739110 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.739163 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.840273 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.840317 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.865625 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.865664 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.901476 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.901514 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:23.990100 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:23.990141 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.194274 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.194324 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.543095 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.543150 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.594044 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.594092 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.635383 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.635416 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:25.847764 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:25.847865 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:26.015209 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:26.015251 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.000300 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.000363 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.384131 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.384166 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.606654 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.606691 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:29.309260 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:29.309316 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:29.894386 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:29.894439 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:30.555874 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:30.555915 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:31.816391 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:31.816461 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:36.264871 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:36.264908 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:36.274666 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:36.274687 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:37.840359 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:37.840426 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:38.915801 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:38.915847 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:40.829727 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:40.829765 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:42.031913 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:42.031965 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:42.468118 1 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:42.468148 1 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
2024/11/27 07:05:51 failed to start informers:failed to wait for cache at index 0 to sync
Stream closed EOF for my-namespace/el-cron-events-674b8d479b-8wzmp (event-listener)
Steps to Reproduce the Problem
- Create a ServiceAccount, Role, and RoleBinding for all resources normally supplied to the EventListener except cluster-scoped resources
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton
rules:
  - apiGroups:
      - triggers.tekton.dev
    resources:
      - eventlisteners
      - triggerbindings
      - interceptors
      - triggertemplates
      - triggers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - tekton.dev
    resources:
      - pipelineruns
      - pipelineresources
      - taskruns
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton
subjects:
  - kind: ServiceAccount
    name: tekton
    namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton
- Create an EventListener that uses this service account
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: cron-events
spec:
  serviceAccountName: tekton
  triggers:
    - name: cron-trig
      interceptors: []
      bindings:
        - ref: mirror-repo
          kind: TriggerBinding # Optional: Adding this did also not help
      template:
        ref: mirror-repo
  namespaceSelector:
    matchNames:
      - my-namespace # Optional: Adding that did actually add an argument in the pod - but it is still crashing
- See the event listener sink pod crashing
Additional Info
- Kubernetes version: v1.31.2
  Output of kubectl version:
  Client Version: v1.31.1
  Kustomize Version: v5.4.2
  Server Version: v1.31.2
- Tekton Pipeline version:
  Client version: 0.38.1
  Pipeline version: v0.65.2
  Triggers version: v0.30.0
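
An added triage example (not part of the original issue and not Tekton code): a Python script that parses the RBAC denials in reflector lines like those above and separates resources the Role already grants inside the namespace, but which the pod lists at cluster scope, from resources the Role does not grant at all. The sample lines are constructed from the log above with the source-path prefix shortened, `ROLE_LISTABLE` is copied from the Role in the reproduction steps, and the function names are hypothetical.

```python
import re

# Resources the issue's namespaced Role grants get/list/watch on
# (copied from the Role in the reproduction steps).
ROLE_LISTABLE = frozenset({
    "eventlisteners", "triggerbindings", "interceptors",
    "triggertemplates", "triggers",
})

# The API server's RBAC denial text as it appears inside client-go reflector lines.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

CLUSTER = "<cluster>"

# Constructed sample input, shortened from the log in this issue.
_SA = 'User "system:serviceaccount:my-namespace:tekton"'
_TAIL = 'in API group "triggers.tekton.dev" at the cluster scope'
SAMPLE_LOG = [
    f'W1127 07:05:21.463490 1 reflector.go:539] failed to list *v1beta1.EventListener: '
    f'eventlisteners.triggers.tekton.dev is forbidden: {_SA} cannot list resource "eventlisteners" {_TAIL}',
    # The reflector logs each denial twice (W, then E); both collapse to one finding.
    f'E1127 07:05:21.476850 1 reflector.go:147] Failed to watch *v1beta1.EventListener: '
    f'failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: '
    f'{_SA} cannot list resource "eventlisteners" {_TAIL}',
    f'W1127 07:05:21.476982 1 reflector.go:539] failed to list *v1alpha1.ClusterInterceptor: '
    f'clusterinterceptors.triggers.tekton.dev is forbidden: {_SA} cannot list resource "clusterinterceptors" {_TAIL}',
    f'W1127 07:05:21.476936 1 reflector.go:539] failed to list *v1beta1.Trigger: '
    f'triggers.triggers.tekton.dev is forbidden: {_SA} cannot list resource "triggers" {_TAIL}',
    '2024/11/27 07:05:51 failed to start informers:failed to wait for cache at index 0 to sync',
]


def parse_denials(lines):
    """Return the unique (user, verb, group, resource, scope) denials in the log."""
    denials = set()
    for line in lines:
        m = DENIAL_RE.search(line)
        if m:
            scope = m.group("namespace") or CLUSTER
            denials.add((m.group("user"), m.group("verb"),
                         m.group("group"), m.group("resource"), scope))
    return denials


def classify(denials, role_listable=ROLE_LISTABLE):
    """Map each denied resource to the reason the namespaced Role did not cover it."""
    report = {}
    for _user, verb, _group, resource, scope in sorted(denials):
        if scope != CLUSTER:
            report[resource] = f"denied in namespace {scope}"
        elif verb in ("get", "list", "watch") and resource in role_listable:
            # The Role allows this verb, but only inside its own namespace;
            # the request was made across all namespaces.
            report[resource] = "granted by Role, but requested cluster-wide"
        else:
            report[resource] = "not granted by Role"
    return report


if __name__ == "__main__":
    for resource, reason in classify(parse_denials(SAMPLE_LOG)).items():
        print(f"{resource}: {reason}")
```
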