I have the below EventListener, which uses the service account gcp-service-account:

```yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: bitbucket-listener
  namespace: fetebird-common
spec:
  serviceAccountName: gcp-service-account
  triggers:
    - name: bitbucket-triggers
      interceptors:
        - ref:
            name: "bitbucket"
          params:
            - name: secretRef
              value:
                secretName: git-ssh-key-secret
                secretKey: ssh-privatekey
            - name: eventTypes
              value:
                - repo:refs_changed
      bindings:
        - ref: bitbucket-trigger-binding
      template:
        ref: bitbucket-trigger-template
```
To allow access to GCP Kubernetes I have created the below RBAC Role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: fetebird-common
  name: bitbucket-role
rules:
  # Permissions for every EventListener deployment to function
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates"]
    verbs: ["*"]
  - apiGroups: [""]
    # secrets are only needed for Github/Gitlab interceptors, serviceaccounts only for per trigger authorization
    resources: ["configmaps", "secrets", "serviceaccounts"]
    verbs: ["*"]
  # Permissions to create resources in associated TriggerTemplates
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "pipelineresources", "taskruns"]
    verbs: ["*"]
```
Role binding:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bitbucket-role-binding
  namespace: fetebird-common
subjects:
  - kind: ServiceAccount
    name: gcp-service-account # "name" is case sensitive
    namespace: fetebird-common
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: bitbucket-role
  apiGroup: rbac.authorization.k8s.io
```
When I push something to Bitbucket I am facing the below exception:
W1001 10:00:17.426414 1 reflector.go:424] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "interceptors" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
E1001 10:00:17.426766 1 reflector.go:140] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "interceptors" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
W1001 10:00:17.480233 1 reflector.go:424] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
E1001 10:00:17.480559 1 reflector.go:140] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
This gcp-service-account is the service account from GOOGLE CLOUD.
Tekton Triggers installs the ClusterRoles required by event listener service accounts. I would recommend using those for your service account gcp-service-account, by creating two bindings:

- A Kubernetes RoleBinding with the tekton-triggers-eventlistener-roles ClusterRole.
- A Kubernetes ClusterRoleBinding with the tekton-triggers-eventlistener-clusterroles ClusterRole.

You can also see more details in the official docs about this.
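The two bindings described above, written out as an added example (not part of the original question or answer). The binding names are assumptions; the service account name and namespace are taken from the error message, which identifies the subject as `system:serviceaccount:fetebird-common:gcp-service-account`. The ClusterRoleBinding is what the namespaced Role in the question cannot provide: the listener's failed `list` of `interceptors` is a cluster-wide read, so a Role scoped to `fetebird-common` can never satisfy it.

```yaml
# Added example: bind the Tekton-installed ClusterRoles to the existing
# ServiceAccount instead of the hand-written bitbucket-role.
# Namespace-scoped permissions (eventlisteners, triggerbindings,
# triggertemplates, secrets, pipelineruns, ...) come from a RoleBinding
# that references a ClusterRole; they apply only inside fetebird-common.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bitbucket-eventlistener-binding   # assumed name
  namespace: fetebird-common
subjects:
  - kind: ServiceAccount
    name: gcp-service-account
    namespace: fetebird-common
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole                        # a RoleBinding may reference a ClusterRole
  name: tekton-triggers-eventlistener-roles
---
# Cluster-scoped permissions (listing interceptors/clusterinterceptors,
# which the error log shows being denied) need a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bitbucket-eventlistener-clusterbinding   # assumed name
subjects:
  - kind: ServiceAccount
    name: gcp-service-account
    namespace: fetebird-common               # required for a ClusterRoleBinding subject
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-clusterroles
```

After applying both, `kubectl auth can-i list interceptors.triggers.tekton.dev --as=system:serviceaccount:fetebird-common:gcp-service-account -n fetebird-common` should answer `yes`; the original bitbucket-role and its binding can then be removed, since the Tekton ClusterRoles are scoped to what the listener needs rather than granting `*` on secrets and service accounts.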