Tags: tekton, tekton-pipelines, tekton-trigger

User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" i


I have the EventListener below, which uses the service account gcp-service-account:

```yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: bitbucket-listener
  namespace: fetebird-common
spec:
  serviceAccountName: gcp-service-account
  triggers:
    - name: bitbucket-triggers
      interceptors:
        - ref:
            name: "bitbucket"
          params:
            - name: secretRef
              value:
                secretName: git-ssh-key-secret
                secretKey: ssh-privatekey
            - name: eventTypes
              value:
                - repo:refs_changed
      bindings:
        - ref: bitbucket-trigger-binding
      template:
        ref: bitbucket-trigger-template
```

To allow access to the GCP Kubernetes cluster I have created the RBAC below:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: fetebird-common
  name: bitbucket-role
rules:
  # Permissions for every EventListener deployment to function
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates"]
    verbs: ["*"]
  - apiGroups: [""]
    # secrets are only needed for Github/Gitlab interceptors, serviceaccounts only for per trigger authorization
    resources: ["configmaps", "secrets", "serviceaccounts"]
    verbs: ["*"]
  # Permissions to create resources in associated TriggerTemplates
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "pipelineresources", "taskruns"]
    verbs: ["*"]
```

Role binding:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bitbucket-role-binding
  namespace: fetebird-common
subjects:
  - kind: ServiceAccount
    name: gcp-service-account # "name" is case sensitive
    namespace: fetebird-common
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: bitbucket-role
  apiGroup: rbac.authorization.k8s.io
```

When I push something to Bitbucket I get the exception below:

```
W1001 10:00:17.426414       1 reflector.go:424] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "interceptors" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
E1001 10:00:17.426766       1 reflector.go:140] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "interceptors" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
W1001 10:00:17.480233       1 reflector.go:424] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
E1001 10:00:17.480559       1 reflector.go:140] k8s.io/client-go@v0.27.1/tools/cache/reflector.go:169: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:fetebird-common:gcp-service-account" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" in the namespace "fetebird-common"
```


This gcp-service-account is the service account from Google Cloud.


Solution

  • Tekton Triggers installs the ClusterRoles required by event listener service accounts. I would recommend using those for your service account gcp-service-account, by creating two bindings:

    You can also see more details in the official docs about this.
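As an added example (not part of the answer above), here are the two bindings it refers to, using the ClusterRoles that the Tekton Triggers release manifest installs (`tekton-triggers-eventlistener-roles` and `tekton-triggers-eventlistener-clusterroles`; confirm the names on your install with `kubectl get clusterrole | grep eventlistener`). The namespace and service account are the ones from the question, the binding names are my own choice; note that the hand-written Role in the question omits `interceptors`, which is exactly the resource the first log line says the service account cannot list, and that Tekton's own ClusterRoles grant read verbs rather than `*`.

```yaml
# Namespaced permissions the EventListener pod needs in fetebird-common:
# reading Triggers resources (EventListeners, Triggers, TriggerBindings,
# TriggerTemplates, Interceptors) and creating PipelineRuns/TaskRuns.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gcp-service-account-eventlistener-binding   # name chosen for this example
  namespace: fetebird-common
subjects:
  - kind: ServiceAccount
    name: gcp-service-account
    namespace: fetebird-common
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole   # a ClusterRole bound through a RoleBinding stays scoped to this namespace
  name: tekton-triggers-eventlistener-roles
---
# Cluster-scoped read access for ClusterTriggerBindings and ClusterInterceptors,
# which have no namespace and therefore need a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gcp-service-account-eventlistener-clusterbinding   # name chosen for this example
subjects:
  - kind: ServiceAccount
    name: gcp-service-account
    namespace: fetebird-common
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-eventlistener-clusterroles
```

After applying both, verify with `kubectl auth can-i list interceptors.triggers.tekton.dev -n fetebird-common --as=system:serviceaccount:fetebird-common:gcp-service-account`, which should print `yes`; the reflector in the listener pod retries on its own, so no restart is needed.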