
fix: add permissions to patch events #1722

Merged
merged 1 commit into from
Apr 7, 2022

Conversation

hectorj2f
Contributor

Signed-off-by: hectorj2f hectorf@vmware.com

Summary

When looking at the logs from the policy-webhook pod, I found errors while patching events such as:

E0407 15:32:56.528437       1 event.go:267] Server rejected event '&v1.Event{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"image-hectorj2f-policy.16e3a4a2d537e800", GenerateName:"", Namespace:"default", SelfLink:"", UID:"", ResourceVersion:"6750", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:<nil>, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ClusterName:"", ManagedFields:[]v1.ManagedFieldsEntry(nil)}, InvolvedObject:v1.ObjectReference{Kind:"ClusterImagePolicy", Namespace:"", Name:"image-hectorj2f-policy", UID:"0e2d2952-e524-44a9-8bfc-3641c559f863", APIVersion:"cosigned.sigstore.dev/v1alpha1", ResourceVersion:"13141", FieldPath:""}, Reason:"FinalizerUpdate", Message:"Updated \"image-hectorj2f-policy\" finalizers", Source:v1.EventSource{Component:"clusterimagepolicy-controller", Host:""}, FirstTimestamp:time.Date(2022, time.April, 7, 14, 48, 27, 0, time.Local), LastTimestamp:time.Date(2022, time.April, 7, 15, 32, 56, 522014000, time.Local), Count:3, Type:"Normal", EventTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), Series:(*v1.EventSeries)(nil), Action:"", Related:(*v1.ObjectReference)(nil), ReportingController:"", ReportingInstance:""}': 'events "image-hectorj2f-policy.16e3a4a2d537e800" is forbidden: User "system:serviceaccount:cosign-system:webhook" cannot patch resource "events" in API group "" in the namespace "default"' (will not retry!)

I added the permissions to patch events too, so we can now see the events:

$ kubectl get events -A

NAMESPACE      LAST SEEN   TYPE     REASON            OBJECT                                      MESSAGE
default        4m22s       Normal   FinalizerUpdate   clusterimagepolicy/image-hectorj2f-policy   Updated "image-hectorj2f-policy" finalizers

Ticket Link

Fixes

Release Note


Signed-off-by: hectorj2f <hectorf@vmware.com>
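The error above is the RBAC failure mode this PR is about: the webhook's service account could create Events but not patch them, and client-go's event recorder patches an existing Event to bump its Count when the same event recurs (note Count:3 in the log). The Go program below is an added illustration, not cosign's code or its actual manifest: it evaluates RBAC rules with Kubernetes' additive, wildcard-aware matching and reports which verbs the event recorder still lacks. The BeforeRules and AfterRules rule sets are assumptions chosen to reproduce the symptom, not copied from the repository.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule mirrors the three RBAC rule fields that matter for this check.
// Illustration only: not cosign's manifest and not client-go code.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is one authorization question: may the subject perform Verb on
// Resource in APIGroup? The core API group is the empty string, where Events live.
type Request struct {
	APIGroup string
	Resource string
	Verb     string
}

// matches follows RBAC wildcard semantics: "*" matches anything, otherwise the
// entry must be equal to the requested value.
func matches(allowed []string, value string) bool {
	for _, a := range allowed {
		if a == "*" || a == value {
			return true
		}
	}
	return false
}

// Allowed returns true if any rule grants the request. RBAC is purely additive,
// there are no deny rules, so a verb no rule lists is forbidden.
func Allowed(rules []PolicyRule, r Request) bool {
	for _, rule := range rules {
		if matches(rule.APIGroups, r.APIGroup) &&
			matches(rule.Resources, r.Resource) &&
			matches(rule.Verbs, r.Verb) {
			return true
		}
	}
	return false
}

// RequiredEventVerbs are the verbs a client-go event recorder issues against the
// core "events" resource: create for a new Event, patch to raise Count on repeats.
var RequiredEventVerbs = []string{"create", "patch"}

// MissingEventVerbs reports which of those verbs the given rules do not grant.
func MissingEventVerbs(rules []PolicyRule) []string {
	var missing []string
	for _, v := range RequiredEventVerbs {
		if !Allowed(rules, Request{APIGroup: "", Resource: "events", Verb: v}) {
			missing = append(missing, v)
		}
	}
	return missing
}

// BeforeRules is an assumed pre-fix rule set: create only. The first Event is
// written, and the patch that bumps Count is rejected with "cannot patch resource events".
var BeforeRules = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"events"}, Verbs: []string{"create"}},
}

// AfterRules is an assumed post-fix rule set: create and patch, nothing broader.
var AfterRules = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}},
}

func main() {
	for _, c := range []struct {
		name  string
		rules []PolicyRule
	}{{"before", BeforeRules}, {"after", AfterRules}} {
		if m := MissingEventVerbs(c.rules); len(m) > 0 {
			fmt.Printf("%s: event recorder is missing verbs on events: %s\n", c.name, strings.Join(m, ", "))
		} else {
			fmt.Printf("%s: event recorder has every verb it needs\n", c.name)
		}
	}
}
```

Against a live cluster the same question is answered by the API server itself, for example `kubectl auth can-i patch events -n default --as=system:serviceaccount:cosign-system:webhook`, which is a quicker check than waiting for the recorder to log a rejected patch. Granting only create and patch on events, rather than a wildcard verb list, keeps the webhook's service account at the minimum the recorder needs.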
@hectorj2f hectorj2f added the bug Something isn't working label Apr 7, 2022
@hectorj2f hectorj2f requested a review from cpanato April 7, 2022 16:10
@hectorj2f hectorj2f self-assigned this Apr 7, 2022
@cpanato cpanato requested a review from vaikas April 7, 2022 16:14
@dlorenc dlorenc merged commit 43f427b into sigstore:main Apr 7, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 7, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
Signed-off-by: hectorj2f <hectorf@vmware.com>
Labels
bug Something isn't working

4 participants