
Commit

Revert "dibyo's point about only EL sink/interceptors reading secrets"
This reverts commit 8eb2067.

Turns out, the webhook does need access to create secrets since it uses it
to create `tekton-webhook-certs` if it does not exist.

Fixes #803
dibyom authored and tekton-robot committed Oct 15, 2020
1 parent 6fbcf89 commit 397d151
Showing 3 changed files with 12 additions and 1 deletion.
10 changes: 10 additions & 0 deletions config/200-role.yaml
@@ -12,10 +12,17 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# NOTE: when multi-tenant EventListener progresses, moving this Role
# to a ClusterRole is not the advisable path. Additional Roles that
# adds access to Secrets to the Namespaces managed by the multi-tenant
# EventListener is what should be done. While not as simple, it avoids
# giving access to K8S system level, cluster admin privileged level Secrets

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-triggers-admin
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
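Review bot: the NOTE comment has a grammar slip and no closing punctuation: `# Additional Roles that` / `# adds access to Secrets` should read `add access`, and the last line `# giving access to K8S system level, cluster admin privileged level Secrets` should end with a period. This comment is the only place the Role-versus-ClusterRole decision is recorded, so it is worth keeping precise; consider also citing the issue from the commit message (#803) here, so the reason for the secrets rule further down in this file survives the next refactor.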
@@ -24,3 +31,6 @@ rules:
resources: ["podsecuritypolicies"]
resourceNames: ["tekton-triggers"]
verbs: ["use"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
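Review bot: this rule grants every verb on secrets (`get`, `list`, `create`, `update`, `delete`, `patch`, `watch`) in `tekton-pipelines`, while the commit message only justifies `create` for `tekton-webhook-certs`. RBAC cannot restrict `create` by `resourceNames` (the object name is not known at authorization time), but `get`, `update`, `patch` and `delete` can be, so consider splitting this into one rule with `verbs: ["create"]` and a second with `resourceNames: ["tekton-webhook-certs"]` for the remaining verbs, and drop `list`/`watch` unless a component actually needs them, since an unrestricted `list` exposes every secret in the namespace. If the broad grant is intentional, a comment saying which component needs which verb would help the next reviewer.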
1 change: 1 addition & 0 deletions config/201-rolebinding.yaml
@@ -16,6 +16,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-triggers-controller-admin
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
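Review bot: the explicit `namespace: tekton-pipelines` on the RoleBinding metadata is the right fix for a namespaced binding, since a RoleBinding can only reference a Role in its own namespace and without the field the object lands wherever `kubectl apply` happens to be pointed; it matches the `namespace: tekton-pipelines` on the `tekton-triggers-admin` Role in `config/200-role.yaml`. The `roleRef` and `subjects` of `tekton-triggers-controller-admin` are outside this hunk, so a reader cannot confirm from the diff alone that this binding is the one that now carries the secrets rule; a short comment naming the Role it binds would close that gap.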
@@ -9,7 +9,7 @@ rules:
verbs: ["get"]
- apiGroups: [""]
# secrets are only needed for Github/Gitlab interceptors
resources: ["configmaps"]
resources: ["configmaps", "secrets"]
verbs: ["get", "list", "watch"]
# Permissions to create resources in associated TriggerTemplates
- apiGroups: ["tekton.dev"]
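Review bot: merging `secrets` into the same rule as `configmaps` (`resources: ["configmaps", "secrets"]` with `get`, `list`, `watch`) gives list/watch read access to every secret in this rule's scope, which sits awkwardly with the comment `# secrets are only needed for Github/Gitlab interceptors` placed inside the rule. Give secrets their own rule so it can be narrowed later (for example `verbs: ["get"]` with `resourceNames` once the interceptor secret names are known) and move the comment above the `- apiGroups: [""]` item it describes; the product names should also read `GitHub/GitLab`.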

0 comments on commit 397d151