
Unable in trigger object to use a serviceaccount from an other namespace #1610

Open
tizard34 opened this issue Jun 21, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@tizard34

Expected Behavior

Specifying a serviceaccount from another namespace must be allowed in the trigger object.

Actual Behavior

If the serviceaccount used in the EventListener does not have the right to impersonate, the EventListener Pod writes these logs:

{"severity":"error","timestamp":"2023-06-21T12:50:15.363Z","logger":"eventlistener","caller":"sink/sink.go:583","message":"problem creating obj: &errors.errorString{s:\"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \\\"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\\\" is forbidden: User \\\"system:serviceaccount:app-pipelines-namespace:default\\\" cannot impersonate resource \\\"users\\\" in API group \\\"\\\" at the cluster scope\"}","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","/trigger":"trigger-build"}
{"severity":"error","timestamp":"2023-06-21T12:50:15.363Z","logger":"eventlistener","caller":"sink/sink.go:444","message":"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" is forbidden: User \"system:serviceaccount:app-pipelines-namespace:default\" cannot impersonate resource \"users\" in API group \"\" at the cluster scope","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","/trigger":"trigger-build"}

If the serviceaccount used in the EventListener has the right to impersonate, the EventListener Pod writes these logs:

{"severity":"error","timestamp":"2023-06-21T21:41:49.587Z","logger":"eventlistener","caller":"sink/sink.go:583","message":"problem creating obj: &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:\"Status\", APIVersion:\"v1\"}, ListMeta:v1.ListMeta{SelfLink:\"\", ResourceVersion:\"\", Continue:\"\", RemainingItemCount:(*int64)(nil)}, Status:\"Failure\", Message:\"pipelineruns.tekton.dev is forbidden: User \\\"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\\\" cannot create resource \\\"pipelineruns\\\" in API group \\\"tekton.dev\\\" in the namespace \\\"app-pipelines-namespace\\\"\", Reason:\"Forbidden\", Details:(*v1.StatusDetails)(0xc00081c120), Code:403}}","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","/trigger":"trigger-build"}
{"severity":"error","timestamp":"2023-06-21T21:41:49.587Z","logger":"eventlistener","caller":"sink/sink.go:444","message":"pipelineruns.tekton.dev is forbidden: User \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" cannot create resource \"pipelineruns\" in API group \"tekton.dev\" in the namespace \"app-pipelines-namespace\"","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","/trigger":"trigger-build"}

It seems that the prefix "system:serviceaccount:<CURRENT_NAMESPACE>:" is always added to the trigger serviceaccount name.

Steps to Reproduce the Problem

  1. Create a ClusterRole
kind: ClusterRole
apiVersion: authorization.openshift.io/v1
metadata:
  name: sa-user-impersonator
rules:
  - verbs:
      - impersonate
    attributeRestrictions: null
    apiGroups:
      - ''
    resources:
      - serviceaccounts
      - users
  2. Create a ClusterRoleBinding to associate your EventListener serviceaccount with the sa-user-impersonator ClusterRole
  3. Create an EventListener using a trigger with a different serviceaccount created in another namespace (it must be allowed to create PipelineRuns)
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: my-eventlistener
  namespace: app-pipelines-namespace
spec:
  namespaceSelector: {}
  resources: {}
  serviceAccountName: default
  triggers:
    - bindings: ....
      interceptors: ...
      name: trigger-build
      serviceAccountName: 'system:serviceaccount:other-namespace:default'
      template: ....
  4. Call the EventListener and see the logs of the associated pod

Additional Info

  • Kubernetes version:

    Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-10-10T16:38:01Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.7+eab9cc9", GitCommit:"d53489b7cc6293d77f77f2588bc4d885c7485e89", GitTreeState:"clean", BuildDate:"2023-03-13T21:23:28Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
  • Tekton Pipeline version:

    Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

Client version: 0.31.0
Chains version: v0.15.0
Pipeline version: v0.44.2
Triggers version: v0.23.1
Operator version: v0.65.1
@tizard34 tizard34 added the kind/bug Categorizes issue or PR as related to a bug. label Jun 21, 2023
@tizard34 tizard34 changed the title Impossible in trigger object to use a serviceaccount from an other namespace Unable in trigger object to use a serviceaccount from an other namespace Jun 21, 2023
@savitaashture savitaashture self-assigned this Jul 12, 2023
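The two error messages quoted above are the only evidence in this issue of what the listener does with the trigger's serviceAccountName, so it is worth being able to read them mechanically. The following is an added example, not Tekton's code: it parses trimmed copies of the two sink.go:444 log lines from the issue, separates the two failure modes the reporter saw (the listener's own serviceaccount lacking the impersonate verb versus the impersonated identity lacking rights on pipelineruns), and flags the doubled "system:serviceaccount:" prefix so the intended namespace and name can be recovered. The constants, struct names and regular expressions are all assumptions of this example. As a side note for anyone copying the ClusterRole from step 1: it grants impersonation of every user and serviceaccount in the cluster, so in practice one would restrict it with resourceNames to the specific serviceaccount the trigger needs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// saPrefix is the prefix Kubernetes gives every service-account user name.
const saPrefix = "system:serviceaccount:"

// Sample log lines: trimmed copies of the two sink.go:444 entries quoted in the
// issue, constructed for this example by dropping the event-id and commit fields.
const (
	LogNoImpersonate      = `{"severity":"error","logger":"eventlistener","caller":"sink/sink.go:444","message":"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" is forbidden: User \"system:serviceaccount:app-pipelines-namespace:default\" cannot impersonate resource \"users\" in API group \"\" at the cluster scope","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/trigger":"trigger-build"}`
	LogImpersonatedDenied = `{"severity":"error","logger":"eventlistener","caller":"sink/sink.go:444","message":"pipelineruns.tekton.dev is forbidden: User \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" cannot create resource \"pipelineruns\" in API group \"tekton.dev\" in the namespace \"app-pipelines-namespace\"","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/trigger":"trigger-build"}`
)

// FailureKind names the two RBAC failures the issue shows.
type FailureKind string

const (
	NoImpersonateRight FailureKind = "listener SA may not impersonate the trigger identity"
	ImpersonatedDenied FailureKind = "impersonated identity may not act on the target resource"
	NotRBAC            FailureKind = "no RBAC denial found in message"
)

// Finding is the triage result for one log line.
type Finding struct {
	Subject  string // identity the API server evaluated
	Target   string // identity the listener tried to impersonate (empty if unknown)
	Verb     string // denied verb
	Resource string // denied resource
	Kind     FailureKind
}

// elEntry holds only the log fields this example needs.
type elEntry struct {
	Message string `json:"message"`
	Trigger string `json:"/trigger"`
}

var (
	denialRe = regexp.MustCompile(`User "([^"]+)" cannot (\w+) resource "([^"]+)"`)
	targetRe = regexp.MustCompile(`users "([^"]+)" is forbidden`)
)

// Triage parses one EventListener JSON log line and classifies the RBAC denial in it.
func Triage(line string) (Finding, error) {
	var e elEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return Finding{Kind: NotRBAC}, err
	}
	// sink.go:583 lines wrap the message in a Go struct dump with escaped quotes; unescape them.
	msg := strings.ReplaceAll(e.Message, `\"`, `"`)
	m := denialRe.FindStringSubmatch(msg)
	if m == nil {
		return Finding{Kind: NotRBAC}, nil
	}
	f := Finding{Subject: m[1], Verb: m[2], Resource: m[3]}
	if f.Verb == "impersonate" {
		// The listener's own SA was denied; the target is named earlier in the message.
		f.Kind = NoImpersonateRight
		if t := targetRe.FindStringSubmatch(msg); t != nil {
			f.Target = t[1]
		}
		return f, nil
	}
	// Any other denied verb was evaluated for the impersonated identity itself.
	f.Kind = ImpersonatedDenied
	f.Target = f.Subject
	return f, nil
}

// DoublePrefixed reports whether a user name carries "system:serviceaccount:" twice,
// the symptom the issue shows when the trigger's serviceAccountName is already fully qualified.
func DoublePrefixed(user string) bool {
	return strings.HasPrefix(user, saPrefix) && strings.Contains(user[len(saPrefix):], saPrefix)
}

// SplitSAUser recovers the intended namespace and name from a service-account user name,
// discarding a doubled prefix when one is present.
func SplitSAUser(user string) (ns, name string, ok bool) {
	if !strings.HasPrefix(user, saPrefix) {
		return "", "", false
	}
	rest := user[len(saPrefix):]
	if i := strings.Index(rest, saPrefix); i >= 0 {
		rest = rest[i+len(saPrefix):]
	}
	parts := strings.SplitN(rest, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

func main() {
	for _, line := range []string{LogNoImpersonate, LogImpersonatedDenied} {
		f, err := Triage(line)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%s: %s denied %s on %s\n", f.Kind, f.Subject, f.Verb, f.Resource)
		if ns, name, ok := SplitSAUser(f.Target); ok && DoublePrefixed(f.Target) {
			fmt.Printf("  doubled prefix; intended identity is %s/%s\n", ns, name)
		}
	}
}
```

Run against the two constructed lines, the first is classified as the listener SA lacking the impersonate verb and the second as the impersonated identity lacking create on pipelineruns; both carry the doubled prefix, from which SplitSAUser recovers other-namespace/default.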
@tekton-robot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 10, 2023
@tizard34
Author

/remove-lifecycle stale : no answer from assignee

@savitaashture
Contributor

Hi @tizard34
Apologies for the late reply.

Can you provide me the full YAML for the EL?

apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: my-eventlistener
  namespace: app-pipelines-namespace
spec:
  namespaceSelector: {}
  resources: {}
  serviceAccountName: default
  triggers:
    - bindings: ....
      interceptors: ...
      name: trigger-build
      serviceAccountName: 'system:serviceaccount:other-namespace:default'
      template: ....

I mean bindings and interceptor details, etc.,

so that I can try to reproduce the issue.
