
EventListener Sink Pod crash loops if it does not get access to cluster scoped resources #1780

@hochbit

Expected Behavior

The event listener sink pod starts with a service account which is not allowed to access cluster-scoped resources, the event listener runs, and I can use it within my namespace from, for example, a cronjob; the pod does not bother about cluster-scoped resources if I do not use any.

Actual Behavior

The pod crashes with the following errors:

W1127 07:05:21.463490       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475191       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476850       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476882       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475299       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476940       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476936       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476986       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476982       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477011       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477602       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.477641       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477656       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.477660       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.297952       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.298001       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.395103       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.395149       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.411167       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.411192       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.739110       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.739163       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.840273       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.840317       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.865625       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.865664       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:22.901476       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:22.901514       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:23.990100       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:23.990141       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.194274       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.194324       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.543095       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.543150       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.594044       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.594092       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:24.635383       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:24.635416       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:25.847764       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:25.847865       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:26.015209       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:26.015251       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.000300       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.000363       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.384131       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.384166       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:28.606654       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:28.606691       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:29.309260       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:29.309316       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:29.894386       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:29.894439       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:30.555874       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:30.555915       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:31.816391       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:31.816461       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:36.264871       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:36.264908       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.Trigger: failed to list *v1beta1.Trigger: triggers.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggers" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:36.274666       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:36.274687       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:37.840359       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:37.840426       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:38.915801       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:38.915847       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerBinding: failed to list *v1beta1.TriggerBinding: triggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:40.829727       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:40.829765       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Interceptor: failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:42.031913       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:42.031965       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.TriggerTemplate: failed to list *v1beta1.TriggerTemplate: triggertemplates.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "triggertemplates" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:42.468118       1 reflector.go:539] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:42.468148       1 reflector.go:147] k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1beta1.ClusterTriggerBinding: failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
2024/11/27 07:05:51 failed to start informers:failed to wait for cache at index 0 to sync
Stream closed EOF for my-namespace/el-cron-events-674b8d479b-8wzmp (event-listener)

Steps to Reproduce the Problem

  1. Create a ServiceAccount, Role and RoleBinding for all resources normally supplied to the EventListener except cluster-scoped resources
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton
rules:
- apiGroups:
  - triggers.tekton.dev
  resources:
  - eventlisteners
  - triggerbindings
  - interceptors
  - triggertemplates
  - triggers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns
  - pipelineresources
  - taskruns
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton
subjects:
- kind: ServiceAccount
  name: tekton
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton
  2. Create an EventListener that uses this service account
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: cron-events
spec:
  serviceAccountName: tekton
  triggers:
    - name: cron-trig
      interceptors: []
      bindings:
      - ref: mirror-repo
        kind: TriggerBinding # Optional: Adding this did also not help
      template:
        ref: mirror-repo
  namespaceSelector:
    matchNames:
    - my-namespace  # Optional: Adding that did actually add an argument in the pod - but it is still crashing
  3. See the event listener sink pod crashing

Additional Info

  • Kubernetes version: v1.31.2

    Output of kubectl version:

    Client Version: v1.31.1
    Kustomize Version: v5.4.2
    Server Version: v1.31.2
    
  • Tekton Pipeline version:

Client version: 0.38.1
Pipeline version: v0.65.2
Triggers version: v0.30.0
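
A triage aid for the log above, added here as an example and not part of the original issue or the Tekton code base: it collapses the reflector retries into distinct RBAC denials and separates resources the namespaced Role already grants (but which are being listed cluster-wide) from resources the Role never mentions. The names `Denial`, `ParseDenials`, `Classify` and `RoleTriggerResources` are hypothetical, and the sample lines are constructed from the log format shown in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample: lines shortened from the log format shown in the issue.
const sampleLog = `W1127 07:05:21.463490 1 reflector.go:539] failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
E1127 07:05:21.476850 1 reflector.go:147] Failed to watch *v1beta1.EventListener: failed to list *v1beta1.EventListener: eventlisteners.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "eventlisteners" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475191 1 reflector.go:539] failed to list *v1beta1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.475299 1 reflector.go:539] failed to list *v1alpha1.Interceptor: interceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "interceptors" in API group "triggers.tekton.dev" at the cluster scope
W1127 07:05:21.476982 1 reflector.go:539] failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:my-namespace:tekton" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
2024/11/27 07:05:51 failed to start informers:failed to wait for cache at index 0 to sync`

// RoleTriggerResources are the triggers.tekton.dev resources granted by the
// namespaced Role in the reproduction steps.
var RoleTriggerResources = []string{
	"eventlisteners", "triggerbindings", "interceptors", "triggertemplates", "triggers",
}

// forbiddenRe matches the authorization denial text logged by client-go reflectors.
var forbiddenRe = regexp.MustCompile(
	`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" (at the cluster scope|in the namespace "([^"]+)")`)

// Denial is one distinct refusal reported by the API server.
type Denial struct {
	User, Verb, Resource, Group, Namespace string
	ClusterScope                           bool
}

// ParseDenials returns the distinct denials in logText in first-seen order,
// so repeated reflector retries count once.
func ParseDenials(logText string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, line := range strings.Split(logText, "\n") {
		m := forbiddenRe.FindStringSubmatch(line)
		if m == nil {
			continue // not an RBAC denial (e.g. the final informer error)
		}
		d := Denial{User: m[1], Verb: m[2], Resource: m[3], Group: m[4],
			Namespace: m[6], ClusterScope: strings.HasPrefix(m[5], "at the cluster")}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	return out
}

// Classify splits cluster-scope denials into resources the namespaced Role
// already grants (the request was simply made cluster-wide) and resources
// the Role does not cover at all.
func Classify(ds []Denial, roleResources []string) (grantedInNS, notGranted []string) {
	granted := map[string]bool{}
	for _, r := range roleResources {
		granted[r] = true
	}
	for _, d := range ds {
		if !d.ClusterScope {
			continue
		}
		if granted[d.Resource] {
			grantedInNS = append(grantedInNS, d.Resource)
		} else {
			notGranted = append(notGranted, d.Resource)
		}
	}
	sort.Strings(grantedInNS)
	sort.Strings(notGranted)
	return grantedInNS, notGranted
}

func main() {
	inNS, missing := Classify(ParseDenials(sampleLog), RoleTriggerResources)
	fmt.Println("granted in namespace, listed cluster-wide:", inNS)
	fmt.Println("not granted by the Role:", missing)
}
```

Resources in the first group show the sink requesting a cluster-wide list even though a namespaced Role covers them, which is a different problem from the cluster-scoped kinds in the second group.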

Labels: kind/bug