Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update docs for clusterroles packaged for eventlistener #1163

Merged
merged 1 commit into from
Jul 29, 2021

Conversation

sm43
Copy link
Member

@sm43 sm43 commented Jul 26, 2021

This update docs to use clusterroles packaged with triggers instead
of creating new roles for eventlistener.

Signed-off-by: Shivam Mukhade [email protected]

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes tests (if functionality changed/added)
  • Includes docs (if user facing)
  • Commit messages follow commit message best practices
  • Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

This update docs to use clusterroles packaged with triggers instead
of creating new roles for eventlistener.

Signed-off-by: Shivam Mukhade <[email protected]>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 26, 2021
@tekton-robot tekton-robot requested review from dlorenc and vtereso July 26, 2021 05:00
@tekton-robot tekton-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 26, 2021
@sm43
Copy link
Member Author

sm43 commented Jul 26, 2021

/cc @savitaashture @dibyom

- If you're using `namespaceSelectors` in your `EventListener`, a `ClusterRole` that permits read access to all `Trigger` objects on the cluster.ources across the cluster.

Tekton Trigger creates 2 clusterroles while installing with necessary permissions required for an eventlistener. You can directly create bindings for your serviceaccount with the clusterroles.
- A Kubernetes RoleBinding with `tekton-triggers-eventlistener-roles` clusterrole.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue with this is that it allows us for impersonation clusterwide.
@dibyom Is this OK? Earlier we were using role not clusterrole so it wasn't a issue.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are using a RoleBinding to use this ClusterRole, so the impersonation should still be gated to the namespace...right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed at WG today -- using a RoleBinding should be good enough!
@khrm let me know if you have any concerns!

@dibyom
Copy link
Member

dibyom commented Jul 28, 2021

/approve

@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 28, 2021
Copy link
Contributor

@khrm khrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 29, 2021
@tekton-robot tekton-robot merged commit c0ccf0c into tektoncd:main Jul 29, 2021
@sm43 sm43 deleted the update-docs branch August 19, 2021 04:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants