-
Notifications
You must be signed in to change notification settings - Fork 420
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update docs for clusterroles packaged for eventlistener #1163
Conversation
This update docs to use clusterroles packaged with triggers instead of creating new roles for eventlistener. Signed-off-by: Shivam Mukhade <[email protected]>
- If you're using `namespaceSelectors` in your `EventListener`, a `ClusterRole` that permits read access to all `Trigger` objects on the cluster.ources across the cluster. | ||
|
||
Tekton Trigger creates 2 clusterroles while installing with necessary permissions required for an eventlistener. You can directly create bindings for your serviceaccount with the clusterroles. | ||
- A Kubernetes RoleBinding with `tekton-triggers-eventlistener-roles` clusterrole. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Issue with this is that it allows us for impersonation clusterwide.
@dibyom Is this OK? Earlier we were using role not clusterrole so it wasn't a issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are using a RoleBinding to use this ClusterRole, so the impersonation should still be gated to the namespace...right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed at WG today -- using a RoleBinding should be good enough!
@khrm let me know if you have any concerns!
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
This update docs to use clusterroles packaged with triggers instead
of creating new roles for eventlistener.
Signed-off-by: Shivam Mukhade [email protected]
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Release Notes