Update docs for clusterroles packaged for eventlistener #1163

Merged: 1 commit, Jul 29, 2021
13 changes: 8 additions & 5 deletions docs/eventlisteners.md
@@ -71,11 +71,14 @@ See our [Tekton Triggers examples](https://github.com/tektoncd/triggers/tree/mas
## Specifying the Kubernetes service account

You must specify a Kubernetes service account in the `serviceAccountName` field that the `EventListener` will use to instantiate Tekton objects.
This account must have the following assigned:
- A Kubernetes `Role` that permits the `get`, `list`, and `watch` verbs for each `Trigger` specified in the `EventListener`
- A Kubernetes `ClusterRole` that permits read access to `ClusterTriggerBindings` objects
- Permissions to create the Tekton resources specified in the associated `TriggerTemplate`, as shown in the following [example](../examples/rbac.yaml)
- If you're using `namespaceSelectors` in your `EventListener`, a `ClusterRole` that permits read access to all `Trigger` objects on the cluster.ources across the cluster.

Tekton Trigger creates 2 clusterroles while installing with necessary permissions required for an eventlistener. You can directly create bindings for your serviceaccount with the clusterroles.
- A Kubernetes RoleBinding with `tekton-triggers-eventlistener-roles` clusterrole.
Contributor:
The issue with this is that it allows for impersonation clusterwide.
@dibyom Is this OK? Earlier we were using a role, not a clusterrole, so it wasn't an issue.

Member:
We are using a RoleBinding to use this ClusterRole, so the impersonation should still be gated to the namespace...right?

Member:
Discussed at WG today -- using a RoleBinding should be good enough!
@khrm let me know if you have any concerns!

- A Kubernetes ClusterRoleBinding with `tekton-triggers-eventlistener-clusterroles` clusterrole.

You can checkout an example [here](../examples/rbac.yaml).
- If you're using `namespaceSelectors` in your `EventListener`, you will have to create an additional `ClusterRoleBinding `
with `tekton-triggers-eventlistener-roles` clusterrole.

## Specifying `Triggers`

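Review bot: the last bullet of the hunk ("If you're using `namespaceSelectors` in your `EventListener`, you will have to create an additional `ClusterRoleBinding ` with `tekton-triggers-eventlistener-roles` clusterrole") undoes the namespace gating the review thread relies on. The thread accepts the impersonation permission in `tekton-triggers-eventlistener-roles` only because it is bound through a RoleBinding, but a ClusterRoleBinding of that same ClusterRole grants every verb in it, impersonation included, in all namespaces. Either state that consequence next to the step, so an operator can weigh `namespaceSelectors` against a cluster-wide impersonation grant for the EventListener service account, or point the step at a narrower ClusterRole that carries only the read access the earlier bullet describes ("a `ClusterRole` that permits read access to all `Trigger` objects on the cluster"). Two smaller points in the same hunk: `ClusterRoleBinding ` has a trailing space inside the backticks and should read `ClusterRoleBinding`, and the bullet ending "on the cluster.ources across the cluster." carries a leftover fragment of the previous sentence that should be dropped.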