tektoncd / triggers

Event triggering with Tekton!
Apache License 2.0

Event Listener failed to list ClusterTriggerBinding/ClusterInterceptors #1065

Closed rannox closed 3 years ago

rannox commented 3 years ago

Expected Behavior

The Event Listener works without generating error logs about missing permissions to list ClusterTriggerBindings and ClusterInterceptors.

Actual Behavior

Not installing the ClusterRoleBinding from https://github.com/tektoncd/triggers/blob/main/examples/rbac.yaml is causing the logs of the Event Listener to be filled with the following error message:

E0421 05:28:53.084714       1 reflector.go:127] runtime/asm_amd64.s:1374: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0421 05:28:53.084806       1 reflector.go:127] runtime/asm_amd64.s:1374: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0421 05:28:54.237533       1 reflector.go:127] runtime/asm_amd64.s:1374: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0421 05:28:54.638558       1 reflector.go:127] runtime/asm_amd64.s:1374: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope
E0421 05:28:56.089374       1 reflector.go:127] runtime/asm_amd64.s:1374: Failed to watch *v1alpha1.ClusterTriggerBinding: failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource "clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope
E0421 05:28:56.395082       1 reflector.go:127] runtime/asm_amd64.s:1374: Failed to watch *v1alpha1.ClusterInterceptor: failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource "clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope

The developers at our project don't have the permissions to create ClusterRoleBindings (Cluster Admin required). In earlier versions of Tekton Triggers they installed a separate event listener per namespace. Now doing so creates the described error in the logs of the event listener.

Version of Tekton Pipelines: 0.23.0
Version of Tekton Triggers: 0.13.0

rannox commented 3 years ago

I just read the https://github.com/tektoncd/community/blob/main/teps/0009-trigger-crd.md. According to the new design of the Tekton Triggers, only Cluster Operators should be able to create Event Listeners, which totally makes sense and thus the ClusterRoleBinding :)

dibyom commented 3 years ago

Sorry for the delay in responding. Yes, the idea is the cluster operators create EventListeners. And users can create the Trigger types. The EventListeners can then select all triggers in a namespace using the namespaceSelector or a subset using labelSelector.
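As an added example (not code from this issue or from the Tekton project), the following Python parses the `forbidden` messages quoted above and derives the smallest set of ClusterRole rules that would silence them, so that whatever a cluster operator binds to the service account is scoped to exactly the resources and verbs the reflectors were denied. The log sample is constructed from two of the issue's own lines.

```python
import re
from collections import defaultdict

# kube-apiserver "forbidden" message as it appears in the reflector errors
# quoted in this issue (the page's wrapped log lines are rejoined here).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" at the cluster scope'
)

# Constructed sample: two of the issue's log lines, verbatim apart from the wrap.
SAMPLE_LOG = (
    'E0421 05:28:53.084714 1 reflector.go:127] Failed to watch *v1alpha1.ClusterInterceptor: '
    'failed to list *v1alpha1.ClusterInterceptor: clusterinterceptors.triggers.tekton.dev is forbidden: '
    'User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource '
    '"clusterinterceptors" in API group "triggers.tekton.dev" at the cluster scope\n'
    'E0421 05:28:53.084806 1 reflector.go:127] Failed to watch *v1alpha1.ClusterTriggerBinding: '
    'failed to list *v1alpha1.ClusterTriggerBinding: clustertriggerbindings.triggers.tekton.dev is forbidden: '
    'User "system:serviceaccount:pipeline-namespace:tekton-triggers-example-sa" cannot list resource '
    '"clustertriggerbindings" in API group "triggers.tekton.dev" at the cluster scope\n'
)

def parse_forbidden(log_text):
    """Return {(user, verb, group, resource)} for every cluster-scoped denial.
    A reflector that logs "Failed to watch ... failed to list" needs both verbs;
    the apiserver names only the one rejected first (list), so watch is added."""
    denials = set()
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        denials.add((m["user"], m["verb"], m["group"], m["resource"]))
        if "Failed to watch" in line:
            denials.add((m["user"], "watch", m["group"], m["resource"]))
    return denials

def minimal_rules(denials):
    """Collapse denials into least-privilege ClusterRole rules: one per API
    group, with only the resources and verbs that were actually denied."""
    by_group = defaultdict(lambda: {"resources": set(), "verbs": set()})
    for _, verb, group, resource in denials:
        by_group[group]["resources"].add(resource)
        by_group[group]["verbs"].add(verb)
    return [
        {"apiGroups": [g], "resources": sorted(r["resources"]), "verbs": sorted(r["verbs"])}
        for g, r in sorted(by_group.items())
    ]
```

The resulting rule list maps directly onto the `rules:` field of a ClusterRole; because the denied resources are cluster-scoped, the corresponding binding still has to be a ClusterRoleBinding, which is why a cluster operator is needed here.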