tektoncd / triggers

Event triggering with Tekton!
Apache License 2.0

Unable in trigger object to use a serviceaccount from another namespace #1610

Open tizard34 opened 1 year ago

tizard34 commented 1 year ago

Expected Behavior

Specifying a serviceaccount from another namespace must be allowed in the trigger object.

Actual Behavior

If the serviceaccount used in the EventListener does not have the right to impersonate, the EventListener Pod writes these logs:

{"severity":"error","timestamp":"2023-06-21T12:50:15.363Z","logger":"eventlistener","caller":"sink/sink.go:583","message":"problem creating obj: &errors.errorString{s:\"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \\\"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\\\" is forbidden: User \\\"system:serviceaccount:app-pipelines-namespace:default\\\" cannot impersonate resource \\\"users\\\" in API group \\\"\\\" at the cluster scope\"}","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","/trigger":"trigger-build"}
{"severity":"error","timestamp":"2023-06-21T12:50:15.363Z","logger":"eventlistener","caller":"sink/sink.go:444","message":"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" is forbidden: User \"system:serviceaccount:app-pipelines-namespace:default\" cannot impersonate resource \"users\" in API group \"\" at the cluster scope","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","/trigger":"trigger-build"}

If the serviceaccount used in the EventListener has the right to impersonate, the EventListener Pod writes these logs:

{"severity":"error","timestamp":"2023-06-21T21:41:49.587Z","logger":"eventlistener","caller":"sink/sink.go:583","message":"problem creating obj: &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:\"Status\", APIVersion:\"v1\"}, ListMeta:v1.ListMeta{SelfLink:\"\", ResourceVersion:\"\", Continue:\"\", RemainingItemCount:(*int64)(nil)}, Status:\"Failure\", Message:\"pipelineruns.tekton.dev is forbidden: User \\\"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\\\" cannot create resource \\\"pipelineruns\\\" in API group \\\"tekton.dev\\\" in the namespace \\\"app-pipelines-namespace\\\"\", Reason:\"Forbidden\", Details:(*v1.StatusDetails)(0xc00081c120), Code:403}}","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","/trigger":"trigger-build"}
{"severity":"error","timestamp":"2023-06-21T21:41:49.587Z","logger":"eventlistener","caller":"sink/sink.go:444","message":"pipelineruns.tekton.dev is forbidden: User \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" cannot create resource \"pipelineruns\" in API group \"tekton.dev\" in the namespace \"app-pipelines-namespace\"","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","/trigger":"trigger-build"}

It seems that the prefix "system:serviceaccount:<namespace>:" is always added to the trigger serviceaccount name.

Steps to Reproduce the Problem

  1. Create a ClusterRole
     kind: ClusterRole
     apiVersion: authorization.openshift.io/v1
     metadata:
       name: sa-user-impersonator
     rules:
       - verbs:
           - impersonate
         attributeRestrictions: null
         apiGroups:
           - ''
         resources:
           - serviceaccounts
           - users
  2. Create a ClusterRoleBinding to associate your EventListener serviceaccount with the sa-user-impersonator ClusterRole
  3. Create an EventListener using a trigger with a different serviceaccount created in another namespace (it must be allowed to create PipelineRuns)
     apiVersion: triggers.tekton.dev/v1alpha1
     kind: EventListener
     metadata:
       name: my-eventlistener
       namespace: app-pipelines-namespace
     spec:
       namespaceSelector: {}
       resources: {}
       serviceAccountName: default
       triggers:
         - bindings: ....
           interceptors: ...
           name: trigger-build
           serviceAccountName: 'system:serviceaccount:other-namespace:default'
           template: ....
  4. Call the EventListener and see the logs of the associated pod

Additional Info

Client Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-10-10T16:38:01Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.7+eab9cc9", GitCommit:"d53489b7cc6293d77f77f2588bc4d885c7485e89", GitTreeState:"clean", BuildDate:"2023-03-13T21:23:28Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Client version: 0.31.0
Chains version: v0.15.0
Pipeline version: v0.44.2
Triggers version: v0.23.1
Operator version: v0.65.1
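The two failure modes in the logs above, and the configuration that produces them, as an added example (Python; this is not code from the issue or from tektoncd/triggers). It builds the username an EventListener impersonates for a trigger (the trigger's serviceAccountName joined to the EventListener's own namespace, which is the prefixing the logs show), lints an EventListener spec for trigger serviceAccountName values that already carry the "system:serviceaccount:" prefix, and classifies the Forbidden messages so that the "cannot impersonate" case (the EventListener's own service account lacks the impersonate verb) is told apart from the "cannot create resource" case (impersonation worked, but the impersonated identity lacks RBAC in the EventListener's namespace). The spec and log lines are constructed to mirror the ones in the issue, and every function name is the example's own.

```python
"""Added example for the issue above (not code from tektoncd/triggers): lint the
serviceAccountName of each trigger in an EventListener spec, and classify the 403
errors an EventListener logs when impersonating a trigger service account fails."""
import json
import re
from typing import Dict, List, Optional

SA_USER_PREFIX = "system:serviceaccount:"
# A trigger serviceAccountName that already carried the prefix, prefixed again with
# the EventListener's namespace (the shape seen in the issue's logs).
DOUBLE_PREFIX_RE = re.compile(
    r"^system:serviceaccount:(?P<el_ns>[^:]+):system:serviceaccount:(?P<sa_ns>[^:]+):(?P<sa>[^:]+)$"
)
# Service-account usernames quoted in a Forbidden message. The closing quote may be
# backslash-escaped when the Go error was printed with %#v (the sink.go:583 entries).
SA_USER_RE = re.compile(r'system:serviceaccount:[^"\\\s]+')


def impersonation_user(el_namespace: str, trigger_sa: str) -> str:
    """Username the EventListener impersonates for a trigger: the serviceAccountName
    is joined to the EventListener's own namespace, as the issue's logs show."""
    return f"{SA_USER_PREFIX}{el_namespace}:{trigger_sa}"


def lint_event_listener(el: dict) -> List[str]:
    """Flag trigger serviceAccountName values that are full usernames instead of the
    plain name of a service account in the EventListener's namespace."""
    ns = el["metadata"]["namespace"]
    findings = []
    for trig in el.get("spec", {}).get("triggers", []):
        sa = trig.get("serviceAccountName")
        if not sa:
            continue  # trigger falls back to the EventListener's own service account
        if sa.startswith(SA_USER_PREFIX):
            findings.append(
                f"trigger {trig.get('name', '?')!r}: serviceAccountName {sa!r} would be "
                f"impersonated as {impersonation_user(ns, sa)!r}; use the plain name of a "
                f"service account that exists in namespace {ns!r}"
            )
    return findings


def classify_forbidden(log_line: str) -> Optional[Dict]:
    """Parse one EventListener JSON log line. Returns the failure class, the
    service-account usernames in the message and which of them are double-prefixed,
    or None when the line is not JSON or carries no impersonation-related 403."""
    try:
        rec = json.loads(log_line)
    except json.JSONDecodeError:
        return None
    msg = rec.get("message", "") if isinstance(rec, dict) else ""
    if "cannot impersonate" in msg:
        # The EventListener's own service account lacks the impersonate verb.
        kind = "eventlistener-sa-cannot-impersonate"
    elif "cannot create resource" in msg:
        # Impersonation succeeded; the impersonated identity lacks RBAC for the resource.
        kind = "impersonated-sa-lacks-rbac"
    else:
        return None
    users = SA_USER_RE.findall(msg)
    return {
        "kind": kind,
        "users": users,
        "double_prefixed": [u for u in users if DOUBLE_PREFIX_RE.match(u)],
        "trigger": rec.get("/trigger"),
    }


# Constructed EventListener spec mirroring the issue's, plus one correctly configured trigger.
SAMPLE_EL = {
    "apiVersion": "triggers.tekton.dev/v1alpha1",
    "kind": "EventListener",
    "metadata": {"name": "my-eventlistener", "namespace": "app-pipelines-namespace"},
    "spec": {
        "serviceAccountName": "default",
        "triggers": [
            {"name": "trigger-build", "serviceAccountName": "system:serviceaccount:other-namespace:default"},
            {"name": "trigger-ok", "serviceAccountName": "pipeline-runner"},
        ],
    },
}

DOUBLED = "system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default"
# Constructed log lines with the message shapes of the sink.go:444 and sink.go:583 entries in the issue.
SAMPLE_LOGS = [
    json.dumps({"severity": "error", "caller": "sink/sink.go:444", "/trigger": "trigger-build",
                "message": f'users "{DOUBLED}" is forbidden: User "system:serviceaccount:'
                           f'app-pipelines-namespace:default" cannot impersonate resource "users" '
                           f'in API group "" at the cluster scope'}),
    json.dumps({"severity": "error", "caller": "sink/sink.go:444", "/trigger": "trigger-build",
                "message": f'pipelineruns.tekton.dev is forbidden: User "{DOUBLED}" cannot create '
                           f'resource "pipelineruns" in API group "tekton.dev" in the namespace '
                           f'"app-pipelines-namespace"'}),
    json.dumps({"severity": "error", "caller": "sink/sink.go:583", "/trigger": "trigger-build",
                "message": f'problem creating obj: &errors.errorString{{s:"users \\"{DOUBLED}\\" '
                           f'is forbidden: User \\"system:serviceaccount:app-pipelines-namespace:default\\" '
                           f'cannot impersonate resource \\"users\\" in API group \\"\\" at the cluster scope"}}'}),
    json.dumps({"severity": "info", "message": "EventListener started"}),
    "plain text line that is not JSON",
]

if __name__ == "__main__":
    for finding in lint_event_listener(SAMPLE_EL):
        print("lint:", finding)
    for line in SAMPLE_LOGS:
        result = classify_forbidden(line)
        if result:
            print(result["kind"], result["double_prefixed"])
```

Before applying an EventListener, the identity the sink will actually use can be checked against RBAC with `kubectl auth can-i create pipelineruns.tekton.dev --as=system:serviceaccount:<el-namespace>:<trigger-sa> -n <el-namespace>` (placeholders in angle brackets), which catches the "cannot create resource" case without triggering the listener; the "cannot impersonate" case needs the impersonate verb on the EventListener's own service account, as in the ClusterRole from the reproduction steps.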
tekton-robot commented 1 year ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

tizard34 commented 1 year ago

/remove-lifecycle stale : no answer from assignee

savitaashture commented 1 year ago

Hi @tizard34, apologies for the late reply.

Can you provide me the full YAML for the EL?

apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: my-eventlistener
  namespace: app-pipelines-namespace
spec:
  namespaceSelector: {}
  resources: {}
  serviceAccountName: default
  triggers:
    - bindings: ....
      interceptors: ...
      name: trigger-build
      serviceAccountName: 'system:serviceaccount:other-namespace:default'
      template: ....

I mean the bindings and interceptor details, etc.

so that I can try to reproduce the issue.