Unable in trigger object to use a serviceaccount from an other namespace

[tizard34]

Expected Behavior

Specify a serviceaccount from an other namespace must be allowed in trigger object

Actual Behavior

If the serviceaccount used in the EventListener has not the right to impersonate. The EventListener Pod write this logs :

{"severity":"error","timestamp":"2023-06-21T12:50:15.363Z","logger":"eventlistener","caller":"sink/sink.go:583","message":"problem creating obj: &errors.errorString{s:\"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \\\"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\\\" is forbidden: User \\\"system:serviceaccount:app-pipelines-namespace:default\\\" cannot impersonate resource \\\"users\\\" in API group \\\"\\\" at the cluster scope\"}","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","/trigger":"trigger-build"}
{"severity":"error","timestamp":"2023-06-21T12:50:15.363Z","logger":"eventlistener","caller":"sink/sink.go:444","message":"couldn't find API resource for json: error getting kubernetes server resources for apiVersion tekton.dev/v1beta1: users \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" is forbidden: User \"system:serviceaccount:app-pipelines-namespace:default\" cannot impersonate resource \"users\" in API group \"\" at the cluster scope","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"614aca5f-a8c6-4149-b5cb-9ea815f8012e","/trigger":"trigger-build"}

If the serviceaccount used in the EventListener has the right to impersonate. The EventListener Pod write this logs :

{"severity":"error","timestamp":"2023-06-21T21:41:49.587Z","logger":"eventlistener","caller":"sink/sink.go:583","message":"problem creating obj: &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:\"Status\", APIVersion:\"v1\"}, ListMeta:v1.ListMeta{SelfLink:\"\", ResourceVersion:\"\", Continue:\"\", RemainingItemCount:(*int64)(nil)}, Status:\"Failure\", Message:\"pipelineruns.tekton.dev is forbidden: User \\\"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\\\" cannot create resource \\\"pipelineruns\\\" in API group \\\"tekton.dev\\\" in the namespace \\\"app-pipelines-namespace\\\"\", Reason:\"Forbidden\", Details:(*v1.StatusDetails)(0xc00081c120), Code:403}}","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","/trigger":"trigger-build"}
{"severity":"error","timestamp":"2023-06-21T21:41:49.587Z","logger":"eventlistener","caller":"sink/sink.go:444","message":"pipelineruns.tekton.dev is forbidden: User \"system:serviceaccount:app-pipelines-namespace:system:serviceaccount:other-namespace:default\" cannot create resource \"pipelineruns\" in API group \"tekton.dev\" in the namespace \"app-pipelines-namespace\"","commit":"ebff8e2","eventlistener":"my-eventlistener","namespace":"app-pipelines-namespace","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","eventlistenerUID":"8e3947ae-0f8b-45ae-ab5a-c8ebec8ca21a","/triggers-eventid":"73b5333c-33b7-4eac-ab4a-07cea56d906f","/trigger":"trigger-build"}

It seems that the prefix "system:serviceaccount::" is always added to the trigger serviceaccount name.

Steps to Reproduce the Problem

1. Create a ClusterRole

   kind: ClusterRole
   apiVersion: authorization.openshift.io/v1
   metadata:
   name: sa-user-impersonator
   rules:
   - verbs:
     - impersonate
   attributeRestrictions: null
   apiGroups:
     - ''
   resources:
     - serviceaccounts
     - users

2. Create a ClusterRoleBinding to associate your EventListener serviceaccount to the sa-user-impersonator ClusterRole
3. Create an EventListener using a trigger with a different serviceaccount created in an other namespace (it must be allowed to create PipelineRuns)

   apiVersion: triggers.tekton.dev/v1alpha1
   kind: EventListener
   metadata:
   name: my-eventlistener
   namespace: app-pipelines-namespace
   spec:
   namespaceSelector: {}
   resources: {}
   serviceAccountName: default
   triggers:
   - bindings: ....
     interceptors: ...
     name: trigger-build
     serviceAccountName: 'system:serviceaccount:other-namespace:default'
     template: ....

4. Call the EventListener and see logs of associated pod

Additional Info

• Kubernetes version:

  Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-10-10T16:38:01Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.7+eab9cc9", GitCommit:"d53489b7cc6293d77f77f2588bc4d885c7485e89", GitTreeState:"clean", BuildDate:"2023-03-13T21:23:28Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}

• Tekton Pipeline version:

  Output of tkn version or kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'

Client version: 0.31.0
Chains version: v0.15.0
Pipeline version: v0.44.2
Triggers version: v0.23.1
Operator version: v0.65.1

[tekton-robot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tizard34]

/remove-lifecycle stale : no answer from assignee

[savitaashture]

Hi @tizard34 Apologize for the late reply

can you provide me the full yaml for EL

apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: my-eventlistener
  namespace: app-pipelines-namespace
spec:
  namespaceSelector: {}
  resources: {}
  serviceAccountName: default
  triggers:
    - bindings: ....
      interceptors: ...
      name: trigger-build
      serviceAccountName: 'system:serviceaccount:other-namespace:default'
      template: ....

I mean bindings and interceptor details etc....

so that i can try to reproduce the issue