Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EventListener cannot see Triggers in other than deployment namespace #1700

Closed
wilstdu opened this issue Feb 23, 2024 · 2 comments · Fixed by #1725
Closed

EventListener cannot see Triggers in other than deployment namespace #1700

wilstdu opened this issue Feb 23, 2024 · 2 comments · Fixed by #1725
Assignees
@khrm
Labels
kind/bug Categorizes issue or PR as related to a bug.
Milestone
Triggers v0.27

Comments

@wilstdu
Copy link

wilstdu commented Feb 23, 2024

Expected Behavior

EventListener can see Triggers in other than deployment namespaces.

Actual Behavior

EventListener cannot see Triggers in other than deployment namespaces.

Steps to Reproduce the Problem

EventListener running in a "main" namespace. EvenListener oversees Triggers in multiple namespaces.
"feature" namespaces have RoleBindings that allow ServiceAccount in the "main" namespace to view resources in the "feature" namespace.

Send a request to the EventListener ingress with a payload that would only match the rule for the "feature" namespace Trigger.

Additional Info

With Triggers version 0.23.1 this still worked, but with any later version this no longer works and EventListener can only see Triggers where the EventListener is deployed. From Kubernetes permission perspective everything looks good and there were no other infrastructure changes than changing Tekton Triggers version.

Example triggers for illustration of how main and feature trigger selection is implemented:

apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: example-feature-branch
spec:
  interceptors:
  - ref:
      name: cel
    params:
    - name: filter
      value: >-
        body.branch=="feature"
  bindings:
  - name: example-variable
    value: example-value
  template:
    ref: example-reference

---
apiVersion: triggers.tekton.dev/v1beta1
kind: Trigger
metadata:
  name: example-main-branch
spec:
  interceptors:
  - ref:
      name: cel
    params:
    - name: filter
      value: >-
        body.branch=="main"
  bindings:
  - name: example-variable
    value: example-value
  template:
    ref: example-reference

---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: example-el
  namespace: example-main-namespace
spec:
  namespaceSelector: {}
  resources:
    kubernetesResource:
      replicas: 2
  serviceAccountName: el-service-account-name
  triggerGroups:
    - name: local-trigger-group
      triggerSelector:
        labelSelector:
          matchLabels: {} 
        namespaceSelector:
          matchNames:
            - '*'
  • Kubernetes version:
1.28
  • Tekton Pipeline version:
0.53.3
@wilstdu wilstdu added the kind/bug Categorizes issue or PR as related to a bug. label Feb 23, 2024
@realSchoki
Copy link

I think its linked to this: #1652

just add a dummy entry under .spec.namespaceSelector if you need a "hotfix". Fix is on roadmap for 0.27.0.

@khrm
Copy link
Contributor

khrm commented Apr 5, 2024

/assign @khrm

@khrm khrm added this to the Triggers v0.27 milestone Apr 5, 2024
@seternate seternate mentioned this issue May 2, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@khrm khrm

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
Triggers v0.27
Development

Successfully merging a pull request may close this issue.

Fix is-multi-ns flag for triggerGroups
3 participants
@khrm @realSchoki @wilstdu