
I am trying to delete tekton kubernetes resources in the context of a service account with an on-cluster kubernetes config, and am experiencing errors specific to accessing deletecollection with all tekton resources. An example error is as follows:

pipelines.tekton.dev is forbidden: User "system:serviceaccount:my-account:default" cannot deletecollection resource "pipelines" in API group "tekton.dev" in the namespace "my-namespace"

I have tried to apply RBAC to help here, but continue to experience the same errors. My RBAC attempt is as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: my-namespace
rules:
- apiGroups: ["tekton.dev"]
  resources: ["pipelines", "pipelineruns", "tasks", "taskruns"]
  verbs: ["get", "watch", "list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-role-binding
  namespace: my-namespace
subjects:
- kind: User
  name: system:serviceaccount:my-account:default
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io

These RBAC configurations continue to result in the same error. Is this, or something similar, necessary? Are there any examples of RBAC when interfacing with, specifically deleting, Tekton resources?

scniro

2 Answers


Given two namespaces, my-namespace and my-account, the default service account in the my-account namespace is correctly granted permission for the deletecollection verb on pipelines in my-namespace.

You can verify this using kubectl auth can-i after applying the manifests:

$ kubectl -n my-namespace --as="system:serviceaccount:my-account:default" auth can-i deletecollection pipelines.tekton.dev
yes

Verify that you have actually applied your RBAC manifests.

pst

Change the RBAC as below

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: my-namespace
rules:
- apiGroups: ["tekton.dev"]
  resources: ["pipelines", "pipelineruns", "tasks", "taskruns"]
  verbs: ["get", "watch", "list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-rolebinding
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: my-account
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io

Few things to note:

  1. Fixed subjects to use ServiceAccount instead of User. This is actually the cause of the failure because the service account was not granted the RBAC.
  2. I assumed that you want to delete the Tekton resources in my-namespace by the default service account of the my-account namespace. If it's different then changes in the Role and RoleBinding need to be done accordingly.
Arghya Sadhu
  • This is the wrong approach. Your changes grant the default service account in the `my-account` namespace cluster-wide permissions. It is irrelevant if you use a Role or a ClusterRole. But to grant cross-namespace permissions simply use a RoleBinding in the target namespace, that refers to a subject in another namespace. Also, deletecollection is a valid verb. – pst Jul 28 '20 at 14:43
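Both answers turn on how a RoleBinding subject is matched against the identity a service account token carries. The following script is an added example, not code from the question or from either answer: it simulates the namespaced part of the RBAC decision that `kubectl auth can-i` asks the API server for, using the thread's Role and both RoleBinding spellings (the question's `User` subject and the second answer's `ServiceAccount` subject). The manifests are constructed inline as Python dicts, as a YAML loader would return them; ClusterRoles, ClusterRoleBindings and aggregation are deliberately out of scope, and `DELETE_ONLY_ROLE` is a constructed variant used only to show that `delete` does not imply `deletecollection`.

```python
"""Offline model of the RBAC check behind `kubectl auth can-i` (added example).

Models only namespaced Roles and RoleBindings. A service account token is
authenticated by the API server as the user system:serviceaccount:<ns>:<name>
in the groups system:serviceaccounts and system:serviceaccounts:<ns>.
"""
from typing import Dict, List, Tuple


def service_account_identity(namespace: str, name: str) -> Tuple[str, List[str]]:
    """Username and groups the API server assigns to a service account token."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = ["system:serviceaccounts", f"system:serviceaccounts:{namespace}"]
    return user, groups


def subject_matches(subject: Dict, user: str, groups: List[str]) -> bool:
    """A RoleBinding subject matches by username, group, or service account."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        # A ServiceAccount subject is shorthand for the username above.
        return service_account_identity(subject["namespace"], subject["name"])[0] == user
    return False


def rule_allows(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    """Each verb is distinct: 'delete' never stands in for 'deletecollection'."""
    def listed(wanted: str, values: List[str]) -> bool:
        return "*" in values or wanted in values
    return (listed(api_group, rule.get("apiGroups", []))
            and listed(resource, rule.get("resources", []))
            and listed(verb, rule.get("verbs", [])))


def can_i(roles: List[Dict], bindings: List[Dict], user: str, groups: List[str],
          namespace: str, verb: str, resource: str, api_group: str) -> bool:
    """True if a RoleBinding in `namespace` naming the caller references a Role
    in that same namespace whose rules allow the request."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are not modelled here
        role = by_key.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, api_group, resource, verb) for rule in role.get("rules", [])):
            return True
    return False


# Constructed manifests mirroring the thread (as dicts, not YAML files).
MY_ROLE = {
    "kind": "Role", "metadata": {"name": "my-role", "namespace": "my-namespace"},
    "rules": [{"apiGroups": ["tekton.dev"],
               "resources": ["pipelines", "pipelineruns", "tasks", "taskruns"],
               "verbs": ["get", "watch", "list", "delete", "deletecollection"]}],
}
# Hypothetical variant: same role without the deletecollection verb.
DELETE_ONLY_ROLE = {
    "kind": "Role", "metadata": {"name": "my-role", "namespace": "my-namespace"},
    "rules": [{"apiGroups": ["tekton.dev"], "resources": ["pipelines"],
               "verbs": ["get", "list", "delete"]}],
}
# The question's binding: a User subject spelled as the service account's username.
USER_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "my-role-binding", "namespace": "my-namespace"},
    "subjects": [{"kind": "User", "name": "system:serviceaccount:my-account:default"}],
    "roleRef": {"kind": "Role", "name": "my-role"},
}
# The second answer's binding: a ServiceAccount subject with its namespace.
SA_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "my-rolebinding", "namespace": "my-namespace"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "my-account"}],
    "roleRef": {"kind": "Role", "name": "my-role"},
}


def check(binding: Dict, role: Dict = MY_ROLE, verb: str = "deletecollection",
          resource: str = "pipelines", namespace: str = "my-namespace") -> bool:
    """Ask: can system:serviceaccount:my-account:default do <verb> <resource>.tekton.dev?"""
    user, groups = service_account_identity("my-account", "default")
    return can_i([role], [binding], user, groups, namespace, verb, resource, "tekton.dev")


if __name__ == "__main__":
    print("User subject, deletecollection pipelines:", check(USER_BINDING))
    print("ServiceAccount subject, deletecollection pipelines:", check(SA_BINDING))
    print("same binding evaluated in my-account:", check(SA_BINDING, namespace="my-account"))
    print("role with delete but not deletecollection:", check(SA_BINDING, role=DELETE_ONLY_ROLE))
```

In this model both subject spellings resolve to the same identity, which mirrors how the API server authenticates a service account token, so the manifest in the question and the one in the second answer are equivalent grants. What no offline check can tell you is whether the objects are actually present in the cluster, which is why `kubectl get role,rolebinding -n my-namespace` and the `kubectl auth can-i --as=...` query from the first answer are the checks to run first.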