deletecollection kubernetes (tekton) resources - specific RBAC needed?
Given two namespaces, `my-namespace` and `my-account`, the `default` service account in the `my-account` namespace is correctly granted permissions to the `deletecollection` verb on `pipelines` in `my-namespace`.
You can verify this using `kubectl auth can-i` like this after applying:

```
$ kubectl -n my-namespace --as="system:serviceaccount:my-account:default" auth can-i deletecollection pipelines.tekton.dev
yes
```
Verify that you have actually applied your RBAC manifests.
Change the RBAC as below:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-role
  namespace: my-namespace
rules:
- apiGroups: ["tekton.dev"]
  resources: ["pipelines", "pipelineruns", "tasks", "taskruns"]
  verbs: ["get", "watch", "list", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-rolebinding
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: my-account
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io
```
A few things to note:

- Fixed `subjects` to use `ServiceAccount` instead of `User`. This is actually the cause of the failure, because the service account was not granted the RBAC.
- I assumed that you want to delete the Tekton resources in `my-namespace` with the `default` service account of the `my-account` namespace. If it's different, then the `Role` and `RoleBinding` need to be changed accordingly.
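To see why the `User` subject fails and the `ServiceAccount` subject works without needing a cluster, here is a small model of the Kubernetes RBAC authorizer for namespaced `Role`/`RoleBinding` objects. This is an added example, not code from the answer above or from Kubernetes itself; the manifests are the answer's YAML transcribed into Python dicts (constructed inline), and the `Request` class and `can_i` function are this example's own names. It also shows that `delete` alone does not cover the separate `deletecollection` verb.

```python
"""Toy evaluator for Kubernetes namespaced RBAC (Role + RoleBinding).

Added example, not Kubernetes code. It models only the parts of the RBAC
authorizer needed here: subject matching, roleRef resolution within the
binding's namespace, and apiGroup/resource/verb rule matching.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """An authorization request as the apiserver sees it (constructed)."""
    user: str        # e.g. "system:serviceaccount:my-account:default"
    verb: str        # get, list, delete, deletecollection, ...
    api_group: str   # "" for the core group, "tekton.dev" for Tekton
    resource: str    # "pipelines", "pipelineruns", ...
    namespace: str   # namespace the request targets


def service_account_user(namespace: str, name: str) -> str:
    """Username the apiserver assigns to a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def subject_matches(subject: dict, user: str) -> bool:
    """A ServiceAccount subject matches the derived username; a User subject
    matches its literal name only. Group subjects are out of scope here."""
    if subject["kind"] == "ServiceAccount":
        return user == service_account_user(subject["namespace"], subject["name"])
    if subject["kind"] == "User":
        return user == subject["name"]
    return False


def rule_matches(rule: dict, req: Request) -> bool:
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or req.api_group in groups)
            and ("*" in resources or req.resource in resources)
            and ("*" in verbs or req.verb in verbs))


def can_i(roles: list, bindings: list, req: Request) -> bool:
    """True if a RoleBinding in req.namespace binds req.user to a Role whose
    rules allow the request. A roleRef of kind Role only resolves to a Role
    in the binding's own namespace."""
    by_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != req.namespace:
            continue
        if not any(subject_matches(s, req.user) for s in b.get("subjects", [])):
            continue
        if b["roleRef"]["kind"] != "Role":
            continue
        role = by_name.get((req.namespace, b["roleRef"]["name"]))
        if role and any(rule_matches(r, req) for r in role.get("rules", [])):
            return True
    return False


# Constructed manifests: the answer's Role, plus a binding with the original
# mistake (kind User) and the corrected one (kind ServiceAccount).
ROLE = {
    "metadata": {"name": "my-role", "namespace": "my-namespace"},
    "rules": [{"apiGroups": ["tekton.dev"],
               "resources": ["pipelines", "pipelineruns", "tasks", "taskruns"],
               "verbs": ["get", "watch", "list", "delete", "deletecollection"]}],
}
DELETE_ONLY_ROLE = {  # same, but without deletecollection
    "metadata": {"name": "my-role", "namespace": "my-namespace"},
    "rules": [{"apiGroups": ["tekton.dev"], "resources": ["pipelines"],
               "verbs": ["get", "list", "delete"]}],
}
ROLE_REF = {"kind": "Role", "name": "my-role", "apiGroup": "rbac.authorization.k8s.io"}
BROKEN_BINDING = {
    "metadata": {"name": "my-rolebinding", "namespace": "my-namespace"},
    "subjects": [{"kind": "User", "name": "default", "namespace": "my-account"}],
    "roleRef": ROLE_REF,
}
FIXED_BINDING = {
    "metadata": {"name": "my-rolebinding", "namespace": "my-namespace"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "my-account"}],
    "roleRef": ROLE_REF,
}
REQ = Request(service_account_user("my-account", "default"),
              "deletecollection", "tekton.dev", "pipelines", "my-namespace")

if __name__ == "__main__":
    for label, roles, binding in (("User subject", [ROLE], BROKEN_BINDING),
                                  ("ServiceAccount subject", [ROLE], FIXED_BINDING),
                                  ("delete only", [DELETE_ONLY_ROLE], FIXED_BINDING)):
        print(f"{label}: {'yes' if can_i(roles, [binding], REQ) else 'no'}")
```

The `User` binding fails because the apiserver identifies the token as `system:serviceaccount:my-account:default`, which never equals the literal name `default`; a `ServiceAccount` subject carries the namespace so the username can be derived. Against a real cluster, `kubectl auth can-i --as=system:serviceaccount:my-account:default` exercises the same decision path.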