Remove cluster-wide namespace list/watch permissions

This permission was previously needed to support how we enforced timeouts, by listing all TaskRuns/PipelineRuns across all namespaces and determining whether they were past their timeout. Since tektoncd#3500 this check was changed to not require listing all namespaces, so I believe the permission is no longer necessary.
imjasonh · Apr 14, 2021 · 5d6d5ce · 5d6d5ce
1 parent 5dc24d2
commit 5d6d5ce
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -22,11 +22,8 @@ metadata:
     app.kubernetes.io/part-of: tekton-pipelines
 rules:
   - apiGroups: [""]
-    # Namespace access is required because the controller timeout handling logic
-    # iterates over all namespaces and times out any PipelineRuns that have expired.
-    # Pod access is required because the taskrun controller wants to be updated when
-    # a Pod underlying a TaskRun changes state.
-    resources: ["namespaces", "pods"]
+    # Controller needs to watch Pods created by TaskRuns to see them progress.
+    resources: ["pods"]
     verbs: ["list", "watch"]
     # Controller needs cluster access to all of the CRDs that it is responsible for
     # managing.