From 5d6d5ceda5c42b68cf41e2ed83b7bc109fffd5f1 Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Wed, 14 Apr 2021 09:31:17 -0400
Subject: [PATCH] Remove cluster-wide namespace list/watch permissions

This permission was previously needed to support how we enforced timeouts, by listing all TaskRuns/PipelineRuns across all namespaces and determining whether they were past their timeout. Since https://github.com/tektoncd/pipeline/pull/3500/ this check was changed to not require listing all namespaces, so I believe the permission is no longer necessary.
---
 config/200-clusterrole.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 658be4cdf92..3305e8073d6 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -22,11 +22,8 @@ metadata:
     app.kubernetes.io/part-of: tekton-pipelines
 rules:
 - apiGroups: [""]
-  # Namespace access is required because the controller timeout handling logic
-  # iterates over all namespaces and times out any PipelineRuns that have expired.
-  # Pod access is required because the taskrun controller wants to be updated when
-  # a Pod underlying a TaskRun changes state.
-  resources: ["namespaces", "pods"]
+  # Controller needs to watch Pods created by TaskRuns to see them progress.
+  resources: ["pods"]
   verbs: ["list", "watch"]
 # Controller needs cluster access to all of the CRDs that it is responsible for
 # managing.
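Review bot: Dropping `namespaces` from the `resources` list is the right least-privilege move, but the commit message only says the permission is "believed" unnecessary, and nothing in the hunk shows that no namespace informer or lister is still wired into the controller. If an informer for Namespaces is still registered, the controller's cache sync will fail with a forbidden list/watch under this role and the process never becomes ready, so the change should be paired with a check that no code path still lists or watches namespaces (a grep for the namespace informer/lister, plus a startup run under this ClusterRole watching for a "namespaces is forbidden" error). The new comment could also make the remaining scope explicit for the next reviewer, e.g. `# Pod list/watch is still cluster-wide: this role can read every Pod spec in the cluster.` The `rules` list continues outside the hunk, so other cluster-scoped grants in this role are not visible here.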