ApiServerSource does individual SubjectAccessReview requests when all namespaces are selected
Describe the bug
When an empty selector is used on an ApiServerSource to match all namespaces, it checks permissions with SubjectAccessReview for all namespaces individually.
Expected behavior
The ApiServerSource does a single SubjectAccessReview with the namespace set to an empty string, which makes Kubernetes check the whole cluster at once. See resourceAttributes.namespace on the authorization reference.
To Reproduce
See https://gist.github.com/rh-hemartin/1492d8985515ed77ff2c574afd35d471
Knative release version
v1.18.2
Additional context
None
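The expected behavior above, sketched as an added example (not Knative's code and not written by the issue author): a planner that emits one SubjectAccessReview per verb with an empty namespace when all namespaces are selected, instead of one per verb per namespace. The struct types are local mirrors of the authorization.k8s.io/v1 fields; the verb set, service account and namespace names are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirrors of the authorization.k8s.io/v1 fields used here (no client-go needed).
type ResourceAttributes struct {
	Namespace string `json:"namespace"` // "" means all namespaces
	Verb      string `json:"verb"`
	Group     string `json:"group"`
	Resource  string `json:"resource"`
}
type Spec struct {
	ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
	User               string             `json:"user"`
}
type SubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       Spec   `json:"spec"`
}

// PlanReviews (hypothetical helper) returns the reviews to send for one resource.
// With allNamespaces set, the namespace list collapses to a single "" entry.
func PlanReviews(user, group, resource string, verbs, namespaces []string, allNamespaces bool) []SubjectAccessReview {
	if allNamespaces {
		namespaces = []string{""}
	}
	var out []SubjectAccessReview
	for _, ns := range namespaces {
		for _, verb := range verbs {
			attrs := ResourceAttributes{Namespace: ns, Verb: verb, Group: group, Resource: resource}
			out = append(out, SubjectAccessReview{"authorization.k8s.io/v1", "SubjectAccessReview", Spec{attrs, user}})
		}
	}
	return out
}

func main() {
	verbs := []string{"get", "list", "watch"}          // assumed verb set
	namespaces := []string{"default", "team-a", "team-b"} // constructed sample
	user := "system:serviceaccount:default:events-sa"  // constructed sample
	fmt.Println(len(PlanReviews(user, "", "events", verbs, namespaces, false)), "per-namespace reviews")
	all := PlanReviews(user, "", "events", verbs, namespaces, true)
	body, _ := json.MarshalIndent(all[0], "", "  ")
	fmt.Printf("%d cluster-wide reviews, first body:\n%s\n", len(all), body)
}
```

Under RBAC, a review with an empty namespace is allowed only when the subject holds the permission cluster-wide, for example through a ClusterRoleBinding; RoleBindings in each individual namespace do not satisfy it.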
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.
/remove-lifecycle stale