bug: APIExport claim race conditions for events #3803

@mjudeikis

Describe the bug

Permissions are not taken into account early on in the binding's existence:

Steps To Reproduce

  1. Setup https://github.com/kcp-dev/multicluster-provider/tree/main/examples/apiexport
  2. Run controller (controller MUST run before workspaces exists)
  3. Create bundle (as per example)

2026-01-27T08:49:52+02:00       INFO    Reconciling ConfigMap   {"controller": "kcp-configmap-controller", "controllerGroup": "", "controllerKind": "ConfigMap", "reconcileID": "0ae0f791-5a98-401b-86e0-cc68ba625bf3", "cluster": "eo3sm8jns42bcuxw", "name": "kube-root-ca.crt", "uuid": "0ef2d6b2-0fc7-491f-9489-ec4bdbed179d"}
E0127 08:49:52.736523   93187 event.go:359] "Server rejected event (will not retry!)" err="events is forbidden: User \"kcp-admin\" cannot create resource \"events\" in API group \"\" in the namespace \"kube-system\": access denied" event="&Event{ObjectMeta:{kube-root-ca.crt.188e83c6a142cb00  kube-system    0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},InvolvedObject:ObjectReference{Kind:ConfigMap,Namespace:kube-system,Name:kube-root-ca.crt,UID:0ef2d6b2-0fc7-491f-9489-ec4bdbed179d,APIVersion:v1,ResourceVersion:1684,FieldPath:,},Reason:ConfigMap Reconciled,Message:ConfigMap kube-root-ca.crt reconciled,Source:EventSource{Component:kcp-configmap-controller,Host:,},FirstTimestamp:2026-01-27 08:49:52.735456 +0200 EET m=+83.244498584,LastTimestamp:2026-01-27 08:49:52.735456 +0200 EET m=+83.244498584,Count:1,Type:Normal,EventTime:0001-01-01 00:00:00 +0000 UTC,Series:nil,Action:,Related:nil,ReportingController:kcp-configmap-controller,ReportingInstance:,}"

We get "Server rejected event (will not retry!)".

While if you create a CM in the existing workspace (example 3):

k create cm bar                                                                                                                           08:50:45
configmap/bar created
~/go/src/github.com/kcp-dev/multicluster-provider/examples/apiexport @1861afae* ❯ k get ev                                                                                                                                  08:50:51
Warning: short name "ev" could also match lower priority resource events.events.k8s.io
LAST SEEN   TYPE     REASON                 OBJECT                       MESSAGE
3s          Normal   ConfigMap Reconciled   configmap/bar                ConfigMap bar reconciled
32s         Normal   ConfigMap Reconciled   configmap/kube-root-ca.crt   ConfigMap kube-root-ca.crt reconciled

This means the reconciler already gets events while permissions are still being propagated, and hence fails.

Expected Behaviour

We should at least try not to admit the apibinding to VirtualWorkspace or to ready state while permissions are not yet propagated. This might be harder than it sounds :/

Additional Context

No response
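
A controller-side illustration of the gating idea above, as an added example that is not part of the original issue and not kcp or multicluster-provider code: hold back work for a newly engaged cluster until a permission check for creating events succeeds. `AccessCheck`, `WaitForAccess` and `simulatedPropagation` are hypothetical names; in a real controller the check could wrap a SelfSubjectAccessReview, which is an assumption here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// AccessCheck is a hypothetical hook reporting whether the controller's
// identity may currently create events in the target cluster (assumption:
// a real implementation could issue a SelfSubjectAccessReview).
type AccessCheck func(ctx context.Context) (bool, error)

var ErrNotPropagated = errors.New("permissions not propagated before deadline")

// WaitForAccess polls check with capped exponential backoff until access is
// granted, the check itself fails, or ctx ends. It returns the attempt count.
func WaitForAccess(ctx context.Context, check AccessCheck, initial, maxDelay time.Duration) (int, error) {
	delay := initial
	for attempt := 1; ; attempt++ {
		granted, err := check(ctx)
		if err != nil {
			return attempt, err
		}
		if granted {
			return attempt, nil
		}
		select {
		case <-ctx.Done():
			return attempt, ErrNotPropagated
		case <-time.After(delay):
		}
		if delay *= 2; delay > maxDelay {
			delay = maxDelay
		}
	}
}

// simulatedPropagation is constructed sample behaviour: the first `denied`
// checks fail, then access is granted, mimicking a freshly bound workspace.
func simulatedPropagation(denied int) AccessCheck {
	calls := 0
	return func(context.Context) (bool, error) {
		calls++
		return calls > denied, nil
	}
}

func main() {
	fmt.Println(WaitForAccess(context.Background(), simulatedPropagation(3), time.Millisecond, 20*time.Millisecond))
}
```
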

Labels

kind/bug: Categorizes issue or PR as related to a bug.