Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Necessary Access to roles and rolebindings in the rbac.authorization.k8s.io API Group #48

Open
artntek opened this issue Aug 20, 2024 · 2 comments
Open

Add Necessary Access to roles and rolebindings in the rbac.authorization.k8s.io API Group #48

artntek opened this issue Aug 20, 2024 · 2 comments
Assignees
@artntek

Comments

@artntek
Copy link
Contributor

artntek commented Aug 20, 2024
edited
Loading

Goal

Modify application-context.yaml to add necessary access (i.e. kubectl get, create, and delete) to roles and rolebindings in the rbac.authorization.k8s.io API Group, so it will apply to all new accounts.

Explanation

Default permissions for service account roles currently do not include sufficient access to roles and rolebindings in rbac.authorization.k8s.io.

This access is required in order to install, upgrade and delete some 3rd party helm charts; for example, the bitnami RabbitMQ chart installation currently fails, with:

  Error: INSTALLATION FAILED: Unable to continue with install: could not get information about the resource
  Role "metacatbrooke-rabbitmq-endpoint-reader" in namespace "brooke": roles.rbac.authorization.k8s.io
  "metacatbrooke-rabbitmq-endpoint-reader" is forbidden: User "system:serviceaccount:brooke:brooke"
  cannot get resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "brooke"

Workarounds include manually editing the role for the service account in question, or using the admin service account to install/upgrade/delete (bad practice).

Default permissions are here: application-context.yaml

GitHub DataONE K8s repo for reference
@artntek artntek self-assigned this Aug 20, 2024
@artntek artntek mentioned this issue Aug 20, 2024
Merged
@mbjones
Copy link
Member

mbjones commented Aug 21, 2024

Completed in PR #49 - closing. New service accounts will now have this permission, but existing SAs will need to be manually updated with the new permission.

@mbjones mbjones closed this as completed Aug 21, 2024
@artntek artntek reopened this Aug 27, 2024
@artntek
Copy link
Contributor Author

artntek commented Aug 27, 2024
edited
Loading

I was wrong - role also needs create and delete in order to work across the whole helm lifecycle for bitnami rabbitmq chart. description updated above

@artntek artntek changed the title Add Read-Only Access to roles and rolebindings in the rbac.authorization.k8s.io API Group Add Necessary Access to roles and rolebindings in the rbac.authorization.k8s.io API Group Aug 27, 2024
@artntek artntek mentioned this issue Aug 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@artntek artntek

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mbjones @artntek