This repository has been archived by the owner on Apr 4, 2023. It is now read-only.
RBAC roles and bindings installed by ./hack/prepare-e2e.sh mask errors and missing configuration in the helm RBAC template #110
I think we could probably move this into the chart:

```yaml
# Create a ClusterRole to work with ElasticsearchCluster resources
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    name: navigator:authenticated
  # this rule defined on the role for specifically the
  # namespace-lifecycle admission-controller
  rules:
  - apiGroups: ["navigator.jetstack.io"]
    resources: ["elasticsearchclusters", "pilots"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    name: "navigator:authenticated"
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: navigator:authenticated
  # every request, authenticated or anonymous, belongs to one of these two groups
  subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:unauthenticated
    apiGroup: rbac.authorization.k8s.io
```

but not the other bits. AFAIK kubectl is connecting as an authenticated user - I think the error message just masks what the actual username is or something. Otherwise more requests than just the ones we see failing would be failing (plus also, minikube configures kubectl to talk to the apiserver on port 8443, which is a secure port which requires auth).
This was referenced Nov 9, 2017

jetstack-bot added a commit that referenced this issue on Nov 9, 2017:
Automatic merge from submit-queue.

Update controller clusterrole to allow it to manage cassandraclusters

* I also removed the `navigator:authenticated` clusterrole from prepare-e2e.sh because I don't understand why it's needed.
* Navigator controller is authenticated via serviceAccount `nav-e2e-navigator-controller`
* That service account is bound to ClusterRole `nav-e2e-navigator:controller`

```
kubectl get clusterrolebindings nav-e2e-navigator:controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2017-11-09T12:11:31Z
  name: nav-e2e-navigator:controller
  resourceVersion: "1699"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/nav-e2e-navigator%3Acontroller
  uid: 1f79fa4b-c547-11e7-8aa2-52540064a5b1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nav-e2e-navigator:controller
subjects:
- kind: ServiceAccount
  name: nav-e2e-navigator-controller
  namespace: default
```

* ClusterRole `nav-e2e-navigator:controller` allows all verbs on all Navigator resources.

```
kubectl get clusterrole nav-e2e-navigator:controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2017-11-09T12:11:31Z
  name: nav-e2e-navigator:controller
  resourceVersion: "1694"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/nav-e2e-navigator%3Acontroller
  uid: 1f7462a7-c547-11e7-8aa2-52540064a5b1
rules:
- apiGroups:
  - navigator.jetstack.io
  resources:
  - elasticsearchclusters
  - pilots
  - cassandraclusters
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
...
```

Fixes: #110

**Release note**:
```release-note
NONE
```
Closed by #122
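The two bindings discussed in this thread show the point of the issue: the `navigator:authenticated` binding grants write verbs to both `system:authenticated` and `system:unauthenticated`, which together match every request, so the controller would keep working even if its own `nav-e2e-navigator:controller` ClusterRole were wrong or missing from the chart. As an added example, not code from the Navigator repository or from anyone in this thread, here is a small Go audit that reads the JSON from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` and reports every ClusterRoleBinding that hands one of those blanket groups a role with write verbs. The sample objects are constructed inline from the roles and bindings quoted above (only the fields the check reads are kept); the type and function names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Just the fields this check needs from `kubectl get clusterroles -o json` and
// `kubectl get clusterrolebindings -o json`; encoding/json ignores the rest.
type rbacObject struct {
	Metadata struct{ Name string `json:"name"` }                           `json:"metadata"`
	Rules    []struct{ Verbs []string `json:"verbs"` }                     `json:"rules"`    // ClusterRole
	RoleRef  struct{ Name string `json:"name"` }                           `json:"roleRef"`  // ClusterRoleBinding
	Subjects []struct{ Kind string `json:"kind"`; Name string `json:"name"` } `json:"subjects"` // ClusterRoleBinding
}

type rbacList struct {
	Items []rbacObject `json:"items"`
}

// Every request is in exactly one of these groups, so binding a role to either
// of them grants it to everyone, anonymous clients included.
var blanketGroups = map[string]bool{"system:authenticated": true, "system:unauthenticated": true}

// Verbs that change state; "*" covers all of them.
var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true,
	"delete": true, "deletecollection": true, "*": true}

// Finding is one ClusterRoleBinding that hands a blanket group write access.
type Finding struct {
	Binding, Group, Role string
	Verbs                []string // write verbs the role grants, in rule order
}

func writeVerbsOf(role rbacObject) []string {
	var out []string
	seen := map[string]bool{}
	for _, rule := range role.Rules {
		for _, v := range rule.Verbs {
			if writeVerbs[v] && !seen[v] {
				seen[v] = true
				out = append(out, v)
			}
		}
	}
	return out
}

// AuditBlanketBindings resolves each binding's roleRef against the role list and
// returns one Finding per (binding, blanket group) whose role grants a write verb.
func AuditBlanketBindings(rolesJSON, bindingsJSON string) ([]Finding, error) {
	var roles, bindings rbacList
	if err := json.Unmarshal([]byte(rolesJSON), &roles); err != nil {
		return nil, fmt.Errorf("parse clusterroles: %w", err)
	}
	if err := json.Unmarshal([]byte(bindingsJSON), &bindings); err != nil {
		return nil, fmt.Errorf("parse clusterrolebindings: %w", err)
	}
	byName := map[string]rbacObject{}
	for _, r := range roles.Items {
		byName[r.Metadata.Name] = r
	}
	var findings []Finding
	for _, b := range bindings.Items {
		role, ok := byName[b.RoleRef.Name]
		if !ok {
			continue // a binding to a role that does not exist grants nothing
		}
		verbs := writeVerbsOf(role)
		for _, s := range b.Subjects {
			if len(verbs) > 0 && s.Kind == "Group" && blanketGroups[s.Name] {
				findings = append(findings, Finding{b.Metadata.Name, s.Name, role.Metadata.Name, verbs})
			}
		}
	}
	return findings, nil
}

// Constructed sample: the two ClusterRoles and two ClusterRoleBindings quoted in
// this issue, as the JSON kubectl would print for them (unused fields omitted).
const sampleRoles = `{"items":[
 {"metadata":{"name":"navigator:authenticated"},"rules":[{"apiGroups":["navigator.jetstack.io"],"resources":["elasticsearchclusters","pilots"],"verbs":["get","list","watch","create","update","delete"]}]},
 {"metadata":{"name":"nav-e2e-navigator:controller"},"rules":[{"apiGroups":["navigator.jetstack.io"],"resources":["elasticsearchclusters","pilots","cassandraclusters"],"verbs":["get","list","watch","update","create","delete"]}]}]}`

const sampleBindings = `{"items":[
 {"metadata":{"name":"navigator:authenticated"},"roleRef":{"kind":"ClusterRole","name":"navigator:authenticated"},
  "subjects":[{"kind":"Group","name":"system:authenticated"},{"kind":"Group","name":"system:unauthenticated"}]},
 {"metadata":{"name":"nav-e2e-navigator:controller"},"roleRef":{"kind":"ClusterRole","name":"nav-e2e-navigator:controller"},
  "subjects":[{"kind":"ServiceAccount","name":"nav-e2e-navigator-controller","namespace":"default"}]}]}`

func main() {
	findings, err := AuditBlanketBindings(sampleRoles, sampleBindings)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s grants %s write access via ClusterRole %s (%s)\n", f.Binding, f.Group, f.Role, strings.Join(f.Verbs, ","))
	}
}
```

Run against the sample it reports the `navigator:authenticated` binding twice (once per blanket group) and says nothing about the service-account binding, which is the shape a chart's RBAC should have. To confirm a specific identity on a live cluster rather than scanning YAML, `kubectl auth can-i create elasticsearchclusters.navigator.jetstack.io --as=system:serviceaccount:default:nav-e2e-navigator-controller` asks the apiserver the same question for the controller's service account; with the blanket binding removed, that answer reflects the chart's ClusterRole alone.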
Can we remove any of that stuff from prepare-e2e.sh and move it into the chart?
And I think we need to figure out how to force kubectl to connect to the apiserver as an authenticated user.
/kind bug