
helm/rbac: split crd create permissions #201

Merged (1 commit into main, Jun 29, 2022)

Conversation

willfindlay (Contributor)

According to the k8s RBAC documentation:

Note: You cannot restrict create or deletecollection requests by their resource name.
For create, this limitation is because the name of the new object may not be known at
authorization time.

This was causing our operator to fail because the "create" verb was restricted by
resource name, which was not known ahead of time. To fix this, we need to split out the
"create" permission such that it is not restricted by resourceNames. We can keep the other
CRD permissions as-is.

Logs from operator before this change:

level=fatal msg="Unable to register CRDs" error="Unable to create custom resource
definition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User
\"system:serviceaccount:kube-system:tetragon\" cannot create resource
\"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster
scope" subsys=tetragon-operator

Signed-off-by: William Findlay [email protected]
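As an added example (not code from this PR or from the Tetragon chart), a small Python checker that flags RBAC rules where `resourceNames` coexists with a verb RBAC cannot scope by name, and rewrites them into the split form this PR applies. The rule contents and the CRD name are constructed placeholders, since the page does not show the chart's actual ClusterRole.

```python
"""Flag RBAC rules whose resourceNames can never apply to name-blind verbs
("create", "deletecollection") and split them into an effective pair."""
from copy import deepcopy

# Verbs that RBAC cannot restrict by resourceNames (per the k8s RBAC docs).
NAME_BLIND_VERBS = {"create", "deletecollection"}


def find_ineffective_rules(rules):
    """Return (index, verbs) for each rule that combines resourceNames with
    a verb the resourceNames restriction silently fails to authorize."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.get("resourceNames"):
            continue
        bad = sorted(NAME_BLIND_VERBS & set(rule.get("verbs", [])))
        if bad:
            findings.append((i, bad))
    return findings


def split_rule(rule):
    """Split a rule into an unrestricted rule for the name-blind verbs and a
    resourceNames-scoped rule for the remaining verbs (1 or 2 rules)."""
    verbs = list(rule.get("verbs", []))
    blind = [v for v in verbs if v in NAME_BLIND_VERBS]
    scoped = [v for v in verbs if v not in NAME_BLIND_VERBS]
    if not rule.get("resourceNames") or not blind:
        return [deepcopy(rule)]  # nothing to fix, keep the rule as-is
    unrestricted = {k: v for k, v in rule.items() if k != "resourceNames"}
    unrestricted["verbs"] = blind
    out = [unrestricted]
    if scoped:
        restricted = deepcopy(rule)
        restricted["verbs"] = scoped
        out.append(restricted)
    return out


def fix_rules(rules):
    """Apply split_rule to every rule, preserving order."""
    return [fixed for rule in rules for fixed in split_rule(rule)]


# Constructed sample resembling the broken rule; the CRD name is a placeholder.
BROKEN_RULES = [{
    "apiGroups": ["apiextensions.k8s.io"],
    "resources": ["customresourcedefinitions"],
    "resourceNames": ["examplepolicies.example.io"],
    "verbs": ["create", "get", "list", "watch", "update", "delete"],
}]

if __name__ == "__main__":
    for i, verbs in find_ineffective_rules(BROKEN_RULES):
        print(f"rule {i}: resourceNames cannot restrict {verbs}")
    print(fix_rules(BROKEN_RULES))
```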

@willfindlay willfindlay requested a review from sharlns June 28, 2022 19:01
@willfindlay willfindlay requested a review from a team as a code owner June 28, 2022 19:01
@kkourt kkourt merged commit 8731771 into main Jun 29, 2022
@kkourt kkourt deleted the pr/willfindlay/fix-helm branch June 29, 2022 05:36