Operators deployed using the generated k8s resources are forbidden to access the CRD #869
Comments
The issue is caused by a ClusterRole that is bound using a RoleBinding instead of a ClusterRoleBinding.

What is generated:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kestra-flow-cluster-role
  namespace: kestra
rules:
  - apiGroups:
      - model.kestra.io
    resources:
      - kestraflows
      - kestraflows/status
      - kestraflows/finalizers
    verbs:
      - get
      - list
      - watch
      - patch
      - update
      - create
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kestra-flow-crd-validating-role-binding
  namespace: kestra
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: josdk-crd-validating-cluster-role
subjects:
  - kind: ServiceAccount
    name: kestra-orchestrator
    namespace: kestra
```

What should be generated:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kestra-flow-cluster-role
  namespace: kestra
rules:
  - apiGroups:
      - model.kestra.io
    resources:
      - kestraflows
      - kestraflows/status
      - kestraflows/finalizers
    verbs:
      - get
      - list
      - watch
      - patch
      - update
      - create
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kestra-flow-crd-validating-role-binding
  namespace: kestra
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: josdk-crd-validating-cluster-role
subjects:
  - kind: ServiceAccount
    name: kestra-orchestrator
    namespace: kestra
```
Hi @loicmathieu, I can't reproduce this. It seems that it will always generate Can you please confirm that you still can reproduce this error?
I am seeing the same error, and have some more details around this that may be helpful. The generated Role appears to be correct:
Where things go wrong is still in the role binding. The name of the role being bound to is incorrect:
Note, the roleRef.name value here is incorrect. It seems to just be using the namespace, instead of the name of the ClusterRole being generated, which appears to be the name of the custom resource. As far as I can tell, the role
Poking in the code, it looks like this line is the likely culprit. The method expects this to be the name of the controller, which aligns with the ClusterRole definition. However, it's getting passed the
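Both defects discussed in this thread (the reporter's ClusterRole bound by a namespaced RoleBinding, and the roleRef.name that does not match the generated ClusterRole) can be caught before the operator is deployed by linting the generated manifests. The following is an added example, not code from java-operator-sdk or from either commenter: the manifests are modelled as the plain dicts PyYAML's safe_load_all yields, the sample input is constructed to mirror the YAML quoted in the issue, and `lint_rbac`, `load_manifests` and `errors` are names chosen here. It flags a roleRef that names a role absent from the manifest set (such a binding grants nothing), a ClusterRole bound through a RoleBinding (its verbs then apply only in that namespace, which is what makes a cluster-wide controller "forbidden"), and a metadata.namespace on a cluster-scoped object, which has no effect.

```python
"""Lint generated Kubernetes RBAC manifests for the defects discussed in this issue.

Added example (not java-operator-sdk code). Manifests are plain dicts, the shape
PyYAML's safe_load_all produces; the sample below is constructed from the YAML
quoted in the issue.
"""

ROLE_KINDS = {"Role", "ClusterRole"}
BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding"}


def load_manifests(text):
    """Split a multi-document YAML string into dicts (requires PyYAML)."""
    import yaml  # assumed available; the constructed sample below does not need it
    return [doc for doc in yaml.safe_load_all(text) if doc]


def lint_rbac(docs, watches_all_namespaces=True):
    """Return (severity, message) findings for a list of manifest dicts.

    watches_all_namespaces=True models a controller that reconciles its CRD
    cluster-wide, the configuration the issue describes.
    """
    findings = []
    # Roles the bindings may legitimately point at: only those in this manifest set.
    defined = {(d["kind"], d["metadata"]["name"]) for d in docs if d.get("kind") in ROLE_KINDS}

    for d in docs:
        kind = d.get("kind")
        meta = d.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        ns = meta.get("namespace")

        if kind in CLUSTER_SCOPED and ns:
            findings.append(("warn", f"{kind}/{name}: metadata.namespace={ns!r} has no effect on a cluster-scoped object"))

        if kind not in BINDING_KINDS:
            continue

        ref = d.get("roleRef", {})
        ref_kind, ref_name = ref.get("kind"), ref.get("name")

        if (ref_kind, ref_name) not in defined:
            findings.append(("error", f"{kind}/{name}: roleRef {ref_kind}/{ref_name} is not defined in this manifest set, so the binding grants nothing"))

        if kind == "ClusterRoleBinding" and ref_kind != "ClusterRole":
            findings.append(("error", f"{kind}/{name}: a ClusterRoleBinding may only reference a ClusterRole, not {ref_kind}"))

        if kind == "RoleBinding" and ref_kind == "ClusterRole" and watches_all_namespaces:
            findings.append(("error", f"{kind}/{name}: ClusterRole {ref_name} is bound by a RoleBinding, so its verbs apply only in namespace {ns!r}; a controller watching all namespaces needs a ClusterRoleBinding"))

    return findings


def errors(findings):
    """Only the findings that will actually break the operator."""
    return [msg for sev, msg in findings if sev == "error"]


def _crd_rule():
    return [{"apiGroups": ["model.kestra.io"],
             "resources": ["kestraflows", "kestraflows/status", "kestraflows/finalizers"],
             "verbs": ["get", "list", "watch", "patch", "update", "create", "delete"]}]


# Constructed sample mirroring the "what is generated" manifests quoted in the issue.
GENERATED = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "kestra-flow-cluster-role", "namespace": "kestra"},
     "rules": _crd_rule()},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "kestra-flow-crd-validating-role-binding", "namespace": "kestra"},
     "roleRef": {"kind": "ClusterRole", "apiGroup": "rbac.authorization.k8s.io",
                 "name": "josdk-crd-validating-cluster-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "kestra-orchestrator", "namespace": "kestra"}]},
]

# What a cluster-wide operator needs: a ClusterRoleBinding whose roleRef.name
# matches the generated ClusterRole, and no namespace on either cluster-scoped object.
FIXED = [
    dict(GENERATED[0], metadata={"name": "kestra-flow-cluster-role"}),
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "kestra-flow-cluster-role-binding"},
     "roleRef": {"kind": "ClusterRole", "apiGroup": "rbac.authorization.k8s.io",
                 "name": "kestra-flow-cluster-role"},
     "subjects": GENERATED[1]["subjects"]},
]

if __name__ == "__main__":
    for label, docs in (("generated", GENERATED), ("fixed", FIXED)):
        print(f"== {label}")
        for sev, msg in lint_rbac(docs):
            print(f"[{sev}] {msg}")
```

On a live cluster the same two questions can be asked of the API server directly: `kubectl auth can-i list kestraflows.model.kestra.io --as=system:serviceaccount:kestra:kestra-orchestrator -n kestra` and the same command with `-n` set to any other namespace. With the generated RoleBinding the first answers "yes" only if roleRef.name really exists, and the second answers "no" regardless, which is exactly the forbidden error an all-namespaces controller hits.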
An improper name was generated in case a controller watched all namespaces. Fixes #869 Signed-off-by: Chris Laprun <[email protected]>
@nstuart-idexx thank you for the details, I've opened PR #959 to address the issue.
Operators deployed using the generated k8s resources are forbidden to access the CRD.
Steps to reproduce:
Then the operator fails to start with: