-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wildcard verbs causes problems on OpenShift #1495
Comments
close as it looks stale |
Can this be re-opened? I think there is still an issue with the RBAC used by kotsadm. I was able to successfully install a kots application by patching the KotsadmRole to a dummy role and modifyin KotsadmRoleBinding function to use For instance:
Is there a reason why this isn't the approach taken when attempting to install in a namespace with minimal RBAC permissions? Thanks |
@calderonth currently the only workaround is to specify the |
OK I can try that but it doesn't answer why the wildcard verbs are used in the first place. For the namespace deployment using a ClusterRole mapped to admin was enough (on GKE). Is there other reasons I am missing? |
This is done because resources can be added to cluster dynamically, and there is no way to know them ahead of time. Kots also won't default to user's permissions because they can be insufficient (either now or in the future). So expectation is that the installation is performed by someone with sufficient permissions or Role/ClusterRole is tailored to the specific cluster's needs. |
Is there a known example where admin in a namespce would not be sufficient for kots to operate? |
Yes, examples are easy to create. There is one in your diff. This will prevent kotsadm from deploying an application for example.
|
I don't think that's quite right, I've purposedly made the |
Correct, it's not right. That's an example of what doesn't work. Any definition is not the right one. The list of permissions is dynamic. |
We try to install at kots app and receive always the same error.
The user have admin permissions on the namespace but not cluster-admin rights.
It looks to me that this part is the reason for this error.
kots/pkg/kotsadm/kotsadm_objects.go
Line 45 in 1307dd6
The return value of this command is no.
kubectl -n $namespace auth can-i '*' 'configmap'
But this is command returns yes.
kubectl -n $namespace auth can-i 'create' 'configmap'
How about to add dedicated permissions to the policy instead of "*"?
The text was updated successfully, but these errors were encountered: