DataONEorg / k8s-cluster

Documentation on the DataONE Kubernetes cluster
Apache License 2.0

Update `roles`: add permissions for modifying `poddisruptionbudgets` in the `policy` API Group #51

Open artntek opened 1 day ago

artntek commented 1 day ago

Update application-context.yaml to add permissions for modifying poddisruptionbudgets in the policy API Group, so it will apply to all new accounts.

Explanation

Default permissions for service account roles currently do not include sufficient access to poddisruptionbudgets in the policy API Group

This access is required in order to install, upgrade and delete some 3rd party helm charts; for example, the latest bitnami Postgresql chart installation currently fails, with:

Error: INSTALLATION FAILED: Unable to continue with install: could not get information
about the resource PodDisruptionBudget "vegbank2-postgresql" in namespace "vegbank":
poddisruptionbudgets.policy "vegbank2-postgresql" is forbidden: User
"system:serviceaccount:vegbank:vegbank" cannot get resource "poddisruptionbudgets" in
API group "policy" in the namespace "vegbank"

Workarounds include manually editing the role for the service account in question, or using the admin service account to install/upgrade/delete (bad practice).

GitHub DataONE K8s repo for reference
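For reference, an added example of the kind of RBAC rule the issue is asking for; this is not the repository's own application-context.yaml and not the author's change. It is a standalone namespaced Role plus RoleBinding that grants exactly the policy/poddisruptionbudgets access Helm needs to render, diff and remove a chart's PodDisruptionBudget. The namespace and service-account name (vegbank) are taken from the error message above; the Role and RoleBinding names are assumed.

```yaml
# Added example, not the DataONE k8s-cluster repo's own manifest.
# Scoped as a namespaced Role: PodDisruptionBudgets are namespaced objects,
# so no ClusterRole is needed for this permission.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pdb-manager            # assumed name
  namespace: vegbank           # namespace from the error message in the issue
rules:
  # Helm fails at "could not get information about the resource PodDisruptionBudget"
  # because the chart renders a PDB; install/upgrade/delete need the full lifecycle
  # verbs on that one resource in the "policy" API group, and nothing broader.
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pdb-manager-binding    # assumed name
  namespace: vegbank
subjects:
  - kind: ServiceAccount
    name: vegbank              # service account from the error message in the issue
    namespace: vegbank
roleRef:
  kind: Role
  name: pdb-manager
  apiGroup: rbac.authorization.k8s.io
```

If the service account already has a role covering the chart's other resources, the single rule above can be merged into that role instead of binding a second one. Either way, the grant can be checked without re-running the Helm install by impersonating the service account: `kubectl auth can-i get poddisruptionbudgets.policy --as=system:serviceaccount:vegbank:vegbank -n vegbank` should answer `yes` once the rule is in place, and the same check with `create` and `delete` confirms upgrade and uninstall will not hit the same error.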

artntek commented 1 day ago

poddisruptionbudgets explanation:

https://kubernetes.io/docs/tasks/run-application/configure-pdb/