Update application-context.yaml to add permissions for modifying poddisruptionbudgets in the policy API Group, so it will apply to all new accounts.
Explanation
Default permissions for service account roles currently do not include sufficient access to poddisruptionbudgets in the policy API Group
This access is required in order to install, upgrade and delete some 3rd party helm charts; for example, the latest bitnami Postgresql chart installation currently fails, with:
Error: INSTALLATION FAILED: Unable to continue with install: could not get information
about the resource PodDisruptionBudget "vegbank2-postgresql" in namespace "vegbank":
poddisruptionbudgets.policy "vegbank2-postgresql" is forbidden: User
"system:serviceaccount:vegbank:vegbank" cannot get resource "poddisruptionbudgets" in
API group "policy" in the namespace "vegbank"
Workarounds include manually editing the role for the service account in question, or using the admin service account to install/upgrade/delete (bad practice).
Update application-context.yaml to add permissions for modifying
poddisruptionbudgets
in thepolicy
API Group, so it will apply to all new accounts.Explanation
Default permissions for service account roles currently do not include sufficient access to
poddisruptionbudgets
in thepolicy
API GroupThis access is required in order to install, upgrade and delete some 3rd party helm charts; for example, the latest bitnami Postgresql chart installation currently fails, with:
Workarounds include manually editing the role for the service account in question, or using the admin service account to install/upgrade/delete (bad practice).
GitHub DataONE K8s repo for reference