DataWorkz-NL / KubeETL

ETL controller for Kubernetes
Apache License 2.0

WorkflowReconciler Can't list secrets #61

Open Blokje5 opened 2 years ago

Blokje5 commented 2 years ago

We should make sure RBAC is set correctly (and update the quick-starts).

2022-06-02T10:25:06.469Z        INFO    controllers.Workflow    creating connection secret      {"workflow": "kubeetl/basic-workflow", "name": "basic-workflow-62617369632d776f726b666c6f77d41d8cd98f00b204e9800998ecf8427e", "namespace": "kubeetl"}
E0602 10:25:06.491348       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kubeetl:default" cannot list resource "secrets" in API group "" at the cluster scope
E0602 10:25:07.845491       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kubeetl:default" cannot list resource "secrets" in API group "" at the cluster scope
E0602 10:25:09.557008       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kubeetl:default" cannot list resource "secrets" in API group "" at the cluster scope
E0602 10:25:13.265090       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kubeetl:default" cannot list resource "secrets" in API group "" at the cluster scope
E0602 10:25:20.289834       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kubeetl:default" cannot list resource "secrets" in API group "" at the cluster scope
E0602 10:25:36.911540       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kubeetl:default" cannot list resource "secrets" in API group "" at the cluster scope

ThijsKoot commented 2 years ago

Right, so we probably don't want to create blanket secret permissions. We could move secret creation into the injection phase; that way our controller doesn't need any secret permissions at all. The service account running the Workflow would need the required RBAC. Thoughts? @Blokje5
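
To make the denial in the log and the two options discussed here concrete, below is an added Go example (not KubeETL code and not from either commenter). It is a deliberately simplified model of the Kubernetes RBAC authorizer's decision (verbs, API groups and resources only; resourceNames, subresources, nonResourceURLs and role aggregation are ignored) with the bindings constructed inline. The service account name comes from the log above; the `secrets` rule, the `kubeetl`/`other` namespaces and the verb set are assumptions made for the example. The point it shows: an informer that is not restricted to a namespace issues a cluster-scoped LIST, and no namespaced Role can ever satisfy that, which is exactly why a least-privilege RoleBinding alone still produces the "at the cluster scope" error.

```go
package main

import "fmt"

// ControllerSA is the identity from the log above: the controller pod runs
// under the kubeetl namespace's default ServiceAccount.
const ControllerSA = "system:serviceaccount:kubeetl:default"

// Rule is a simplified PolicyRule: verbs on resources in API groups
// (resourceNames, subresources and nonResourceURLs are ignored here).
type Rule struct {
	Verbs, APIGroups, Resources []string
}

// Binding grants Rules to one subject. Namespace == "" models a
// ClusterRoleBinding to a ClusterRole; otherwise a RoleBinding, whose
// grant is confined to that namespace even when it references a ClusterRole.
type Binding struct {
	Subject, Namespace string
	Rules              []Rule
}

// Request is one API call. Namespace == "" is a cluster-scoped request,
// which is exactly what an unrestricted informer issues when it lists Secrets.
type Request struct {
	User, Verb, APIGroup, Resource, Namespace string
}

func matches(want string, have []string) bool {
	for _, h := range have {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// Authorize mirrors the RBAC authorizer's decision: the request is allowed
// if any binding for the user covers its scope and one of that binding's
// rules matches verb, API group and resource. A namespaced binding never
// covers a cluster-scoped request, which is the denial seen in the log.
func Authorize(bindings []Binding, req Request) (bool, string) {
	for _, b := range bindings {
		if b.Subject != req.User || (b.Namespace != "" && b.Namespace != req.Namespace) {
			continue
		}
		for _, r := range b.Rules {
			if matches(req.Verb, r.Verbs) && matches(req.APIGroup, r.APIGroups) && matches(req.Resource, r.Resources) {
				return true, ""
			}
		}
	}
	scope := fmt.Sprintf("in the namespace %q", req.Namespace)
	if req.Namespace == "" {
		scope = "at the cluster scope"
	}
	return false, fmt.Sprintf("User %q cannot %s resource %q in API group %q %s",
		req.User, req.Verb, req.Resource, req.APIGroup, scope)
}

// secretsRule is an assumed minimum for a controller that runs a Secret
// informer (list+watch) and logs "creating connection secret" (create).
func secretsRule() Rule {
	return Rule{Verbs: []string{"get", "list", "watch", "create"}, APIGroups: []string{""}, Resources: []string{"secrets"}}
}

// NamespacedBinding models a Role + RoleBinding in kubeetl only (least privilege).
func NamespacedBinding() Binding {
	return Binding{Subject: ControllerSA, Namespace: "kubeetl", Rules: []Rule{secretsRule()}}
}

// ClusterBinding models the blanket ClusterRole + ClusterRoleBinding the thread wants to avoid.
func ClusterBinding() Binding {
	return Binding{Subject: ControllerSA, Rules: []Rule{secretsRule()}}
}

// ListSecrets builds the informer's LIST call; ns == "" is the cluster-wide form.
func ListSecrets(ns string) Request {
	return Request{User: ControllerSA, Verb: "list", APIGroup: "", Resource: "secrets", Namespace: ns}
}

func main() {
	cases := []struct {
		name     string
		bindings []Binding
		req      Request
	}{
		{"namespaced Role, cluster-wide list (the log above)", []Binding{NamespacedBinding()}, ListSecrets("")},
		{"namespaced Role, list in kubeetl", []Binding{NamespacedBinding()}, ListSecrets("kubeetl")},
		{"namespaced Role, list in another namespace", []Binding{NamespacedBinding()}, ListSecrets("other")},
		{"ClusterRole, cluster-wide list (blanket grant)", []Binding{ClusterBinding()}, ListSecrets("")},
	}
	for _, c := range cases {
		ok, why := Authorize(c.bindings, c.req)
		fmt.Printf("%-52s allowed=%v %s\n", c.name, ok, why)
	}
}
```

The first case reproduces the exact message client-go logged. Getting rid of it without a blanket ClusterRole means either restricting the controller-runtime manager's cache to the kubeetl namespace so the informer lists there (then the namespaced Role in the second case is enough), or, as proposed in the comment above, dropping Secret permissions from the controller entirely and binding the Role to the Workflow's own ServiceAccount in its namespace, which in this model is simply a Binding with a different Subject and no entry for the controller at all.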

Blokje5 commented 2 years ago

If we can keep the permissions for the controller as small as possible, that would be preferred, yes. It is then also easier to make this an optional feature for those who do not want to rely on the secret injection mechanism.

ThijsKoot commented 2 years ago

I've got a PR almost ready for this, moving it out of controllers actually made more sense anyway.