EnMasseProject / enmasse

EnMasse - Self-service messaging on Kubernetes and OpenShift
https://enmasseproject.github.io
Apache License 2.0

Kubernetes deployment doesn't work on clusters with RBAC support #201

Closed scholzj closed 7 years ago

scholzj commented 7 years ago

It looks like the deployment for Kubernetes doesn't work with Kubernetes clusters with RBAC enabled. The deploy_kubernetes.sh script takes care of the service accounts but doesn't create the roles / role bindings.

Unfortunately, it looks like, due to an issue with the Fabric8 Kubernetes client (fabric8io/kubernetes-client#850), the enmasse-service-account needs cluster-admin permissions on Kubernetes. This is not exactly secure (cluster-admin = unlimited permissions). I can create a PR with this, but I'm not sure whether this is something that should be committed (given the security concerns).

Even without committing this, it would be good to at least add some note to the Getting Started guide. Right now it basically gets stuck with only address-controller deployed (but running) and it is not really obvious what the problem might be.

What is the preferred option? Updating the deployment script (even with less than ideal security)? Or adding only a note to the getting started guide to clarify RBAC issues?
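The cluster-admin concern raised above can be audited after deployment. The following is an added example, not code from the issue or from EnMasse: it lists service accounts bound to the cluster-admin ClusterRole, reading JSON shaped like the output of `kubectl get clusterrolebindings -o json`. The binding names and the `example-namespace` namespace in the sample are constructed placeholders.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Binding names and the namespace are placeholders, not values from the issue.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "enmasse-admin-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "enmasse-service-account",
                 "namespace": "example-namespace"}]},
  {"metadata": {"name": "ops-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "viewer-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "default",
                 "namespace": "example-namespace"}]},
  {"metadata": {"name": "no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")


def service_accounts_with_cluster_admin(binding_list):
    """Return (binding, namespace, service account) for every ServiceAccount
    subject bound to the cluster-admin ClusterRole."""
    findings = []
    for binding in binding_list.get("items", []):
        role = binding.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") != "cluster-admin":
            continue
        # `subjects` can be missing or null on a binding without subjects.
        for subject in binding.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount":
                findings.append((binding["metadata"]["name"],
                                 subject.get("namespace", ""),
                                 subject.get("name", "")))
    return findings


if __name__ == "__main__":
    for name, ns, sa in service_accounts_with_cluster_admin(SAMPLE):
        print(f"{name}: system:serviceaccount:{ns}:{sa} has cluster-admin")
```

Against a live cluster, replace `SAMPLE` with the parsed JSON from the `kubectl` command above; any finding is a service account whose token grants unrestricted access to the cluster.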

lulf commented 7 years ago

As OpenShift is moving to use RBAC, I think the longer term approach would be to use that rather than the OpenShift API. Short term, I think adding the note is a good start. If the fabric8 issue is fixed soon, we can upgrade to a release with a fix (and they seem to release quite often).

scholzj commented 7 years ago

Ok, I created PR #203 with a small docu update.

scholzj commented 7 years ago

This was addressed by PR #203 and can be closed now.