FairwindsOps / rbac-manager

A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.
https://fairwinds.com
Apache License 2.0

rbac-manager recreates service accounts when upgrading from 1.6.5 -> 1.8.0 #451

Closed wiegandf closed 1 month ago

wiegandf commented 6 months ago

What happened?

Service accounts are recreated.

time="2024-02-01T11:29:53Z" level=info msg=----------------------------------
time="2024-02-01T11:29:53Z" level=info msg="rbac-manager 1.8.0 running"
time="2024-02-01T11:29:53Z" level=info msg=----------------------------------
time="2024-02-01T11:29:53Z" level=info msg="Registering components"
time="2024-02-01T11:29:53Z" level=info msg="Watching resources related to RBAC Definitions"
time="2024-02-01T11:29:53Z" level=info msg="Watching RBAC Definitions"
time="2024-02-01T11:29:53Z" level=info msg="Reconciling RBACDefinition cds-rules"
time="2024-02-01T11:29:54Z" level=info msg="Deleting Service Account velero"
time="2024-02-01T11:29:54Z" level=info msg="Creating Service Account: velero"

What did you expect to happen?

Just reconciling without any changes.

How can we reproduce this?

Install rbac-manager in version 1.6.5 and create a service account with it. It will create a service account that looks similar to

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2024-02-01T12:20:18Z"
  labels:
    rbac-manager: reactiveops
  name: velero
  namespace: xxx
  ownerReferences:
  - apiVersion: rbacmanager.reactiveops.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: RBACDefinition
    name: cds-rules
    uid: 4708dc24-838a-4eea-8da5-1ba5e871549c
  resourceVersion: "474833513"
  uid: 6634fc1d-e2aa-483e-9035-03e58d90b4db

Then, update rbac-manager to 1.8.0. You will see that the service account is recreated. The new YAML looks exactly the same except for the newly added annotation:

  annotations:
    rbacmanager.reactiveops.io/managed-pull-secrets: ""

Version

1.8.0

Additional context

As a workaround we can add the annotation to the service accounts before we upgrade rbac-manager. That way, the service accounts are not recreated, although this should be handled by rbac-manager.
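
The pre-upgrade workaround described above, written out as an added audit script (it is not part of rbac-manager and was not posted in this issue): it reads the JSON that `kubectl get serviceaccounts -A -o json` prints, picks out the accounts rbac-manager created (label rbac-manager=reactiveops, as on the object shown earlier) that still lack the rbacmanager.reactiveops.io/managed-pull-secrets annotation, and prints one kubectl patch command per account so the annotation can be added before the upgrade instead of the account being deleted and recreated. The SAMPLE input is constructed for the demo; the merge-patch approach is an assumption about how you would apply the annotation, not something rbac-manager provides.

```python
"""Pre-upgrade audit for rbac-manager managed ServiceAccounts.

Finds ServiceAccounts labelled rbac-manager=reactiveops that lack the
managed-pull-secrets annotation added in 1.7.0/1.8.0 and emits a kubectl
merge patch per account, so the upgrade reconciles without recreating them
(and without rotating their service-account-token secrets).
"""
import json
import sys

MANAGED_LABEL = ("rbac-manager", "reactiveops")
PULL_SECRETS_ANNOTATION = "rbacmanager.reactiveops.io/managed-pull-secrets"


def is_managed(sa: dict) -> bool:
    """True when the ServiceAccount carries rbac-manager's label."""
    labels = sa.get("metadata", {}).get("labels") or {}
    return labels.get(MANAGED_LABEL[0]) == MANAGED_LABEL[1]


def find_unannotated(sa_list: dict) -> list[tuple[str, str]]:
    """Return (namespace, name) of managed accounts missing the annotation."""
    missing = []
    for sa in sa_list.get("items", []):
        if not is_managed(sa):
            continue
        annotations = sa["metadata"].get("annotations") or {}
        if PULL_SECRETS_ANNOTATION not in annotations:
            missing.append((sa["metadata"]["namespace"], sa["metadata"]["name"]))
    return missing


def merge_patch() -> str:
    """JSON merge patch adding the empty annotation, as the new version sets it."""
    return json.dumps({"metadata": {"annotations": {PULL_SECRETS_ANNOTATION: ""}}})


def kubectl_commands(sa_list: dict) -> list[str]:
    """kubectl patch invocations for every account that would be recreated."""
    return [
        f"kubectl -n {ns} patch serviceaccount {name} --type merge -p '{merge_patch()}'"
        for ns, name in find_unannotated(sa_list)
    ]


# Constructed sample in the shape of `kubectl get sa -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "velero", "namespace": "xxx",
                  "labels": {"rbac-manager": "reactiveops"}}},
    {"metadata": {"name": "live-check", "namespace": "xxx",
                  "labels": {"rbac-manager": "reactiveops"},
                  "annotations": {PULL_SECRETS_ANNOTATION: ""}}},
    {"metadata": {"name": "default", "namespace": "xxx"}},
]}

if __name__ == "__main__":
    # Pipe real cluster output in; with no stdin, run against the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for cmd in kubectl_commands(data):
        print(cmd)
```

Run it as `kubectl get serviceaccounts -A -o json | python3 audit.py` and review the printed commands before executing them.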

avthart commented 4 months ago

We also encountered this issue with rbac-manager 1.7.0.

time="2024-03-14T05:09:12Z" level=info msg=----------------------------------
time="2024-03-14T05:09:12Z" level=info msg="rbac-manager 1.7.0 running"
time="2024-03-14T05:09:12Z" level=info msg=----------------------------------
time="2024-03-14T05:09:12Z" level=info msg="Registering components"
time="2024-03-14T05:09:12Z" level=info msg="Watching resources related to RBAC Definitions"
time="2024-03-14T05:09:12Z" level=info msg="Watching RBAC Definitions"
time="2024-03-14T05:09:12Z" level=info msg="Reconciling RBACDefinition live-check"
time="2024-03-14T05:09:12Z" level=info msg="Deleting Service Account live-check"
time="2024-03-14T05:09:12Z" level=info msg="Creating Service Account: live-check"

Corresponding service-account-token secrets will also be recreated because the service account is recreated.

albertschwarzkopf commented 4 months ago

Same issue here

artarik commented 3 months ago

same issue here

time="2024-04-12T11:55:17Z" level=info msg="Creating Service Account: redis-operator"
time="2024-04-12T11:55:17Z" level=error msg="Error creating Service Account: serviceaccounts \"redis-operator\" already exists"