OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

BUG: "system:serviceaccount:openunison:openunison-orchestra" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster #59

Open droslean opened 1 year ago

droslean commented 1 year ago
Caused by: java.io.IOException: Unexpected result calling 'https://10.245.0.1:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions/targets.openunison.tremolo.io' - 403 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"customresourcedefinitions.apiextensions.k8s.io \"targets.openunison.tremolo.io\" is forbidden: User \"system:serviceaccount:openunison:openunison-orchestra\" cannot get resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"name":"targets.openunison.tremolo.io","group":"apiextensions.k8s.io","kind":"customresourcedefinitions"},"code":403}

Why?

droslean commented 1 year ago

The solution is to create a cluster role that allows getting customresourcedefinitions and bind it to the orchestra service account.

The question remains: why does OpenUnison need this kind of permission?
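The manual workaround described in the comment above, written out as a manifest. This is an added example, not a manifest from the OpenUnison project (the project's own charts ship their own ClusterRole and ClusterRoleBinding, whose names may differ). The ClusterRole and ClusterRoleBinding names are assumptions; the namespace, service account, API group and resource are taken from the 403 message in the issue, and the rule grants only the `get` verb the error asks for.

```yaml
# Added example (not the project's own manifests): minimal RBAC that gives the
# orchestra service account read access to CRDs, which is exactly what the
# 403 in the issue says is missing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: openunison-orchestra-crd-reader      # assumed name
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    # Only the verb the 403 reports; widen to list/watch only if a later
    # error shows the controller needs them (least privilege).
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openunison-orchestra-crd-reader      # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openunison-orchestra-crd-reader
subjects:
  - kind: ServiceAccount
    name: openunison-orchestra                # from the error message
    namespace: openunison                     # from the error message
```

Apply it with `kubectl apply -f`, then confirm the grant took effect without restarting anything by impersonating the service account: `kubectl auth can-i get customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:openunison:openunison-orchestra` should answer `yes` afterwards and `no` before. A binding like this is cluster-scoped, so keep the verb list to what the component actually needs.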

mlbiam commented 1 year ago

How did you deploy openunison? Using the helm charts manually or using the ouctl command? Also, what is the output of helm list -n openunison?

droslean commented 1 year ago

Everything worked fine, but when I upgraded my cluster OpenUnison crashed because of this. When I first installed OpenUnison I used helm.

mlbiam commented 1 year ago

Thanks @droslean, this is a known issue. Run:

helm repo update
# helm upgrade takes the release name first, then the chart; the release names
# below are the documented defaults. If yours differ, use the NAME column from
# helm list -n openunison
helm upgrade openunison tremolo/openunison-operator -n openunison -f /path/to/values.yaml
helm upgrade orchestra tremolo/orchestra -n openunison -f /path/to/values.yaml
helm upgrade orchestra-login-portal tremolo/orchestra-login-portal -n openunison -f /path/to/values.yaml

that will update your manifests and include the missing ClusterRoleBinding and ClusterRole. You can also download the ouctl command:

helm repo update
# ouctl drives the same three chart upgrades from one values file
./ouctl install-auth-portal /path/to/values.yaml

instead of running helm manually.