actions / actions-runner-controller

Kubernetes controller for GitHub Actions self-hosted runners
Apache License 2.0

Add list verb over secrets for the controller, required when deleting ephemeralrunners #3514

Open gcaracuel opened 1 month ago

gcaracuel commented 1 month ago

The controller requires the list permission on secrets in the watched namespace when deleting ephemeralrunner resources. When it is not granted, ephemeralrunner resources cannot be deleted by the controller, which prints the following error:

2024-05-09T09:54:33Z    ERROR    Reconciler error    {"controller": "ephemeral-runner-controller", "controllerGroup": "actions.github.com", "controllerKind": "EphemeralRunner", "EphemeralRunner": {"name":"<POD_NAME>","namespace":"<NAMESPACE_NAME>"}, "namespace": "<NAMESPACE_NAME>", "name": "<POD_NAME>", "reconcileID": "44cd28a5-ecd0-4334-9c9c-4decde0a39d8", "error": "failed to list runner-linked secrets: secrets is forbidden: User \"system:serviceaccount:<NAMESPACE_NAME>:arc-gha-rs-controller\" cannot list resource \"secrets\" in API group \"\" in the namespace \"<NAMESPACE_NAME>\""}
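The error above is an RBAC denial: the API server names the subject, verb, resource, API group and namespace it refused. As an added illustration for this thread (not code from the PR or from actions-runner-controller), the script below parses that denial out of a controller-runtime JSON log line and checks it against a Role's rules using the matching semantics of the Kubernetes RBAC authorizer (literal or `*` match on verb, API group and resource; name-scoped rules never grant collection verbs such as `list`). The two rule sets `ROLE_BEFORE` and `ROLE_AFTER` are constructed for the example and are not the chart's real Role; the log line is a trimmed copy of the one quoted in the report, placeholders kept.

```python
"""Check a Kubernetes RBAC "forbidden" error against Role rules.

Added example for this PR discussion; not code from actions-runner-controller.
Matching follows the Kubernetes RBAC authorizer: a rule grants a request when
the verb, API group and resource each match literally or by "*".
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of the message the API server returns on an RBAC denial, e.g.
#   User "system:serviceaccount:ns:sa" cannot list resource "secrets"
#   in API group "" in the namespace "ns"
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)


@dataclass
class ForbiddenRequest:
    user: str
    verb: str
    resource: str
    group: str
    namespace: Optional[str] = None


@dataclass
class PolicyRule:
    """One entry of a Role's rules: list (apiGroups/resources/verbs/resourceNames)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


def parse_reconciler_error(line: str) -> Optional[ForbiddenRequest]:
    """Pull the denied request out of a controller-runtime JSON log line."""
    payload = json.loads(line[line.index("{"):])
    m = FORBIDDEN_RE.search(payload.get("error", ""))
    return ForbiddenRequest(**m.groupdict()) if m else None


def rule_allows(rule: PolicyRule, group: str, resource: str, verb: str, name: str = "") -> bool:
    def matches(wanted: str, allowed: List[str]) -> bool:
        return "*" in allowed or wanted in allowed

    if not (matches(verb, rule.verbs) and matches(group, rule.api_groups)
            and matches(resource, rule.resources)):
        return False
    # A name-scoped rule only matches requests that carry an object name.
    # list, watch, create and deletecollection requests carry none (absent a
    # metadata.name field selector), so such a rule never grants them.
    if rule.resource_names and name not in rule.resource_names:
        return False
    return True


def role_allows(rules: List[PolicyRule], group: str, resource: str, verb: str, name: str = "") -> bool:
    return any(rule_allows(r, group, resource, verb, name) for r in rules)


def missing_verbs(rules: List[PolicyRule], group: str, resource: str, needed: List[str]) -> List[str]:
    """Verbs from `needed` that no rule grants on group/resource."""
    return [v for v in needed if not role_allows(rules, group, resource, v)]


# Constructed Role rule sets (hypothetical, not the chart's real Role):
# the controller can get/create/delete secrets but not list them ...
ROLE_BEFORE = [PolicyRule([""], ["secrets"], ["get", "create", "delete"])]
# ... and the same Role with the list verb added.
ROLE_AFTER = [PolicyRule([""], ["secrets"], ["get", "list", "create", "delete"])]

# Trimmed copy of the log line quoted in the report, placeholders kept.
SAMPLE_LOG = (
    r'2024-05-09T09:54:33Z    ERROR    Reconciler error    '
    r'{"controller": "ephemeral-runner-controller", "controllerGroup": "actions.github.com", '
    r'"controllerKind": "EphemeralRunner", "namespace": "<NAMESPACE_NAME>", "name": "<POD_NAME>", '
    r'"error": "failed to list runner-linked secrets: secrets is forbidden: '
    r'User \"system:serviceaccount:<NAMESPACE_NAME>:arc-gha-rs-controller\" cannot list resource '
    r'\"secrets\" in API group \"\" in the namespace \"<NAMESPACE_NAME>\""}'
)


if __name__ == "__main__":
    req = parse_reconciler_error(SAMPLE_LOG)
    print(f"{req.user} needs '{req.verb}' on {req.resource!r} (group {req.group!r}) in {req.namespace}")
    for label, rules in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(f"role {label}: allowed={role_allows(rules, req.group, req.resource, req.verb)}"
              f" missing={missing_verbs(rules, req.group, req.resource, ['get', 'list', 'delete'])}")
```

Feeding the parsed denial to `missing_verbs` turns the log line directly into the verb that has to be added to the Role; the `resource_names` branch is there because granting `list` on a rule that also carries `resourceNames` still leaves the controller unable to list, since a list request names no object.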

gcaracuel commented 2 weeks ago

Do I need something else to get a review in here?