cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

cluster role does not have sufficient permission to update resources #270

Closed nan-coupa closed 7 months ago

nan-coupa commented 7 months ago

We ran into several issues with cluster role permissions. Primarily it's missing the patch verb on several resources:

E0107 23:46:58.903450       1 bundle.go:137] trust/bundle "msg"="failed to migrate bundle status" "error"="bundles.trust.cert-manager.io \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot update resource \"bundles\" in API group \"trust.cert-manager.io\" at the cluster scope" "bundle"="ca-bundle"
E0110 00:31:05.370941       1 bundle.go:364] trust/bundle "msg"="failed sync bundle to ConfigMap target namespace" "error"="failed to patch ConfigMap demo/ca-bundle: configmaps \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"demo\"" "bundle"="ca-bundle" "target"={"Kind":"ConfigMap","Namespace":"demo","Name":"ca-bundle"}
I0110 00:31:10.518924       1 recorder.go:104] trust/manager/events "msg"="Failed to sync target in Namespace \"kube-system-draino\": failed to patch ConfigMap kube-system-draino/ca-bundle: configmaps \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"kube-system-draino\"" "object"={"kind":"Bundle","name":"ca-bundle","uid":"323e1450-a93a-44b8-9789-328001fbb323","apiVersion":"trust.cert-manager.io/v1alpha1","resourceVersion":"998842678"} "reason"="SyncConfigMapTargetFailed" "type"="Warning"
E0110 00:31:54.013406       1 bundle.go:364] trust/bundle "msg"="failed sync bundle to ConfigMap target namespace" "error"="failed to patch ConfigMap cloudhealth-dev/ca-bundle: configmaps \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"cloudhealth-dev\"" "bundle"="ca-bundle" "target"={"Kind":"ConfigMap","Namespace":"cloudhealth-dev","Name":"ca-bundle"}
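One way to turn denials like these into the exact grants that are missing, as an added example that is not trust-manager's own code: parse the `is forbidden` messages, check each one against the rules of the ClusterRole that is actually bound to the service account (Kubernetes RBAC matching, with `*` as a wildcard), and render whatever no rule covers as a ClusterRole fragment. The three error strings are copied from the comment above; EXISTING_RULES is a constructed stand-in for an older chart's ClusterRole (not the real chart's rules), and `trust-manager-missing` is a hypothetical name.

```python
"""Derive the RBAC grants a ClusterRole is missing from 'is forbidden' log lines.

Added example, not trust-manager code. LOG_LINES are copied from the issue;
EXISTING_RULES is a constructed stand-in for an older chart's ClusterRole.
"""
import re

# The three distinct denials quoted in the issue (the "error"= strings, copied verbatim).
LOG_LINES = [
    r'"error"="bundles.trust.cert-manager.io \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot update resource \"bundles\" in API group \"trust.cert-manager.io\" at the cluster scope"',
    r'"error"="failed to patch ConfigMap demo/ca-bundle: configmaps \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"demo\""',
    r'"error"="failed to patch ConfigMap cloudhealth-dev/ca-bundle: configmaps \"ca-bundle\" is forbidden: User \"system:serviceaccount:trust-manager:trust-manager\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"cloudhealth-dev\""',
]

# Constructed stand-in for an older chart's ClusterRole: it can write bundles/status and
# create ConfigMaps, but has no 'update' on bundles itself and no 'patch' on configmaps.
EXISTING_RULES = [
    {"apiGroups": ["trust.cert-manager.io"], "resources": ["bundles"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["trust.cert-manager.io"], "resources": ["bundles/status"], "verbs": ["update", "patch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch", "create"]},
]

# Matches the apiserver's forbidden message; quotes may be backslash-escaped inside the log value.
FORBIDDEN = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>[a-z]+) resource \\?"(?P<resource>[^"\\]+)\\?" '
    r'in API group \\?"(?P<group>[^"\\]*)\\?" '
    r'(?:at the cluster scope|in the namespace \\?"(?P<namespace>[^"\\]+)\\?")'
)


def parse_denials(lines):
    """Return one dict per RBAC denial found in the lines; lines without one are ignored."""
    denials = []
    for line in lines:
        m = FORBIDDEN.search(line)
        if not m:
            continue
        denials.append({
            "user": m.group("user"),
            "verb": m.group("verb"),
            "apiGroup": m.group("group"),        # "" is the core API group
            "resource": m.group("resource"),
            "namespace": m.group("namespace"),   # None for a cluster-scoped denial
        })
    return denials


def rule_allows(rule, verb, api_group, resource):
    """RBAC matching for one PolicyRule: every list must contain the value or '*'.

    resourceNames and subresource wildcards ('foo/*') are not modelled here.
    Note that a grant on 'bundles/status' does NOT cover 'bundles' itself.
    """
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("verbs", []), verb)
            and hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource))


def missing_grants(rules, denials):
    """Sorted (apiGroup, resource, verb) triples that no rule in `rules` allows."""
    missing = set()
    for d in denials:
        if not any(rule_allows(r, d["verb"], d["apiGroup"], d["resource"]) for r in rules):
            missing.add((d["apiGroup"], d["resource"], d["verb"]))
    return sorted(missing)


def render_clusterrole(name, grants):
    """Render grants as a ClusterRole manifest, one rule per (apiGroup, resource)."""
    by_target = {}
    for group, resource, verb in grants:
        by_target.setdefault((group, resource), set()).add(verb)
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for (group, resource), verbs in sorted(by_target.items()):
        out.append(f'- apiGroups: ["{group}"]')
        out.append(f'  resources: ["{resource}"]')
        out.append("  verbs: [" + ", ".join(f'"{v}"' for v in sorted(verbs)) + "]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_denials(LOG_LINES)
    # Hypothetical ClusterRole name; bind it to the same service account with a ClusterRoleBinding.
    print(render_clusterrole("trust-manager-missing", missing_grants(EXISTING_RULES, found)), end="")
```

After applying the resulting rules, confirm them from the service account's point of view with `kubectl auth can-i patch configmaps -n demo --as=system:serviceaccount:trust-manager:trust-manager` and `kubectl auth can-i update bundles.trust.cert-manager.io --as=system:serviceaccount:trust-manager:trust-manager`; both should answer `yes` before the controller is restarted.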
nan-coupa commented 7 months ago

We have an older chart and I noticed some updates with 0.7.1. Will test and reopen as needed.