Closed marcredhat closed 4 years ago
Here is Flagger's RBAC https://github.com/weaveworks/flagger/blob/master/charts/flagger/templates/rbac.yaml
When creating a canary (without using cluster-admin role), I get:
flagger services "podinfo-canary" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: ,
Hmm, seems that finalizers have to be added to every resource in the RBAC. For example:
    - apiGroups:
        - apps
      resources:
        - daemonsets
        - deployments
        - daemonsets/finalizers
        - deployments/finalizers
Can you please modify Flagger's RBAC, duplicate all resources with finalizers and test it out?
Thanks
Tests on OpenShift 4.3.1: https://github.com/marcredhat/workshop/blob/master/flagger/README.adoc
Need to understand the minimum privileges for the "flagger service" account. (In my testing above, I used oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:marc-istio-system:flagger)
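An added example, not part of the thread or of Flagger's chart: a Python helper that duplicates every resource in a list of RBAC rules with its `/finalizers` subresource, as suggested above, and reports whether a service account's rules would let it update an owner's finalizers. The rule list is constructed sample data, the function names are hypothetical, and the matcher is a simplification that ignores `resourceNames` and assumes the admission check wants the `update` verb on `<resource>/finalizers`.

```python
import copy

# Constructed sample rules in the shape of a ClusterRole's "rules" list.
SAMPLE_RULES = [
    {"apiGroups": ["apps"],
     "resources": ["daemonsets", "deployments", "deployments/finalizers"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""],
     "resources": ["services"],
     "verbs": ["get", "list", "watch"]},  # read-only: finalizers stay forbidden
]


def with_finalizers(rules):
    """Return a copy of rules where each plain resource also lists
    its "<resource>/finalizers" subresource."""
    out = copy.deepcopy(rules)
    for rule in out:
        resources = rule.setdefault("resources", [])
        if "*" in resources:
            continue  # wildcard already matches resources and subresources
        for res in list(resources):
            if "/" in res:
                continue  # already a subresource, e.g. deployments/status
            if res + "/finalizers" not in resources:
                resources.append(res + "/finalizers")
    return out


def can_update_finalizers(rules, api_group, resource):
    """Simplified RBAC match: is update on <resource>/finalizers granted?"""
    target = resource + "/finalizers"
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        group_ok = api_group in groups or "*" in groups
        res_ok = any(r in resources for r in (target, "*/finalizers", "*"))
        verb_ok = "update" in verbs or "*" in verbs
        if group_ok and res_ok and verb_ok:
            return True
    return False


if __name__ == "__main__":
    fixed = with_finalizers(SAMPLE_RULES)
    for group, res in [("apps", "daemonsets"), ("apps", "deployments"), ("", "services")]:
        print(f"{group or 'core'}/{res}: before={can_update_finalizers(SAMPLE_RULES, group, res)} "
              f"after={can_update_finalizers(fixed, group, res)}")
```

The read-only `services` rule still fails after the rewrite, which shows that listing the subresource is not enough when the rule lacks the `update` verb.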