fluxcd / flagger

Progressive delivery Kubernetes operator (Canary, A/B Testing and Blue/Green deployments)
https://docs.flagger.app
Apache License 2.0
4.85k stars, 725 forks

OpenShift RBAC issues #505

Closed marcredhat closed 4 years ago

marcredhat commented 4 years ago

Tests on OpenShift 4.3.1: https://github.com/marcredhat/workshop/blob/master/flagger/README.adoc

Need to understand the minimum privileges for the "flagger service" account. (In my testing above, I used oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:marc-istio-system:flagger)

stefanprodan commented 4 years ago

Here is Flagger's RBAC https://github.com/weaveworks/flagger/blob/master/charts/flagger/templates/rbac.yaml

marcredhat commented 4 years ago

When creating a canary (without using cluster-admin role), I get: flagger services "podinfo-canary" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: ,

stefanprodan commented 4 years ago

Hmm, seems that finalizers have to be added to every resource in the RBAC. For example:

  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - daemonsets/finalizers   # finalizers subresource of each owned kind
      - deployments/finalizers

Can you please modify Flagger's RBAC, duplicate all resources with finalizers and test it out?

Thanks
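The "duplicate all resources with finalizers" suggestion, written out as an added example (this is not Flagger's chart and not code from the thread). The error in the earlier comment comes from the OwnerReferencesPermissionEnforcement admission plugin, which OpenShift enables (upstream Kubernetes does not enable it by default): an object whose ownerReference has blockOwnerDeletion=true is rejected unless the requester may update the owner's finalizers subresource. The script emits ClusterRole rules in which every resource is listed together with its `<resource>/finalizers` subresource, and includes a live check using `oc auth can-i`. The resource lists are an illustrative subset, and the service account `marc-istio-system:flagger` and the target namespace `test` are placeholders taken from or assumed for this thread.

```shell
#!/bin/sh
# Added example, not Flagger's own chart: generate RBAC rules that grant the
# verbs on each resource AND on its "<resource>/finalizers" subresource.
# OwnerReferencesPermissionEnforcement (enabled on OpenShift) requires "update"
# on the owner's finalizers subresource before a controller may set
# blockOwnerDeletion=true on an ownerReference that points at it.
# Resource lists below are an illustrative subset, not Flagger's full RBAC.

# finalizer_rule GROUP "VERBS" RESOURCE...
# Emits one rule whose resources list contains every RESOURCE twice:
# the resource itself and its finalizers subresource.
finalizer_rule() {
  group=$1
  verbs=$2
  shift 2
  printf '  - apiGroups:\n      - "%s"\n    resources:\n' "$group"
  for r in "$@"; do
    printf '      - %s\n' "$r"
  done
  for r in "$@"; do
    printf '      - %s/finalizers\n' "$r"
  done
  printf '    verbs:\n'
  for v in $verbs; do
    printf '      - %s\n' "$v"
  done
}

# flagger_rules prints the "rules:" section of a ClusterRole. The empty
# apiGroup ("") is the core group, which is where Services live.
flagger_rules() {
  printf 'rules:\n'
  finalizer_rule apps "get list watch create update patch delete" daemonsets deployments
  finalizer_rule "" "get list watch create update patch delete" services
  finalizer_rule autoscaling "get list watch create update patch delete" horizontalpodautoscalers
  finalizer_rule flagger.app "get list watch update patch" canaries
}

# count_finalizer_entries returns how many "/finalizers" subresources the
# generated rules grant; a quick sanity check after editing the lists.
count_finalizer_entries() {
  flagger_rules | grep -c '/finalizers'
}

# check_sa_can_finalize SA_NAMESPACE:SA_NAME TARGET_NAMESPACE RESOURCE
# Live check against a cluster (not invoked below): does the service account
# hold the permission the admission plugin looks for? "oc auth can-i" mirrors
# "kubectl auth can-i"; subresources are passed with --subresource, because
# "deployments/finalizers" would be read as a Deployment named "finalizers".
check_sa_can_finalize() {
  oc auth can-i update "$3" --subresource=finalizers \
    --as="system:serviceaccount:$1" -n "$2"
}

flagger_rules
# e.g. check_sa_can_finalize marc-istio-system:flagger test deployments
```

Apply the generated rules to the ClusterRole bound to the Flagger service account, then run the `check_sa_can_finalize` call shown in the trailing comment for each resource kind Flagger creates with an ownerReference; "yes" from every check means the blockOwnerDeletion rejection should no longer occur without cluster-admin.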