grafana / flagger-k6-webhook

Using k6 to do load testing of the canary before rolling out traffic
Apache License 2.0

Broken rbac when using defaults #126

Closed jack1902 closed 7 months ago

jack1902 commented 7 months ago

The current default value specified here is invalid: https://github.com/grafana/flagger-k6-webhook/blob/7d026b36bf293715cf567d804a2952a2edd365c4/charts/k6-loadtester/templates/rbac.yaml#L18

When reviewing the docs here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples or by running `kubectl explain` (output below for quick reference), you can see that `apiGroup` should be set depending on the subject. In the case of the chart, the current subject is a ServiceAccount, so it should be left blank.

```
kubectl explain rolebindings.rbac.authorization.k8s.io.subjects
KIND:     RoleBinding
VERSION:  rbac.authorization.k8s.io/v1

RESOURCE: subjects <[]Object>

DESCRIPTION:
     Subjects holds references to the objects the role applies to.

     Subject contains a reference to the object or user identities a role
     binding applies to. This can either hold a direct API object reference, or
     a value for non-objects such as user and group names.

FIELDS:
   apiGroup <string>
     APIGroup holds the API group of the referenced subject. Defaults to "" for
     ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User
     and Group subjects.

   kind <string> -required-
     Kind of object being referenced. Values defined by this API group are
     "User", "Group", and "ServiceAccount". If the Authorizer does not
     recognized the kind value, the Authorizer should report an error.

   name <string> -required-
     Name of the object being referenced.

   namespace    <string>
     Namespace of the referenced object. If the object kind is non-namespace,
     such as "User" or "Group", and this value is not empty the Authorizer
     should report an error.
```
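
The subject rules from the `kubectl explain` output above, written as a small lint that can run over rendered manifests before they are applied. This is an added example, not code from the issue or from the flagger-k6-webhook project; the `lint_subjects` helper and the subject names are hypothetical, and both sample bindings are constructed.

```python
RBAC_GROUP = "rbac.authorization.k8s.io"
# apiGroup each subject kind must carry, per the field description above.
EXPECTED_API_GROUP = {"ServiceAccount": "", "User": RBAC_GROUP, "Group": RBAC_GROUP}


def lint_subjects(binding):
    """Return a list of problems in the subjects of a (Cluster)RoleBinding dict."""
    problems = []
    for i, subject in enumerate(binding.get("subjects") or []):
        where = f"subjects[{i}]"
        kind = subject.get("kind")
        if kind not in EXPECTED_API_GROUP:
            problems.append(f"{where}.kind: unrecognized kind {kind!r}")
            continue
        if not subject.get("name"):
            problems.append(f"{where}.name: required")
        # An omitted or empty apiGroup is defaulted by kind, so only an
        # explicit value that differs from the expected one is flagged.
        api_group = subject.get("apiGroup") or ""
        expected = EXPECTED_API_GROUP[kind]
        if api_group and api_group != expected:
            problems.append(
                f"{where}.apiGroup: {api_group!r} is invalid for {kind}, "
                f"expected {expected!r}"
            )
        # User and Group are not namespaced objects.
        if kind != "ServiceAccount" and subject.get("namespace"):
            problems.append(f"{where}.namespace: must be empty for {kind}")
    return problems


# Constructed sample manifests (names are hypothetical).
BROKEN = {
    "kind": "RoleBinding",
    "subjects": [{"kind": "ServiceAccount", "name": "loadtester",
                  "namespace": "flagger", "apiGroup": RBAC_GROUP}],
}
FIXED = {
    "kind": "RoleBinding",
    "subjects": [{"kind": "ServiceAccount", "name": "loadtester",
                  "namespace": "flagger"}],
}

if __name__ == "__main__":
    for label, manifest in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_subjects(manifest) or "ok")
```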