Open mattmoor opened 6 years ago
13 is an unblocking workaround, but I'm also working on a new ClusterRole specifically granting read access to the CRD.
Trying to create that ClusterRole fails due to this error:
Error from server (Forbidden): error when creating "artifacts/examples/authz.yaml": clusterroles.rbac.authorization.k8s.io "foo-reader" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["foos"], APIGroups:["samplecontroller.k8s.io/v1alpha1"], Verbs:["get"]} PolicyRule{Resources:["foos"], APIGroups:["samplecontroller.k8s.io/v1alpha1"], Verbs:["watch"]} PolicyRule{Resources:["foos"], APIGroups:["samplecontroller.k8s.io/v1alpha1"], Verbs:["list"]}] user=&{grantrodgers@google.com [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
I believe this is telling me that my kubectl user is unable to grant access to the CRD because it doesn't have access itself. Mentioned at https://kubernetes.io/docs/concepts/api-extension/custom-resources/#authentication-authorization-and-auditing:
If you use RBAC for authorization, most RBAC roles will not grant access to the new resources (except the cluster-admin role or any role created with wildcard rules). You’ll need to explicitly grant access to the new resources.
Still looking into the best way to solve this.
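
A simplified model of the check behind the "attempt to grant extra privileges" error above, as an added example that is not part of the original issue and is not Kubernetes' own code: each requested rule is split into single (API group, resource, verb) tuples, and any tuple the caller's own rules do not cover is rejected. The rule values are copied from the error message; the grouping of the three verbs into one requested rule and the wildcard rule standing in for cluster-admin are assumptions.

```python
# Simplified model of the RBAC escalation check; not the Kubernetes source.
from itertools import product


def breakdown(rule):
    """Split one rule into single (apiGroup, resource, verb) tuples."""
    return list(product(rule.get("apiGroups", []),
                        rule.get("resources", []), rule["verbs"]))


def _matches(held, wanted):
    """A held list matches if it names the value or carries the '*' wildcard."""
    return "*" in held or wanted in held


def covered(owner_rules, group, resource, verb):
    """True if a single owner rule grants this exact tuple."""
    return any(_matches(r.get("apiGroups", []), group)
               and _matches(r.get("resources", []), resource)
               and _matches(r["verbs"], verb)
               for r in owner_rules)


def extra_privileges(owner_rules, requested_rules):
    """Tuples the new role would grant that the caller does not hold."""
    return [t for rule in requested_rules for t in breakdown(rule)
            if not covered(owner_rules, *t)]


# Caller's rules, copied from ownerrules=[...] in the error message.
OWNER = [
    {"apiGroups": ["authorization.k8s.io"],
     "resources": ["selfsubjectaccessreviews"], "verbs": ["create"]},
    {"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz",
                         "/swagger-2.0.0.pb-v1", "/swagger.json",
                         "/swaggerapi", "/swaggerapi/*", "/version"],
     "verbs": ["get"]},
]
# Assumed shape of the requested rule (authz.yaml is not shown on the page).
REQUESTED = [{"apiGroups": ["samplecontroller.k8s.io/v1alpha1"],
              "resources": ["foos"], "verbs": ["get", "watch", "list"]}]
# Assumed wildcard rule standing in for cluster-admin.
ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for group, resource, verb in extra_privileges(OWNER, REQUESTED):
        print(f"forbidden: {verb} {resource} in {group}")
    print("as admin:", extra_privileges(ADMIN, REQUESTED))
```

The three rejected tuples correspond to the three single-verb PolicyRule entries listed in the error, and the wildcard rule leaves nothing uncovered, which matches the documentation's exception for cluster-admin and wildcard roles.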