Open ansromanov opened 1 month ago
The same is true for syncCatalog, as it also uses clusterrole and clusterrolebinding. I modified them to role and rolebinding and got errors related to cluster-scoped resources, even though I limited syncCatalog to a single namespace:
```
W1004 16:14:52.527132 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E1004 16:14:52.527485 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
W1004 16:14:52.528030 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
E1004 16:14:52.528071 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
W1004 16:14:52.528370 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "services" in API group "" at the cluster scope
E1004 16:14:52.528391 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "services" in API group "" at the cluster scope
W1004 16:14:53.591440 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
E1004 16:14:53.591509 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
```
As a workaround, I have updated the syncCatalog clusterrole and clusterrolebinding names to be unique (added the namespace name), but it is surely not a good way to solve this.
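An added example, not part of the issue or the chart: a Python script that reads denials like the ones quoted in the comment above and picks out the requests made "at the cluster scope", which a namespaced Role and RoleBinding cannot authorize. The function names are hypothetical, and the `in the namespace "..."` branch assumes the API server's usual wording for denied namespaced requests, which does not appear in the log above.

```python
import re
from collections import defaultdict

# Four lines copied from the log quoted in the comment above.
SAMPLE_LOG = '''\
W1004 16:14:52.527132 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
W1004 16:14:52.528030 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
E1004 16:14:52.528071 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
W1004 16:14:52.528370 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.8/tools/cache/reflector.go:229: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:test-sandbox:consul-sync-catalog" cannot list resource "services" in API group "" at the cluster scope
'''

DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<target_ns>[^"]+)")'
)

def denied_requests(log_text):
    """Map (sa_namespace, sa_name) to a set of (api_group, resource, verb, request_ns).
    request_ns is None when the denial was reported "at the cluster scope"."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:  # repeated W/E lines for the same request collapse in the set
            found[(m["ns"], m["sa"])].add(
                (m["group"], m["resource"], m["verb"], m["target_ns"]))
    return dict(found)

def role_cannot_satisfy(denials):
    """Cluster-wide requests: no Role/RoleBinding in any namespace grants these."""
    return sorted((g, r, v) for g, r, v, ns in denials if ns is None)

def rules_for(denials):
    """Group the denied verbs into RBAC-style rules, one per API group."""
    by_group = defaultdict(lambda: (set(), set()))
    for group, resource, verb, _ in denials:
        by_group[group][0].add(resource)
        by_group[group][1].add(verb)
    return [{"apiGroups": [g], "resources": sorted(res), "verbs": sorted(verbs)}
            for g, (res, verbs) in sorted(by_group.items())]

if __name__ == "__main__":
    for (ns, sa), denials in denied_requests(SAMPLE_LOG).items():
        print(f"{ns}/{sa}")
        for item in role_cannot_satisfy(denials):
            print("  cluster-wide request:", item)
        print("  rules:", rules_for(denials))
```

Every denial in the quoted log is a cluster-wide list, so the client itself is asking across all namespaces. Renaming or rescoping the RBAC objects does not change what it requests.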
Overview of the Issue
Context: I need to deploy multiple Consul installations in separate namespaces, as we have several isolated development environments within the Kube cluster, where Consul is a part of each isolated environment.
Reproduction Steps
The second command will fail with the following error:
The issue is that the chart contains some cluster-scoped resources - CRDs, ClusterRoles, ClusterRoleBindings.
I was able to deploy multiple Consul instances by performing the following steps:
So, my questions are:
Expected behavior
The chart has native support to deploy multiple Consul instances.