hiddeco / cronjobber

Cronjobber is a cronjob controller for Kubernetes with support for time zones
Apache License 2.0

kubectl apply only works as admin #23

Open laobob opened 4 years ago

laobob commented 4 years ago

As an admin I can easily deploy the examples you provide. As another user (e.g. ci user) I get the following error:

tzcronjobs.cronjobber.hidde.co "my-dummy-service" is forbidden: User "ci-user" cannot get resource "tzcronjobs" in API group "cronjobber.hidde.co" in the namespace "mynamespace": RBAC: clusterrole.rbac.authorization.k8s.io "mynamespace-letsencrypt-role" not found

Do you have any ideas where to look? Do I have to change the rbac in some way?

laobob commented 4 years ago

It seems to work if I add the following lines to the rbac.yml (granting explicit permissions to my ci user, not sure if this is the proper way to do it):

- kind: User name: ci-runner namespace: mynamespace

(seems that leading spaces get removed by GitHub's markup renderer)

hiddeco commented 4 years ago

Sorry about not responding in a timely manner, this is my weekend project and I have a shortage in available time during weekends lately.

Your CI user is probably a user stripped of any permissions, and you need to add those permissions back so that it is able to operate on the TZCronJob resources.

```yaml
# Read access to resources in the cronjobber.hidde.co API group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    name: tzcronjob-reader
rules:
- apiGroups: ['cronjobber.hidde.co']
  resources: ['*']
  verbs: ["get", "list", "watch"]
---
# Modify and delete access to resources in the cronjobber.hidde.co API group
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    name: tzcronjob-writer
rules:
- apiGroups: ['cronjobber.hidde.co']
  resources: ['*']
  verbs: ["update", "patch", "delete"]
```
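One way to grant the CI user these permissions in a single namespace only, as an added example that is not part of the original thread or the project's manifests: a ClusterRole naming just the `tzcronjobs` resource, bound through a namespaced RoleBinding. The names `tzcronjob-ci-deployer` and `ci-user-tzcronjobs` are hypothetical; `ci-user`, `mynamespace`, the API group and the resource name are taken from the error message above.

```yaml
# Added example: namespace-scoped TZCronJob access for a CI identity.
# "tzcronjob-ci-deployer" and "ci-user-tzcronjobs" are hypothetical names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tzcronjob-ci-deployer
rules:
- apiGroups: ["cronjobber.hidde.co"]
  # Name the resource instead of '*' so other resources in the group
  # are not covered by this grant.
  resources: ["tzcronjobs"]
  # kubectl apply reads the object (get), then creates it if it is
  # missing or patches it if it exists.
  verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
---
# A RoleBinding (not a ClusterRoleBinding) limits the grant to its own
# namespace, even though roleRef points at a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-user-tzcronjobs
  namespace: mynamespace
subjects:
- kind: User
  name: ci-user   # user name as reported in the "forbidden" error
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: tzcronjob-ci-deployer
  apiGroup: rbac.authorization.k8s.io
```

An admin can check the result with `kubectl auth can-i get tzcronjobs.cronjobber.hidde.co --as ci-user -n mynamespace`, which should answer `yes` in `mynamespace` and `no` in any other namespace.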