Open eutsigoiari opened 8 months ago
Hi,
In an OCP/OKD cluster rollout using the default manifests and trying to enable l2announcements with the following extra config:
```yaml
kubeProxyReplacement: true
k8sServiceHost: api-int.mycluster.mydomain.com
k8sServicePort: '6443'
k8sClientRateLimit:
  qps: 2
  burst: 4
l2announcements:
  enabled: true
```
Cilium is not properly deployed, since the cluster role with the leases resource from the coordination API does not have all the needed verbs:
```
2024-03-14T13:55:28Z ERROR helm.controller Release failed {"namespace": "cilium", "name": "cilium", "apiVersion": "cilium.io/v1alpha1", "kind": "CiliumConfig", "release": "cilium", "error": "failed to install release: 2 errors occurred:\n\t clusterroles.rbac.authorization.k8s.io \"cilium\" is forbidden: user \"system:serviceaccount:cilium:cilium-olm\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:cilium\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"coordination.k8s.io\"], Resources:[\"leases\"], Verbs:[\"list\" \"delete\"]}\n\t clusterroles.rbac.authorization.k8s.io \"cilium\" not found\n\n"}
2024-03-14T13:55:28Z ERROR Reconciler error {"controller": "ciliumconfig-controller", "object": {"name":"cilium","namespace":"cilium"}, "namespace": "cilium", "name": "cilium", "reconcileID": "af7a17fd-1a47-456c-a4e3-b55439b98e8e", "error": "failed to install release: 2 errors occurred:\n\t clusterroles.rbac.authorization.k8s.io \"cilium\" is forbidden: user \"system:serviceaccount:cilium:cilium-olm\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:cilium\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"coordination.k8s.io\"], Resources:[\"leases\"], Verbs:[\"list\" \"delete\"]}\n\t clusterroles.rbac.authorization.k8s.io \"cilium\" not found\n\n"}
```
cluster-network-06-cilium-00009-cilium-cilium-clusterrole.yaml lacks those list and delete verbs for the leases resource.
If I got it correctly, those manifests are generated from the cue files, so the fix could be just:
diff --git a/config/operator/rbac.cue b/config/operator/rbac.cue index d17e131..ad7be47 100644 --- a/config/operator/rbac.cue +++ b/config/operator/rbac.cue @@ -151,6 +151,8 @@ _ciliumClusterRules: [ "create", "get", "update", + "list", + "delete", ] }, {
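Review bot: the hunk shows only the verb list inside `_ciliumClusterRules` ("create", "get", "update" plus the two added lines), not the `apiGroups`/`resources` entries that list belongs to, so the diff alone does not make it visible that this is the `coordination.k8s.io` / `leases` rule rather than a neighbouring one; please include the enclosing rule as context in the PR. Also note what the quoted error actually is: the API server's RBAC escalation-prevention check refusing `system:serviceaccount:cilium:cilium-olm` because it is attempting to grant `list`/`delete` on leases that it does not hold itself. Adding the verbs to the generated cilium ClusterRole is necessary, but the release will only get past that check if the operator's own ClusterRole also holds `list` and `delete` on `coordination.k8s.io` leases, so verify that role after regenerating from the cue files as well.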
I could do the PR myself if you think this is the correct way to fix it.
On the other hand, the operator chart/templates of the cilium-agent have apparently been correct from the very beginning, as far as I could see.
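A check a practitioner would want before rolling regenerated manifests out, added here as an example that is not part of the original issue or of the cilium-olm project: a small Python checker that takes a ClusterRole as returned by `kubectl get clusterrole <name> -o json` and reports which verbs on `coordination.k8s.io` / `leases` no rule grants, handling the RBAC `*` wildcard and the empty-string core API group. The ClusterRole embedded below is constructed to mirror the state the issue describes (create/get/update present, list/delete absent); the function names and the `LEASE_VERBS_REQUIRED` tuple are this example's own, not anything from the project.

```python
"""Check that a ClusterRole grants the verbs a workload needs on a resource.

Added example for this issue; not code from the original report or from the
cilium-olm project. Input is a ClusterRole object in the shape produced by
`kubectl get clusterrole <name> -o json`.
"""
import json


def _covers(entries, wanted):
    """True if an RBAC rule list (apiGroups/resources/verbs) covers `wanted`.

    RBAC treats "*" as matching everything; the core API group is "".
    """
    return "*" in entries or wanted in entries


def granted_verbs(clusterrole, api_group, resource):
    """Union of the verbs all rules in `clusterrole` grant on api_group/resource.

    Each verb only needs some rule to grant it, so the rules are unioned.
    Returns {"*"} as soon as a matching rule grants the wildcard verb, since
    that already covers every verb.
    """
    verbs = set()
    for rule in clusterrole.get("rules", []):
        if not _covers(rule.get("apiGroups", []), api_group):
            continue
        if not _covers(rule.get("resources", []), resource):
            continue
        rule_verbs = rule.get("verbs", [])
        if "*" in rule_verbs:
            return {"*"}
        verbs.update(rule_verbs)
    return verbs


def missing_verbs(clusterrole, api_group, resource, required):
    """Verbs from `required` that no rule grants on api_group/resource."""
    granted = granted_verbs(clusterrole, api_group, resource)
    if "*" in granted:
        return set()
    return set(required) - granted


# Constructed sample in the shape of `kubectl get clusterrole cilium -o json`,
# trimmed to two rules. It is NOT the real generated manifest from the issue;
# it only reproduces the lease verbs the issue says are present.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "cilium"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["create", "get", "update"]}
  ]
}
""")

# Verbs on leases the failed release asked for: the three the hunk context
# shows already present plus the two the API server reported as not held.
LEASE_VERBS_REQUIRED = ("create", "get", "update", "list", "delete")


def check_lease_verbs(clusterrole):
    """Which of the required lease verbs does this ClusterRole still lack?"""
    return missing_verbs(clusterrole, "coordination.k8s.io", "leases",
                         LEASE_VERBS_REQUIRED)


if __name__ == "__main__":
    missing = check_lease_verbs(SAMPLE_CLUSTERROLE)
    name = SAMPLE_CLUSTERROLE["metadata"]["name"]
    if missing:
        print("ClusterRole %s lacks verbs on leases: %s" % (name, sorted(missing)))
    else:
        print("ClusterRole %s grants all required lease verbs" % name)
```

Run it against both the generated `cilium` ClusterRole and the `cilium-olm` operator's own ClusterRole: the quoted error is the API server's RBAC escalation-prevention check, which refuses to create or update a role when the requesting service account does not itself hold every permission being granted, so the operator's role has to cover `list` and `delete` on leases too, not only the role it generates.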