k3s-io / helm-controller

Apache License 2.0
391 stars 85 forks source link

RBAC needed for namespaced deployment #195

Closed tcordeu closed 1 year ago

tcordeu commented 1 year ago

Hello, I deployed the helm-controller using the latest artifact: curl -Ls https://github.com/k3s-io/helm-controller/releases/download/v0.14.0/deploy-namespaced.yaml | kubectl apply -f - and the deployment is showing the following error:

E0523 17:26:15.395364       1 leaderelection.go:330] error retrieving resource lock helm-controller/helm-controller-lock: configmaps "helm-controller-lock" is forbidden: User "system:serviceaccount:helm-controller:default" cannot get resource "configmaps" in API group "" in the namespace "helm-controller"
E0523 17:26:17.824670       1 leaderelection.go:330] error retrieving resource lock helm-controller/helm-controller-lock: configmaps "helm-controller-lock" is forbidden: User "system:serviceaccount:helm-controller:default" cannot get resource "configmaps" in API group "" in the namespace "helm-controller"
E0523 17:26:21.779472       1 leaderelection.go:330] error retrieving resource lock helm-controller/helm-controller-lock: configmaps "helm-controller-lock" is forbidden: User "system:serviceaccount:helm-controller:default" cannot get resource "configmaps" in API group "" in the namespace "helm-controller"

Am I missing the RBAC setup?

Thanks, Thomas.

brandond commented 1 year ago

Yeah, neither manifest contains the necessary RBAC. We should probably add some.

This project is mostly used embedded within k3s and rke2, so the standalone deployment files are kind of sparse.

tcordeu commented 1 year ago

@brandond Thanks for the response! Do you have any examples/docs on the permissions needed so that I can work from there?

brandond commented 1 year ago

in most scenarios we just bind it to an admin account, since it will usually need access to everything in order to create/update/delete whatever resources may be specified in helm charts. You might be able to dig some examples out of the test harness?