I'm trying to narrow down the permissions needed to run helm-controller fully scoped in a namespace, but I hit a wall when I found:
E0907 17:29:05.730579 1 controller.go:117] error syncing 'helm-controller/traefik': handler helm-controller: failed to create helm-helm-controller-traefik rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding for helm-controller helm-controller/traefik: clusterrolebindings.rbac.authorization.k8s.io "helm-helm-controller-traefik" is forbidden: user "system:serviceaccount:helm-controller:helm-controller" (groups=["system:serviceaccounts" "system:serviceaccounts:helm-controller" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
Hi @ams0, this is indeed a Cluster role, but it is actually bound to a single namespace scope because it is referenced by a RoleBinding and not a ClusterRoleBinding.
Is it an issue for you?
This is due to this line: https://github.com/rancher/helm-controller/blob/3e223ca9dc94607ea9b7deb7f632551230c4db32/pkg/helm/controller.go#L271 which wants to grant cluster-admin to every chart. This should rather be a namespaced Role, do you agree?
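As an added illustration (not helm-controller's code), here is a simplified Python model of the RBAC escalation check behind the "attempting to grant RBAC permissions not currently held" error above: a subject can only bind rules it already holds in that scope, so a ClusterRoleBinding to cluster-admin is refused for a service account that holds only namespaced rights, while a namespaced Role covering a subset of what it holds is admitted. The `CLUSTER` pseudo-scope and the sample held rules are constructed assumptions.

```python
# Added example, not helm-controller's code: a simplified model of the
# Kubernetes RBAC escalation check. A subject may only bind rules it already
# holds in the binding's scope; the real API server additionally honours the
# 'bind'/'escalate' verbs and splits rules finer than this toy does.
from dataclasses import dataclass

CLUSTER = "<cluster>"  # assumed pseudo-scope standing in for ClusterRoleBindings


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset

    def covers(self, wanted: "Rule") -> bool:
        """True if every group/resource/verb in `wanted` is held here ('*' matches all)."""
        def part(held, want):
            return "*" in held or want <= held
        return (part(self.api_groups, wanted.api_groups)
                and part(self.resources, wanted.resources)
                and part(self.verbs, wanted.verbs))


def rule(groups, resources, verbs) -> Rule:
    return Rule(frozenset(groups), frozenset(resources), frozenset(verbs))


def ungrantable(held: dict, binding_scope: str, role_rules: list) -> list:
    """Rules in `role_rules` the subject may not grant via a binding in `binding_scope`.

    `held` maps a namespace (or CLUSTER) to the rules the subject holds there.
    Cluster-wide rules also count inside every namespace, so a RoleBinding may
    draw on both; a ClusterRoleBinding may draw on cluster-wide rules only.
    An empty result means the binding would be admitted."""
    applicable = list(held.get(CLUSTER, []))
    if binding_scope != CLUSTER:
        applicable += held.get(binding_scope, [])
    return [r for r in role_rules if not any(h.covers(r) for h in applicable)]


# Constructed sample data: cluster-admin's single wildcard rule, and a service
# account that holds only namespaced rights inside "helm-controller".
CLUSTER_ADMIN = [rule(["*"], ["*"], ["*"])]
SA_HELD = {
    "helm-controller": [
        rule(["helm.cattle.io"], ["helmcharts"], ["get", "list", "watch", "update"]),
        rule(["batch"], ["jobs"], ["get", "create", "delete"]),
    ],
}
JOB_RUNNER = [rule(["batch"], ["jobs"], ["get", "create"])]  # subset of what the SA holds
```

`ungrantable(SA_HELD, CLUSTER, CLUSTER_ADMIN)` returns the wildcard rule (denied, as in the error), while `ungrantable(SA_HELD, "helm-controller", JOB_RUNNER)` returns an empty list (admitted), which is the namespaced-Role shape proposed above.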