What happened:
User has role binding to clusterroles/admin in the namespace.
$ kubectl rollout undo statefulset foo
error: unable to find history controlled by StatefulSet foo: controllerrevisions.apps is forbidden: User "bar" cannot list controllerrevisions.apps in the namespace "baz"
What you expected to happen:
To roll back successfully.
How to reproduce it (as minimally and precisely as possible):
A 1.10 cluster (haven't tested 1.11 but I suspect it's the same) and a 1.12 kubectlAnything else we need to know?:
It seems that the built in admin and edit clusterroles don't cover controllerrevisions.apps, which is needed in >=1.12 for kubectl to interact with revision history?
Environment:
Kubernetes version (use kubectl version):
$ kubectl version --short
Client Version: v1.12.2
Server Version: v1.10.8
What happened: User has role binding to
clusterroles/admin
in the namespace.What you expected to happen: To roll back successfully. How to reproduce it (as minimally and precisely as possible): A 1.10 cluster (haven't tested 1.11 but I suspect it's the same) and a 1.12
kubectl
Anything else we need to know?: It seems that the built inadmin
andedit
clusterroles don't covercontrollerrevisions.apps
, which is needed in >=1.12 forkubectl
to interact with revision history? Environment:kubectl version
):/kind bug /sig auth /sig cli /sig apps