kyma-project / lifecycle-manager

Controller that manages the lifecycle of Kyma Modules in your cluster.
http://kyma-project.io
Apache License 2.0

Investigate need for `kyma-system` and `istio-system` RoleBindings to `klm-manager-role` ClusterRole #1613

Closed c-pius closed 1 month ago

c-pius commented 3 months ago

Description

As of now we have three bindings to klm-manager-role ClusterRole for kcp-system, kyma-system and istio-system namespaces: https://github.com/kyma-project/lifecycle-manager/blob/main/config/rbac/namespace_bindings/role_binding.yaml

While testing the helm setup, we tried to remove the ones for kyma-system and istio-system, but this leads to errors like:

klm-controller-manager-7d846d6545-5hqq9 manager W0605 12:53:04.754801       1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope
klm-controller-manager-7d846d6545-5hqq9 manager E0605 12:53:04.754828       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1beta2.Watcher: failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope

Those errors are surprising because KLM should be working in the kcp-system namespace on KCP, and in the kyma-system namespace only on SKR, which is accessed through the related kubeconfig file.

We need to find out why those bindings are needed and whether the setup can be reduced so that it no longer needs them.

Reasons

Keeping RBAC as restricted and clean as possible

Acceptance Criteria

Feature Testing

No response

Testing approach

No response

Attachments

No response

nesmabadr commented 2 months ago

The errors shown are specific to the namespaces:

Failed to watch *v1beta2.ModuleTemplate: failed to list *v1beta2.ModuleTemplate: moduletemplates.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "moduletemplates" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:21.745617       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 E0725 18:54:21.745979       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1beta2.Kyma: failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:27.603816       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 E0725 18:54:27.604167       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
klm-controller-manager-8c89c9759-7t729 W0725 18:54:37.570212       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "istio-system"
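The denials quoted in this issue and in the comment above are the evidence for deciding which bindings can go: each one names the identity, the verb, the resource, the API group and the scope (a namespace, or the cluster). The following added example (not code from the issue or from lifecycle-manager) turns such log lines into a per-scope list of what the service account actually tried to do, so the result can be compared with the RoleBindings; the sample log is constructed from the lines quoted on this page, with the pod and reflector prefixes shortened.

```python
import re
from collections import defaultdict

# Constructed sample: the forbidden errors quoted in this issue, prefixes shortened.
SAMPLE_LOG = """\
W0605 12:53:04.754801 1 reflector.go:539] failed to list *v1beta2.Watcher: watchers.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "watchers" in API group "operator.kyma-project.io" at the cluster scope
E0725 18:54:21.745979 1 reflector.go:150] Failed to watch *v1beta2.ModuleTemplate: moduletemplates.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "moduletemplates" in API group "operator.kyma-project.io" in the namespace "kyma-system"
W0725 18:54:21.745617 1 reflector.go:547] failed to list *v1beta2.Kyma: kymas.operator.kyma-project.io is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "kymas" in API group "operator.kyma-project.io" in the namespace "kyma-system"
W0725 18:54:27.603816 1 reflector.go:547] failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "kyma-system"
W0725 18:54:37.570212 1 reflector.go:547] failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kcp-system:klm-controller-manager" cannot list resource "secrets" in API group "" in the namespace "istio-system"
"""

# Matches the RBAC denial clause the API server puts into the error message.
# The API group may be empty (core group); the scope is either a namespace or "cluster".
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)


def parse_denials(log: str):
    """Return sorted distinct (user, scope, group, resource, verb) tuples.

    scope is the namespace name, or "<cluster>" for cluster-scoped requests.
    Repeated retries of the same informer collapse into one tuple.
    """
    seen = set()
    for line in log.splitlines():
        match = FORBIDDEN.search(line)
        if not match:
            continue
        scope = match.group("namespace") or "<cluster>"
        seen.add((match.group("user"), scope, match.group("group"),
                  match.group("resource"), match.group("verb")))
    return sorted(seen)


def scopes_touched(log: str):
    """Map each scope to the sorted "group/resource" names the identity tried to access there.

    A "<cluster>" entry can only be satisfied by a ClusterRoleBinding; a namespace other than
    the controller's own shows where its informers are configured to list, which is exactly
    what a namespaced RoleBinding for that namespace would be covering.
    """
    out = defaultdict(set)
    for _user, scope, group, resource, _verb in parse_denials(log):
        out[scope].add(f"{group or 'core'}/{resource}")
    return {scope: sorted(names) for scope, names in out.items()}
```

Running it on the sample shows one cluster-scoped list (watchers) plus namespaced lists in kyma-system and istio-system, which is the set a narrowed RBAC or a narrowed informer configuration has to account for.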