loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0

sync.hoststorageclasses requires access to clusterroles #2279

Open cpockrandt opened 1 week ago

cpockrandt commented 1 week ago

What happened?

We use the official Helm-Chart v0.19.7 with k0s (k0s:v1.29.1-k0s.0) and the following config:

```yaml
sync:
  ingresses:
    enabled: true
  ingressclasses:
    enabled: false
  secrets:
    enabled: true
    all: true
  hoststorageclasses:
    enabled: true
```

In the host cluster, I can run `kubectl get storageclasses.storage.k8s.io`, so I would expect to be able to turn on `hoststorageclasses`. But instead I get the following error message:

```
Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource ClusterRole "vc-vc-v-test" in namespace "": clusterroles.rbac.authorization.k8s.io "vc-vc-v-test" is forbidden: User "system:serviceaccount:test:cmx-..." cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
```

What did you expect to happen?

Since I am able to list the storageclasses in the host cluster, I would expect it not to require further access to clusterroles. Is this expected behavior or is there a workaround (since I will not be granted clusterroles in our cluster)?

How can we reproduce it (as minimally and precisely as possible)?

-

Anything else we need to know?

No response

Host cluster Kubernetes version

```console
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.3", GitCommit:"9e644106593f3f4aa98f8a84b23db5fa378900bd", GitTreeState:"clean", BuildDate:"2023-03-15T13:40:17Z", GoVersion:"go1.19.7", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.13+vmware.1", GitCommit:"d82693b8117731e1d506b786bacec4cc7b94fae2", GitTreeState:"clean", BuildDate:"2024-04-24T08:07:19Z", GoVersion:"go1.21.9", Compiler:"gc", Platform:"linux/amd64"}
```

vcluster version

```console
$ vcluster --version
vcluster version 0.19.7
```

VCluster Config

```yaml
sync:
  ingresses:
    enabled: true
  ingressclasses:
    enabled: false
  secrets:
    enabled: true
    all: true
  hoststorageclasses:
    enabled: true
```

deniseschannon commented 2 days ago

I would recommend migrating to v0.20+ in order to better support you. Also, is there a specific reason you are using k0s? We are recommending users use the vanilla k8s distro.

Try looking at this yaml for either v0.20 or v0.21 and try it out:

https://www.vcluster.com/docs/vcluster/configure/vcluster-yaml/sync/from-host/storage-classes