mittwald / kubernetes-secret-generator

Kubernetes controller for automatically generating and updating secrets
Apache License 2.0

missing permissions for creating services #41

Closed eranreshef closed 3 years ago

eranreshef commented 3 years ago

Describe the bug I've deployed the secret-generator according to the example manifests given in the deploy dir in this repo, and it's complaining about missing RBAC permissions for creating services. This raises 2 questions:

  1. If this permission is really needed, why is it not mentioned in the example?
  2. Why is it needed? Why does a secret-generator need to create service object(s) in the cluster?

To Reproduce Deploy the secret manager according to the example given in the deploy dir.

Expected behavior The container should start without any errors

Environment:

Additional context

kubernetes-secret-generator {"level":"info","ts":1617775252.2373734,"logger":"cmd","msg":"Could not create metrics Service","error":"failed to create or get service for metrics: services is forbidden: User \"system:serviceaccount:kube-system:kubernetes-secret-generator\" cannot create resource \"services\" in API group \"\" in the namespace \"kube-system\""}
martin-helmich commented 3 years ago

IIRC, the service is required only when using the Prometheus operator (which requires a Service to collect metrics from). The generator itself will work just fine without this service. I do agree that this could be made clearer in the documentation, though.

diranged commented 3 years ago

We just started seeing this out of nowhere as well... and the Helm chart doesn't seem to provide for this functionality, nor is the chart on GitHub anymore. Can we get an updated Helm chart that adds the missing RBAC rule in?

eranreshef commented 3 years ago

The container logs show which permissions are missing; I was just wondering why they are needed.

YannikBramkamp commented 3 years ago

I created a fix for the issue in the linked PR, would that solve the problem? It contains roles with the missing permissions, as well as the option to suppress the generation of the monitoring service altogether if it's not needed.
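As an added illustration of the RBAC rule discussed above (not taken from the project's manifests or the linked PR): a namespaced Role granting exactly the verbs the logged error names ("create or get" on core-group services), bound to the service account the log identifies. The Role and RoleBinding names are assumptions; scoping to a Role in kube-system rather than a ClusterRole keeps the grant minimal, and if the metrics Service is not wanted at all, suppressing its creation is the tighter option than granting the permission.

```yaml
# Added example, not the project's own manifest. Grants only get/create on
# services in kube-system to the service account named in the error log.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-secret-generator-metrics   # assumed name
  namespace: kube-system
rules:
  # The controller reports "failed to create or get service for metrics",
  # so only those two verbs on core-group ("") services are granted.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-secret-generator-metrics   # assumed name
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: kubernetes-secret-generator         # from the log message
    namespace: kube-system
roleRef:
  kind: Role
  name: kubernetes-secret-generator-metrics
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i create services --as=system:serviceaccount:kube-system:kubernetes-secret-generator -n kube-system` should answer `yes`, while the same check against another namespace should still answer `no`.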

mittwald-machine commented 3 years ago

There has not been any activity to this issue in the last 30 days. It will automatically be closed after 7 more days. Remove the stale label to prevent this.

mittwald-machine commented 3 years ago

There has not been any activity to this issue in the last 30 days. It will automatically be closed after 7 more days. Remove the stale label to prevent this.

mittwald-machine commented 3 years ago

There has not been any activity to this issue in the last 30 days. It will automatically be closed after 7 more days. Remove the stale label to prevent this.