open-horizon / anax

Horizon agent control system
https://open-horizon.github.io/docs/anax/docs/
Apache License 2.0

For cluster-scoped agent, Kubeworker should add namespace for serviceaccount in clusterrolebinding, if namespace is omitted #4013

Open LiilyZhang opened 7 months ago

LiilyZhang commented 7 months ago

Clusterrolebinding.yml in operator

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  namespace: my-namespace # <--- if this line is not present, kubeworker should add the service namespace to this clusterrolebinding
  name: controller-manager

log:

I0207 23:42:28.429094      14 client.go:163] Kubernetes Worker: successfully installed Namespace cluster-scope
I0207 23:42:28.429198      14 api_objects.go:320] Kubernetes Worker: creating cluster role {&ClusterRole{ObjectMeta:{manager-role      0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},Rules:[]PolicyRule{PolicyRule{Verbs:[create delete get list patch update watch],APIGroups:[demo.operator.golang.com],Resources:[topserviceoperators],ResourceNames:[],NonResourceURLs:[],},PolicyRule{Verbs:[update],APIGroups:[demo.operator.golang.com],Resources:[topserviceoperators/finalizers],ResourceNames:[],NonResourceURLs:[],},PolicyRule{Verbs:[get patch update],APIGroups:[demo.operator.golang.com],Resources:[topserviceoperators/status],ResourceNames:[],NonResourceURLs:[],},PolicyRule{Verbs:[create delete get list patch update watch],APIGroups:[apps],Resources:[deployments daemonsets replicasets statefulsets configmaps secrets],ResourceNames:[],NonResourceURLs:[],},},AggregationRule:nil,}}
I0207 23:42:28.440520      14 client.go:163] Kubernetes Worker: successfully installed ClusterRole manager-role
I0207 23:42:28.440602      14 api_objects.go:386] Kubernetes Worker: creating cluster role binding {&ClusterRoleBinding{ObjectMeta:{manager-rolebinding      0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},Subjects:[]Subject{Subject{Kind:ServiceAccount,APIGroup:,Name:controller-manager,Namespace:,},},RoleRef:RoleRef{APIGroup:rbac.authorization.k8s.io,Kind:ClusterRole,Name:manager-role,},}}
E0207 23:42:28.448589      14 kubeworker.go:117] Kubernetes Worker: failed to process kube package after agreement negotiation: Kubernetes Worker: Error creating the cluster rolebinding: ClusterRoleBinding.rbac.authorization.k8s.io "manager-rolebinding" is invalid: subjects[0].namespace: Required value
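
A sketch of the defaulting step requested above, added here as an illustration and not taken from the anax code base: before the binding is created, each ServiceAccount subject with an empty namespace gets the service's namespace. The `Subject` and `ClusterRoleBinding` types are local stand-ins for the `k8s.io/api/rbac/v1` types, and the helper name `DefaultSubjectNamespaces` is hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Subject and ClusterRoleBinding are local stand-ins carrying only the fields
// visible in the log above; real code would use k8s.io/api/rbac/v1.
type Subject struct {
	Kind, APIGroup, Name, Namespace string
}

type ClusterRoleBinding struct {
	Name     string
	Subjects []Subject
}

// DefaultSubjectNamespaces (hypothetical helper) sets Namespace on every
// ServiceAccount subject that omits it and returns the names it changed.
// Explicit namespaces and User/Group subjects are left untouched.
func DefaultSubjectNamespaces(crb *ClusterRoleBinding, serviceNamespace string) ([]string, error) {
	if crb == nil {
		return nil, errors.New("nil cluster role binding")
	}
	var changed []string
	for i := range crb.Subjects {
		s := &crb.Subjects[i]
		if s.Kind != "ServiceAccount" || s.Namespace != "" {
			continue
		}
		if serviceNamespace == "" {
			return nil, fmt.Errorf("subject %q has no namespace and no service namespace is known", s.Name)
		}
		s.Namespace = serviceNamespace
		changed = append(changed, s.Name)
	}
	return changed, nil
}

func main() {
	// Constructed input matching the binding in the log above.
	crb := &ClusterRoleBinding{Name: "manager-rolebinding", Subjects: []Subject{
		{Kind: "ServiceAccount", Name: "controller-manager"},
	}}
	changed, err := DefaultSubjectNamespaces(crb, "my-namespace")
	fmt.Println(changed, err, crb.Subjects[0].Namespace)
}
```

Returning the list of changed subjects lets the caller log exactly which service accounts were bound to the cluster role by defaulting rather than by the operator author's explicit choice.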