Hello.
I open this issue because I am trying to use OPA as an authorization system for Apache Strimzi (Kafka cluster on Kubernetes).
I'm working on a Kubernetes cluster where I am not admin. I work in a namespace my-namespace, where I am admin of the namespace.
I try to deploy OPA like this:
When I deploy the opa container like this, with kube-mgmt container, I can see the following errors in the logs of opa container:

```text
E1018 08:27:20.433570 1 reflector.go:138] k8s.io/client-go@v0.23.8/tools/cache/reflector.go:167: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kafkatopics.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "kafkatopics" in API group "kafka.strimzi.io" at the cluster scope
W1018 08:27:26.511207 1 reflector.go:324] k8s.io/client-go@v0.23.8/tools/cache/reflector.go:167: failed to list *unstructured.Unstructured: kafkausers.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "kafkausers" in API group "kafka.strimzi.io" at the cluster scope
```

I created my custom resources kafkaTopics and kafkaUsers in my namespace my-namespace.
Is it possible to make OPA work with a service account without clusterRole?
I tried to create a role and a rolebinding for the default service account of my namespace:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: strimzi-view
  labels:
    app: strimzi
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      - kafkas
      - kafkaconnects
      - kafkamirrormakers
      - kafkausers
      - kafkatopics
      - kafkabridges
      - kafkaconnectors
      - kafkamirrormaker2s
      - kafkarebalances
    verbs:
      - get
      - list
      - watch
```

But it does not help sadly.
Is it possible to use OPA like I try, only to handle authorizations for a kafka cluster with strimzi operator and not being admin of the kubernetes cluster?
Originally posted by @gwenael-lebarzic in https://github.com/open-policy-agent/community/discussions/501
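The forbidden messages above end with "at the cluster scope", which is the key detail: a Role bound by a RoleBinding only grants permissions inside its namespace, so it can never satisfy a cluster-scoped list or watch, no matter which verbs and resources it lists. The following is an added example (not code from the issue author or from OPA/kube-mgmt) that parses that log format and evaluates the request against a simplified RBAC model, with a constructed Role/RoleBinding and ClusterRole/ClusterRoleBinding for the same service account; the binding dictionaries and rule subset are assumptions for illustration.

```python
import re

# Constructed sample: the forbidden message format the API server returns (as seen in the issue logs).
LOG_CLUSTER = ('kafkatopics.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-namespace:default" '
               'cannot list resource "kafkatopics" in API group "kafka.strimzi.io" at the cluster scope')
LOG_NAMESPACED = ('kafkatopics.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-namespace:default" '
                  'cannot list resource "kafkatopics" in API group "kafka.strimzi.io" in the namespace "my-namespace"')

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" (?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)')

def parse_forbidden(line):
    """Extract subject, verb, resource, group and scope from a forbidden log line."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    # namespace is None when the request was made at the cluster scope
    return {"user": m["user"], "verb": m["verb"], "resource": m["resource"],
            "group": m["group"], "namespace": m["ns"]}

def rule_matches(rule, req):
    """Simplified PolicyRule matching: group, resource and verb must all be covered."""
    return ((req["group"] in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (req["resource"] in rule["resources"] or "*" in rule["resources"])
            and (req["verb"] in rule["verbs"] or "*" in rule["verbs"]))

def allowed(bindings, req):
    """A binding with namespace=None models a ClusterRoleBinding; otherwise a RoleBinding."""
    for b in bindings:
        if req["user"] not in b["subjects"]:
            continue
        # A namespaced binding cannot authorize a cluster-scoped request (namespace None),
        # nor a request in a different namespace.
        if b["namespace"] is not None and b["namespace"] != req["namespace"]:
            continue
        if any(rule_matches(r, req) for r in b["rules"]):
            return True
    return False

# Assumed bindings for the issue's service account (subset of the Role in the issue).
STRIMZI_RULES = [{"apiGroups": ["kafka.strimzi.io"],
                  "resources": ["kafkatopics", "kafkausers"], "verbs": ["get", "list", "watch"]}]
SA = "system:serviceaccount:my-namespace:default"
ROLE_BINDING = {"subjects": [SA], "namespace": "my-namespace", "rules": STRIMZI_RULES}
CLUSTER_BINDING = {"subjects": [SA], "namespace": None, "rules": STRIMZI_RULES}

def diagnose(line, bindings):
    """Return True/False for whether the given bindings would have permitted the logged request."""
    req = parse_forbidden(line)
    return None if req is None else allowed(bindings, req)
```

Running `diagnose(LOG_CLUSTER, [ROLE_BINDING])` reproduces the issue's situation (denied), while the same Role granted through a cluster-scoped binding, or a namespaced list, is permitted.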