opskumu / helm-wrapper

A Helm3 HTTP Server Wrapper by helm Go SDK, help you manage helm charts with HTTP RESTFul API
MIT License

Run help wrapper without admin level permission #91

Open Formartha opened 1 year ago

Formartha commented 1 year ago

Hi,

We have a use case where we can't provide admin (cluster) level access. Is there any way to deploy the helm wrapper without it? I'm referring to the serviceaccount.yaml modification to use a lower security level user.

opskumu commented 1 year ago

Yes, you can use a lower security level user with serviceaccount.yaml.

Formartha commented 1 year ago

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "helm-wrapper.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
```

One more question: is there any way to avoid using a cluster role binding (e.g. cluster level operations)?

opskumu commented 1 year ago

@Formartha you can use Role and RoleBinding https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-example , cluster-admin is a K8s built-in cluster role; you can also create a role that grants the permissions.
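
A namespace-scoped replacement for the chart's cluster-admin ClusterRoleBinding, added here as an example and not part of the helm-wrapper chart. It assumes the namespace and service account are both named `helm-wrapper`; the resource list is an assumption to be tuned to what your charts deploy (Helm 3 itself stores release state as Secrets in the release namespace).

```yaml
# Added example, not from the helm-wrapper chart. Assumes the namespace and
# service account are both called "helm-wrapper". The resource kinds below are a
# starting point: Helm 3 needs Secrets in the release namespace for release
# records, and the Role must also cover every kind the installed charts create.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-wrapper
  namespace: helm-wrapper
rules:
  # Helm 3 release records live in Secrets; the rest are common chart resources.
  - apiGroups: [""]
    resources: ["secrets", "configmaps", "services", "pods", "serviceaccounts"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only access used when inspecting release status.
  - apiGroups: [""]
    resources: ["events", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-wrapper
  namespace: helm-wrapper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: helm-wrapper
subjects:
  - kind: ServiceAccount
    name: helm-wrapper
    namespace: helm-wrapper
```

Before deploying, confirm the binding grants what Helm needs with `kubectl auth can-i create secrets -n helm-wrapper --as=system:serviceaccount:helm-wrapper:helm-wrapper`; a `no` here shows up later as failed installs rather than a pod crash.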

Formartha commented 1 year ago

Thanks! What is the list of permissions it needs?

Formartha commented 1 year ago

Ok, now I have another issue. I need to understand why the security context requires toYaml in order to load it. We are using a string in our deployment; what should the value be? Can you give an example?

opskumu commented 1 year ago

> security context requires toYaml

You mean the helm-wrapper config needs YAML? I don't really understand, can you give an example?

Formartha commented 1 year ago

So I have used a hardcoded value in the values.yaml file to enable the security context, removed the curly brackets and tried to deploy the helm-wrapper in OCP. This in its turn led to an issue with starting up the container.

When looking at the logs, there is an error related to /tmp with permission denied. What can be the cause of it?

opskumu commented 1 year ago

Can you give the detailed error log output, or show the error log screenshots?

Formartha commented 1 year ago

```
Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sun Aug 06 08:10:06 UTC 2023

There was an unexpected error (type=Not Found, status=404).
```

This is the issue we are facing; probably it's related to the rules of the namespace. Can you please help us with the rules it needs to have in order to run?

GastonKanze commented 1 year ago

Hi, I have the same issue.

When I am deploying helm-wrapper I need to change the serviceaccount.yaml manifest to use my own Role, because I can't use a cluster role binding in the Openshift cluster (permission restricted).

But it looks like the Role created is not working ok or doesn't have enough permissions, and I see the same error when trying to browse any api, for example helm-wrapper/api/namespaces/MYNAMESPACE/releases

The pod is up and running and I don't see issues in the logs, but the UI is not working.

Thanks

opskumu commented 1 year ago

> Whitelabel Error Page
>
> This application has no explicit mapping for /error, so you are seeing this as a fallback.
>
> Sun Aug 06 08:10:06 UTC 2023
>
> There was an unexpected error (type=Not Found, status=404).
>
> This is the issue we are facing, probably it's related to rules of the namespace. Can you please help us with the rules it needs to have in order to run?

It looks like a Spring Boot application error. Can you test by accessing the helm-wrapper pod IP directly?

opskumu commented 1 year ago

> Hi, I have the same issue.
>
> When I am deploying helm-wrapper I need to change the serviceaccount.yaml manifest to use my own Role, because I can't use a cluster role binding in the Openshift cluster (permission restricted).
>
> But it looks like the Role created is not working ok or doesn't have enough permissions, and I see the same error when trying to browse any api, for example helm-wrapper/api/namespaces/MYNAMESPACE/releases
>
> The pod is up and running and I don't see issues in the logs, but the UI is not working.
>
> Thanks

I will check it again without admin permission.