Closed guleng closed 3 years ago
Hi @guleng
Thanks for this bug report. We implemented a nodeCache that watches Node resources and therefore needs additional permissions to access them. This is done in order to filter out neighboring kubenurses on nodes that are unschedulable.
I will implement a flag to disable this (new) feature and provide an updated RBAC definition.
Can you try it with the following additional RBAC resources?
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenurse-node-watcher
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nurse-node-watcher
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenurse-node-watcher
subjects:
  - kind: ServiceAccount
    name: nurse
    namespace: kube-system
```
I'm just preparing/testing https://github.com/postfinance/kubenurse/commit/cd9ac29bfdec070a374ca44f41d3a03f466c8607 which will allow disabling node resource access.
I tried and the result was the same. I got the same results on Kubernetes 1.16 and 1.14. I'll wait for the next version.
Ok, next week the new version should be out. I just saw a mistake in the snippet I provided. It should be like the sample below.
Together with the new release, there will be automated CI testing using the provided examples so we can spot such issues earlier.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenurse-node-watcher
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "watch", "list"]
---
# Nodes are cluster-scoped, so a ClusterRoleBinding (not a namespaced RoleBinding) is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nurse-node-watcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # must reference the ClusterRole defined above
  name: kubenurse-node-watcher
subjects:
  - kind: ServiceAccount
    name: nurse
    namespace: kube-system
```
Can you please try v1.3.4: https://github.com/postfinance/kubenurse/releases/tag/v1.3.4
Also use the new example RBACs.
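A quick way to confirm that the binding above actually took effect before redeploying kubenurse is to ask the API server, impersonating the ServiceAccount, whether each verb the node cache needs is allowed. The following check script is an added example, not part of the kubenurse project; it assumes the ServiceAccount `nurse` in `kube-system` from the snippets above and that `kubectl` is configured against the cluster (both can be overridden through the `SA` and `KUBECTL` variables).

```shell
#!/usr/bin/env sh
# Added example (not kubenurse project code): verify that the kubenurse
# ServiceAccount can get/list/watch nodes, which the nodeCache requires.
# KUBECTL and SA are assumptions that can be overridden from the environment.
KUBECTL="${KUBECTL:-kubectl}"
SA="${SA:-system:serviceaccount:kube-system:nurse}"

# check_node_access prints the decision for each verb and returns 1 if any
# verb is denied, so it can be used in a pre-deploy check or CI step.
check_node_access() {
  rc=0
  for verb in get list watch; do
    # "kubectl auth can-i" prints "yes" or "no"; --as impersonates the SA.
    if answer=$("$KUBECTL" auth can-i "$verb" nodes --as="$SA" 2>/dev/null) \
       && [ "$answer" = "yes" ]; then
      echo "$verb nodes: allowed"
    else
      echo "$verb nodes: DENIED"
      rc=1
    fi
  done
  return $rc
}
```

Source the file and call `check_node_access`; a non-zero exit means at least one verb is missing, which is exactly the situation that produces the forbidden error when the node cache starts. If a verb is denied although the ClusterRole grants it, the usual cause is the binding: a namespaced RoleBinding cannot grant access to cluster-scoped nodes, and the `roleRef.name` must match the ClusterRole that actually holds the rule.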
Hi @djboris9, after I deploy version 3.0, it prompts an error. Even if the ClusterRole permission is given to admin, it does not work.