Open loicmathieu opened 2 months ago
The issue is caused by a ClusterRole that is bonded using a RoleBinding instead of a ClusterRoleBinding.
What is generated:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kestra-flow-cluster-role
namespace: kestra
rules:
- apiGroups:
- model.kestra.io
resources:
- kestraflows
- kestraflows/status
- kestraflows/finalizers
verbs:
- get
- list
- watch
- patch
- update
- create
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kestra-flow-crd-validating-role-binding
namespace: kestra
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: josdk-crd-validating-cluster-role
subjects:
- kind: ServiceAccount
name: kestra-orchestrator
namespace: kestra
What should be generated:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kestra-flow-cluster-role
namespace: kestra
rules:
- apiGroups:
- model.kestra.io
resources:
- kestraflows
- kestraflows/status
- kestraflows/finalizers
verbs:
- get
- list
- watch
- patch
- update
- create
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kestra-flow-crd-validating-role-binding
namespace: kestra
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: josdk-crd-validating-cluster-role
subjects:
- kind: ServiceAccount
name: kestra-orchestrator
namespace: kestra
Operators deployed using the generated k8s resources are forbidden to access the CRD.
Steps to reproduce:
Then the operator fail to start with: