sighupio / permission-manager

Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management, Web UI FTW
https://sighup.io/
BSD 3-Clause "New" or "Revised" License

User created with 'template-namespaced-resources___developer' template is unable to delete a secret #184

Closed jaepetto closed 8 months ago

jaepetto commented 8 months ago

We are currently using permission manager to set up an account that uses the template 'template-namespaced-resources___developer'.

The ClusterRole is defined by:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: permission-manager
    meta.helm.sh/release-namespace: permission-manager
  creationTimestamp: "2023-06-13T15:18:35Z"
  labels:
    app.kubernetes.io/managed-by: Helm
  name: template-namespaced-resources___developer
  resourceVersion: "25531371"
  uid: 1e89ac34-6a1c-44cc-b0a3-c8e19b286ee3
rules:
- apiGroups:
  - '*'
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - pods/log
  - pods/portforward
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - secrets
  - services
  - events
  - daemonsets
  - deployments
  - replicasets
  - ingresses
  - networkpolicies
  - poddisruptionbudgets
  verbs:
  - '*'
```

Which, if I can read correctly, should be able to delete a secret.

But we get the following error message:

```text
Error from server (Forbidden): secrets "cs250-regcred" is forbidden: User "system:serviceaccount:permission-manager:cs250" cannot delete resource "secrets" in API group "" in the namespace "cs250"
```

Could it be a bug? How can I troubleshoot it further?
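As an added illustration (not code from the issue or from the permission-manager project), the following Python models how the Kubernetes RBAC authorizer evaluates a request: a rule matches when the verb, API group and resource are each listed or covered by `'*'` (in Kubernetes, `apiGroups: ['*']` does include the core group `""`), and a role grants nothing until a binding attaches it to the subject, with a RoleBinding only counting in its own namespace. The rules are transcribed from the ClusterRole above; the bindings and the `permission-manager-developer` binding name are constructed assumptions used to show how a binding in the wrong namespace, or no binding at all, produces exactly the Forbidden result even though the role's rules allow the verb.

```python
"""Minimal model of Kubernetes RBAC evaluation (added example, not part of the
permission-manager project). Separates "do the role's rules allow this?" from
"is the role bound to this subject in this namespace?", which is the first
question to ask when a ClusterRole looks correct but a request is Forbidden."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Rules of the template-namespaced-resources___developer ClusterRole from the issue.
DEVELOPER_RULES = [
    {
        "apiGroups": ["*"],
        "resources": [
            "configmaps", "endpoints", "persistentvolumeclaims", "pods",
            "pods/log", "pods/portforward", "podtemplates",
            "replicationcontrollers", "resourcequotas", "secrets", "services",
            "events", "daemonsets", "deployments", "replicasets", "ingresses",
            "networkpolicies", "poddisruptionbudgets",
        ],
        "verbs": ["*"],
    }
]

SUBJECT = "system:serviceaccount:permission-manager:cs250"  # from the error message


@dataclass
class Binding:
    """A RoleBinding (namespace set) or ClusterRoleBinding (namespace None)."""
    role: str
    subjects: List[str]
    namespace: Optional[str] = None


def _matches(allowed: List[str], value: str) -> bool:
    # A wildcard entry covers every value, including the core API group "".
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """True if a single policy rule covers the (verb, group, resource) triple.
    Subresources such as pods/log must be listed literally, as in Kubernetes."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def role_allows(rules: List[dict], verb: str, api_group: str, resource: str) -> bool:
    """A role allows a request if any one of its rules does."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def request_allowed(roles: Dict[str, List[dict]], bindings: List[Binding],
                    subject: str, verb: str, api_group: str, resource: str,
                    namespace: str) -> bool:
    """Authorize like the RBAC authorizer: walk the bindings that name the
    subject, skip RoleBindings from other namespaces, and check the bound role."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if role_allows(roles[b.role], verb, api_group, resource):
            return True
    return False


ROLES = {"template-namespaced-resources___developer": DEVELOPER_RULES}


def scenario(binding_namespace: Optional[str], bound: bool = True) -> bool:
    """Evaluate `delete secrets` in namespace cs250 under one constructed
    binding layout (binding name is a hypothetical placeholder)."""
    bindings = []
    if bound:
        bindings.append(Binding("template-namespaced-resources___developer",
                                [SUBJECT], binding_namespace))
    return request_allowed(ROLES, bindings, SUBJECT, "delete", "", "secrets", "cs250")


if __name__ == "__main__":
    print("rules allow delete secrets:", role_allows(DEVELOPER_RULES, "delete", "", "secrets"))
    print("RoleBinding in cs250:      ", scenario("cs250"))
    print("RoleBinding in other ns:   ", scenario("staging"))
    print("ClusterRoleBinding:        ", scenario(None))
    print("no binding at all:         ", scenario("cs250", bound=False))
```

Against a live cluster the same question is answered by `kubectl auth can-i delete secrets --as=system:serviceaccount:permission-manager:cs250 -n cs250`, and the bindings that reference the role can be listed with `kubectl get rolebindings,clusterrolebindings -A -o wide` and filtered for the role name; if no binding in `cs250` names that service account, the Forbidden error is expected regardless of what the ClusterRole's rules say.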