solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

Gateway pod for at least GlooE 1.3.11 and 1.3.12 requires a clusterrole #3377

Closed bdecoste closed 4 months ago

bdecoste commented 4 years ago

Describe the bug

GlooE 1.3.11 and 1.3.12 (at least, may be more versions but only tested those 2) have a gateway pod that requires a cluster role.

To Reproduce

Steps to reproduce the behavior: Use this helm chart:

global:
  glooRbac:
    namespaced: true
gloo:
  discovery:
    fdsMode: BLACKLIST
  gatewayProxies:
    gatewayProxy:
      readConfig: true
devPortal:
  enabled: true
grafana:
  defaultInstallationEnabled: true
prometheus:
  enabled: true
observability:
  enabled: true
apiServer:
  enable: true

This is the gateway pod error:

$ kubectl -n gloo-system logs gateway-774cf94fbc-pv8t5
{"level":"info","ts":1595337739.5196354,"logger":"gateway.v1.event_loop","caller":"v1/setup_event_loop.sk.go:57","msg":"event loop started","version":"1.3.30"}
{"level":"fatal","ts":1595337739.6261456,"logger":"gateway","caller":"setuputils/main_setup.go:89","msg":"error in setup: creating base Gateway resource client: list check failed: gateways.gateway.solo.io is forbidden: User \"system:serviceaccount:gloo-system:gateway\" cannot list resource \"gateways\" in API group \"gateway.solo.io\" at the cluster scope","version":"1.3.30","stacktrace":"github.com/solo-io/gloo/pkg/utils/setuputils.Main\n\t/workspace/gloo/pkg/utils/setuputils/main_setup.go:89\ngithub.com/solo-io/gloo/projects/gateway/pkg/setup.Main\n\t/workspace/gloo/projects/gateway/pkg/setup/setup.go:13\nmain.main\n\t/workspace/gloo/projects/gateway/cmd/main.go:11\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}
$ kubectl -n gloo-system get roles
NAME                          CREATED AT
apiserver-ui                  2020-07-21T13:21:00Z
gateway-resource-reader       2020-07-21T13:21:00Z
gloo-resource-mutator         2020-07-21T13:21:00Z
gloo-resource-reader          2020-07-21T13:21:00Z
gloo-upstream-mutator         2020-07-21T13:21:00Z
kube-resource-watcher         2020-07-21T13:21:00Z
observability-upstream-role   2020-07-21T13:21:00Z
settings-user                 2020-07-21T13:21:00Z
$ kubectl get clusterroles | grep gloo
glooe-glooe-prometheus-alertmanager                                    2020-07-21T13:21:00Z
glooe-glooe-prometheus-pushgateway                                     2020-07-21T13:21:00Z
glooe-prometheus-kube-state-metrics                                    2020-07-21T13:21:00Z
glooe-prometheus-server                                                2020-07-21T13:21:00Z

Expected behavior

Gloo does not require clusterroles with global.glooRbac.namespaced: true

bdecoste commented 4 years ago

global.glooRbac.namespaced=true also requires settings.singleNamespace=true. This should be documented or corrected.
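A triage helper for the kind of log line reported above, added here as an example and not part of the thread or of Gloo's code: it pulls RBAC denials out of JSON pod logs, records whether each request was cluster-scoped (which a namespaced Role cannot grant) and builds the matching `kubectl auth can-i` check. The function name, the finding fields and the shortened sample lines are assumptions made for this illustration.

```python
import json
import re

# Text of a Kubernetes RBAC denial for a service account, as in the gateway log.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the (?P<cluster>cluster) scope|in the namespace "(?P<ns>[^"]+)")'
)

def rbac_denials(log_lines):
    """Return one finding per JSON log line whose msg holds an RBAC denial."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # shell prompts, table output, blank lines
        if not isinstance(entry, dict):
            continue
        m = FORBIDDEN.search(str(entry.get("msg", "")))
        if not m:
            continue
        cluster_wide = m["cluster"] is not None
        # kubectl accepts RESOURCE.GROUP; the core group is the empty string.
        target = m["resource"] + ("." + m["group"] if m["group"] else "")
        scope_flag = "--all-namespaces" if cluster_wide else "-n " + m["ns"]
        findings.append({
            "service_account": m["sa_ns"] + "/" + m["sa"],
            "verb": m["verb"],
            "resource": target,
            "scope": "cluster" if cluster_wide else "namespace:" + m["ns"],
            # A namespaced Role cannot grant a cluster-scope request.
            "satisfiable_by_role": not cluster_wide,
            "check": f"kubectl auth can-i {m['verb']} {target} "
                     f"--as system:serviceaccount:{m['sa_ns']}:{m['sa']} {scope_flag}",
        })
    return findings

# Sample input: the two gateway log lines from the report (ts, caller and
# stacktrace fields dropped for length) and a kubectl prompt line to skip.
SAMPLE = [
    r'{"level":"info","logger":"gateway.v1.event_loop","msg":"event loop started","version":"1.3.30"}',
    r'{"level":"fatal","logger":"gateway","msg":"error in setup: creating base Gateway resource client: '
    r'list check failed: gateways.gateway.solo.io is forbidden: User \"system:serviceaccount:gloo-system:gateway\" '
    r'cannot list resource \"gateways\" in API group \"gateway.solo.io\" at the cluster scope","version":"1.3.30"}',
    "$ kubectl -n gloo-system get roles",
]

if __name__ == "__main__":
    for finding in rbac_denials(SAMPLE):
        print(finding)
```

A finding with `satisfiable_by_role` set to false on an install that was meant to be namespace-only points at the watch scope of the component, which is the settings.singleNamespace dependency noted in the comment above.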

github-actions[bot] commented 10 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.

github-actions[bot] commented 4 months ago

This issue has been closed due to no activity in the last 12 months.