solo-io / gloo

The Cloud-Native API Gateway and AI Gateway
https://docs.solo.io/
Apache License 2.0

glooctl create secret requires unnecessary permissions #6826

Open bdecoste opened 2 years ago

bdecoste commented 2 years ago

Gloo Edge Version

1.11.x (latest stable)

Kubernetes Version

No response

Describe the bug

glooctl create secret requires seemingly unnecessary permissions to run. The following is using a serviceaccount with no clusterrolebindings or rolebindings.

$ glooctl create secret tls --name test --certchain mtls.crt --privatekey mtls.key
Warning: Could not determine gloo server versions (is Gloo running outside of kubernetes?): deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
Warning: Could not determine gloo server versions (is Gloo running outside of kubernetes?): deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
E0729 13:34:46.072446    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:46.072470    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:46.072441    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:46.072516    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:46.072579    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:46.995010    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:47.287072    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:47.339962    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:47.350180    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:47.350694    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:49.046893    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:49.072975    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:49.200251    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:49.816387    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:50.161620    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:53.236696    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:53.656179    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:54.496718    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:54.585626    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:55.564245    4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope

Steps to reproduce the bug

1) kubectl config set-cluster test-cluster --server=https://8485EBB297B0333AC1F962D470A01EE7.sk1.us-east-2.eks.amazonaws.com --certificate-authority=k8s-ca.crt
2) kubectl -n gloo-system create serviceaccount test
3) kubectl config set-credentials test-user --token=${TOKEN}
   The token is from the token secret created in step 2.
4) kubectl config set-context test-context --user=test-user --cluster=test-cluster
5) kubectl config use-context test-context

Expected Behavior

glooctl create secret succeeds without unnecessary perms

Additional Context

No response
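As an added example (not glooctl's or the Gloo project's code), the script below turns client-go "forbidden" messages like the ones quoted in this issue into the list of permissions the command actually attempted, flags any cluster-wide read of secrets, and renders the narrowest Role/ClusterRole that would satisfy exactly those requests so a cluster admin can review them before granting anything. The sample log is constructed from the messages in this report (trimmed to the forbidden text), and the role name `glooctl-observed` is a placeholder.

```python
"""Parse Kubernetes RBAC "forbidden" messages (the format client-go / kubectl emit)
into the permissions a tool is requesting, and render the smallest Role/ClusterRole
that would satisfy them. Added example; not part of glooctl or the Gloo project."""
import re
from collections import namedtuple

# namespace is None for a denial reported "at the cluster scope"
Denial = namedtuple("Denial", "user verb resource group namespace")

# Constructed sample built from the messages quoted in the issue, trimmed to the forbidden text.
SAMPLE_LOG = """\
Warning: Could not determine gloo server versions: deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
E0729 13:34:46.072446    4520 reflector.go:138] Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:46.072470    4520 reflector.go:138] Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:47.287072    4520 reflector.go:138] Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
"""

DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)


def parse_denials(text):
    """Return the distinct denials in first-seen order (reflector retries repeat the same line)."""
    found = []
    for m in DENIAL_RE.finditer(text):
        d = Denial(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
        if d not in found:
            found.append(d)
    return found


# Verbs that return object bodies; on secrets at cluster scope they expose every credential in the cluster.
READ_VERBS = {"get", "list", "watch"}


def cluster_wide_secret_reads(denials):
    """Denials that would need cluster-wide read access to secrets: review before granting."""
    return [d for d in denials
            if d.resource == "secrets" and d.namespace is None and d.verb in READ_VERBS]


def render_rbac(denials, name):
    """Render one Role per namespace and one ClusterRole for cluster-scoped denials.

    Each rule lists exactly the apiGroup/resource/verb that was denied, nothing broader,
    so the output is a starting point for a least-privilege grant, not a wildcard role.
    """
    by_scope = {}
    for d in denials:
        by_scope.setdefault(d.namespace, []).append(d)
    docs = []
    for namespace, items in by_scope.items():
        kind = "Role" if namespace else "ClusterRole"
        lines = ["apiVersion: rbac.authorization.k8s.io/v1", f"kind: {kind}",
                 "metadata:", f"  name: {name}"]
        if namespace:
            lines.append(f"  namespace: {namespace}")
        lines.append("rules:")
        for d in items:
            lines += [f'- apiGroups: ["{d.group}"]',
                      f'  resources: ["{d.resource}"]',
                      f'  verbs: ["{d.verb}"]']
        docs.append("\n".join(lines))
    return "\n---\n".join(docs) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for d in denials:
        print(f"{d.user}: {d.verb} {d.resource}.{d.group or 'core'} in {d.namespace or 'cluster scope'}")
    for d in cluster_wide_secret_reads(denials):
        print(f"REVIEW: cluster-wide {d.verb} on secrets requested")
    print(render_rbac(denials, "glooctl-observed"))
```

Feed it the full stderr of the failing command to get the complete set; the rendered ClusterRole makes it visible that, as reported, the CLI is asking for `list` on secrets across every namespace rather than `create` on one secret in `gloo-system`.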

github-actions[bot] commented 5 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.