glooctl create secret requires seemingly unnecessary permissions to run. The following is using a serviceaccount with no clusterrolebindings or rolebindings.
$ glooctl create secret tls --name test --certchain mtls.crt --privatekey mtls.key
Warning: Could not determine gloo server versions (is Gloo running outside of kubernetes?): deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
Warning: Could not determine gloo server versions (is Gloo running outside of kubernetes?): deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
E0729 13:34:46.072446 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:46.072470 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:46.072441 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:46.072516 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:46.072579 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:46.995010 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:47.287072 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:47.339962 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:47.350180 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:47.350694 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:49.046893 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:49.072975 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:49.200251 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:49.816387 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:50.161620 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:53.236696 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:53.656179 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope
E0729 13:34:54.496718 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:54.585626 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:55.564245 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
Steps to reproduce the bug
1) kubectl config set-cluster test-cluster --server=https://8485EBB297B0333AC1F962D470A01EE7.sk1.us-east-2.eks.amazonaws.com --certificate-authority=k8s-ca.crt
2) kubectl -n gloo-system create serviceaccount test
3) kubectl config set-credentials test-user --token=${TOKEN}
The token is from the token secret created in step 2
4) kubectl config set-context test-context --user=test-user --cluster=test-cluster
5) kubectl config use-context test-context
Expected Behavior
glooctl create secret succeeds without unnecessary perms
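Read as an audit, the errors above are the exact RBAC footprint glooctl create secret demands: list/watch on pods, secrets, configmaps, namespaces and services at cluster scope, plus list on deployments in gloo-system. The following script is an added example by the editor, not code from the issue or from the Gloo project. It parses "is forbidden" errors into (verb, resource, apiGroup, scope) tuples, diffs them against the single permission the operation should need (assumed here, following the reporter's expectation, to be create on secrets in gloo-system), and emits the narrowest Role/ClusterRole that would satisfy the tool. The function names, EXPECTED_DEMANDS and the role name glooctl-create-secret are hypothetical; the sample lines are copied from the output quoted above.

```shell
#!/bin/sh
# Added example (editor's, not from the issue or the Gloo project): turn a
# CLI's "is forbidden" errors into the RBAC permission set it actually
# demands, diff that against what the operation should need, and emit the
# narrowest Role/ClusterRole that would satisfy it. Function names are
# hypothetical.
set -eu

# Sample input: lines copied from the glooctl output in the issue, one per
# distinct resource plus one duplicate (the deployments warning is printed
# twice by the tool) to show that duplicates collapse.
SAMPLE_LOG='Warning: Could not determine gloo server versions (is Gloo running outside of kubernetes?): deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
Warning: Could not determine gloo server versions (is Gloo running outside of kubernetes?): deployments.apps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "deployments" in API group "apps" in the namespace "gloo-system"
E0729 13:34:46.072446 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "pods" in API group "" at the cluster scope
E0729 13:34:46.072470 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "secrets" in API group "" at the cluster scope
E0729 13:34:46.072441 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "configmaps" in API group "" at the cluster scope
E0729 13:34:46.072516 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "namespaces" in API group "" at the cluster scope
E0729 13:34:46.072579 4520 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:gloo-system:test" cannot list resource "services" in API group "" at the cluster scope'

# What "glooctl create secret tls" should need and nothing more (assumption,
# matching the reporter's expectation): create a Secret in the target
# namespace. Format: "verb resource apiGroup scope".
EXPECTED_DEMANDS='create secrets core gloo-system'

# Read raw CLI/log output on stdin; print one "verb resource apiGroup scope"
# tuple per distinct forbidden error. The core API group ("") is printed as
# "core"; scope is the namespace name or "cluster".
rbac_demands() {
  sed -nE 's/.*cannot ([a-z]+) resource "([^"]*)" in API group "([^"]*)" (in the namespace "([^"]*)"|at the cluster scope).*/\1|\2|\3|\5/p' \
    | awk -F'|' '{ g = ($3 == "") ? "core" : $3; s = ($4 == "") ? "cluster" : $4; print $1, $2, g, s }' \
    | LC_ALL=C sort -u
}

# Read tuples on stdin; print the ones not covered by EXPECTED_DEMANDS.
# Empty output is the good case (grep then exits 1, which is not an error here).
unexpected_demands() {
  grep -vxF -e "$EXPECTED_DEMANDS" || true
}

# Read tuples on stdin; emit the narrowest grant as a YAML stream: one
# ClusterRole for cluster-scoped demands and one Role per namespace, with one
# rule per tuple and no wildcard verbs or resources. $1 names the roles.
rbac_manifest() {
  awk -v name="$1" '
    function rule(v, r, g,   s) {
      s = "  - apiGroups: [\"" (g == "core" ? "" : g) "\"]\n"
      s = s "    resources: [\"" r "\"]\n"
      s = s "    verbs: [\"" v "\"]\n"
      return s
    }
    $4 == "cluster" { cr = cr rule($1, $2, $3); next }
    { ns[$4] = ns[$4] rule($1, $2, $3) }
    END {
      if (cr != "") { printf "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: %s\nrules:\n%s", name, cr }
      for (n in ns) { printf "---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: %s\n  namespace: %s\nrules:\n%s", name, n, ns[n] }
    }'
}

# Stand-alone run over the sample: what is demanded, what goes beyond the
# expected permission, and the manifest you would have to bind to get past
# the errors.
demo() {
  echo "== demanded =="
  printf '%s\n' "$SAMPLE_LOG" | rbac_demands
  echo "== unexpected (beyond: $EXPECTED_DEMANDS) =="
  printf '%s\n' "$SAMPLE_LOG" | rbac_demands | unexpected_demands
  echo "== narrowest grant =="
  printf '%s\n' "$SAMPLE_LOG" | rbac_demands | rbac_manifest glooctl-create-secret
}

demo
```

Against a live cluster, run the tool under the restricted context from the steps above and feed it straight in: `glooctl create secret tls --name test --certchain mtls.crt --privatekey mtls.key 2>&1 | rbac_demands`. The manifest the script produces is what you would have to bind to silence the errors, which is the point of the issue: cluster-wide list/watch on secrets is far more than creating one Secret, and a service account bound that way can read every Secret in the cluster. The complementary check from the API server's side is `kubectl auth can-i --list --as=system:serviceaccount:gloo-system:test`. One caveat on step 3 of the reproduction: on Kubernetes 1.24 and later a new service account no longer gets an auto-generated token Secret, so obtain the token with `kubectl -n gloo-system create token test` instead.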
This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.
Gloo Edge Version
1.11.x (latest stable)
Kubernetes Version
No response
Additional Context
No response