storageos / charts

StorageOS official Helm Charts
MIT License

Missing RBAC permissions when ingress is enabled #49

Open EppO opened 5 years ago

EppO commented 5 years ago

When you enable ingress in the cluster definition:

apiVersion: "storageos.com/v1"
kind: StorageOSCluster
metadata:
  name: "example-storageos"
spec:
  secretRefName: "storageos-api" # Reference the Secret created in the previous step
  secretRefNamespace: "storageos"  # Namespace of the Secret
  images:
    nodeContainer: "storageos/node:1.1.5" # StorageOS version
  resources:
    requests:
      memory: "512Mi"
  csi:
    enable: true
    enableProvisionCreds: true
    enableControllerPublishCreds: true
    enableNodePublishCreds: true
  ingress:
    enable: true
    hostname: storageos.mycluster.example.com

You get this error:

Events:
  Type     Reason          Age              From                       Message
  ----     ------          ----             ----                       -------
  Warning  FailedCreation  0s (x3 over 2s)  storageoscluster-operator  failed to create Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:storageos-operator:storageoscluster-operator-sa" cannot create resource "ingresses" in API group "extensions" in the namespace "storageos"

Adding this block to the ClusterRole storageos-operator does the trick:

- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - create
  - delete
  - patch
  - update
  - list

This should be set when you enable ingress in the cluster config, otherwise the cluster won't start.
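
Added example, not part of the issue thread or the StorageOS chart: a small offline check that evaluates ClusterRole rules the way RBAC matches API group, resource and verb, run against the rule block proposed above. `BASE_RULES` is a constructed stand-in for the operator's existing rules, and the function names are hypothetical.

```python
# Added example: offline RBAC rule matching for the operator's ClusterRole.
# "*" in apiGroups/resources/verbs matches anything, as in Kubernetes RBAC.

def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` in `api_group`."""
    def match(values, wanted):
        return "*" in values or wanted in values
    if rule.get("resourceNames"):
        # Simplification (assumption): a name-restricted rule is not counted
        # as a namespace-wide grant.
        return False
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def missing_verbs(rules, api_group, resource, verbs):
    """Verbs from `verbs` that no rule in `rules` grants."""
    return [v for v in verbs
            if not any(rule_allows(r, api_group, resource, v) for r in rules)]

# Constructed stand-in for the ClusterRole before the fix (not the chart's real rules).
BASE_RULES = [
    {"apiGroups": [""], "resources": ["services", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "statefulsets"], "verbs": ["*"]},
]
# The rule block proposed in the issue.
INGRESS_RULE = {"apiGroups": ["extensions"], "resources": ["ingresses"],
                "verbs": ["create", "delete", "patch", "update", "list"]}
NEEDED = ["create", "delete", "patch", "update", "list"]

def report(rules):
    """Summarise which of NEEDED is missing for ingresses in 'extensions'."""
    gaps = missing_verbs(rules, "extensions", "ingresses", NEEDED)
    return "ok" if not gaps else "missing: " + ",".join(gaps)

if __name__ == "__main__":
    patched = BASE_RULES + [INGRESS_RULE]
    print("before:", report(BASE_RULES))
    print("after: ", report(patched))
    # RBAC is scoped per API group: the rule covers only the "extensions"
    # group named in the error, not Ingress served from networking.k8s.io.
    print("networking.k8s.io gaps:",
          missing_verbs(patched, "networking.k8s.io", "ingresses", ["create"]))
    # The block grants list but not get; widen it only if a call is denied.
    print("get/list gaps:",
          missing_verbs(patched, "extensions", "ingresses", ["get", "list"]))
```

On a live cluster, `kubectl auth can-i create ingresses.extensions --as=system:serviceaccount:storageos-operator:storageoscluster-operator-sa -n storageos` asks the API server the same question for the service account named in the error.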

croomes commented 5 years ago

Thanks @EppO, good catch. We'll look at this on Monday.

EppO commented 5 years ago

Hostname doesn't look to be propagated either. Ingress gets created without any host entry (just *).