Closed sokoow closed 3 years ago
Could you pass along the set of commands you used to create your locked-down config? I'd like to try to reproduce this at my end. Thank you!
Sure, sorry for the delay, just got to this:
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: user-2k946n
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: user-2k946n-full-access
  namespace: user-2k946n
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: user-2k946n-view
  namespace: user-2k946n
subjects:
- kind: ServiceAccount
  name: user-2k946n
  namespace: user-2k946n
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: user-2k946n-full-access
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: user-2k946n
  namespace: user-2k946n
```

```yaml
apiVersion: v1
kind: Config
preferences: {}
# Define the cluster
clusters:
- cluster:
    certificate-authority-data: BASE64CERT
    # You'll need the API endpoint of your Cluster here:
    server: https://cluster.little:6443
  name: melittlecluster
# Define the user
users:
- name: user-2k946n
  user:
    as-user-extra: {}
    client-key-data: BASE64CERT
    token: BASE64CERT
# Define the context: linking a user to a cluster
contexts:
- context:
    cluster: melittlecluster
    namespace: user-2k946n
    user: user-2k946n
  name: user-2k946n
# Define current context
current-context: user-2k946n
```
This should be enough to run Telepresence through it and experience the problems I faced.
Any update?
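To see what the Role posted in the comment above grants, here is an added example (not part of the thread and not Telepresence code) that evaluates its two rules offline with a simplified RBAC matcher. The sample requests are constructed for illustration and are not a list of what Telepresence needs; the matcher ignores any other bindings the cluster may have.

```python
# Rules copied from the Role "user-2k946n-full-access" in the thread.
ROLE_NAMESPACE = "user-2k946n"
ROLE_RULES = [
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
]

# Constructed sample requests: (namespace, apiGroup, resource, verb).
# An empty namespace stands for a cluster-scoped request.
SAMPLE_REQUESTS = [
    (ROLE_NAMESPACE, "", "pods/portforward", "create"),
    (ROLE_NAMESPACE, "apps", "deployments", "patch"),
    (ROLE_NAMESPACE, "batch", "jobs", "create"),
    (ROLE_NAMESPACE, "batch", "jobs/status", "get"),
    (ROLE_NAMESPACE, "rbac.authorization.k8s.io", "roles", "get"),
    (ROLE_NAMESPACE, "networking.k8s.io", "networkpolicies", "list"),
    ("", "", "nodes", "list"),
    ("default", "", "services", "list"),
]


def _matches(allowed, value):
    # "*" matches everything; otherwise the entry must match exactly, so a
    # subresource such as "jobs/status" is not covered by the entry "jobs".
    return "*" in allowed or value in allowed


def role_allows(namespace, api_group, resource, verb):
    """Return True if the Role, bound in ROLE_NAMESPACE, permits the request."""
    # A RoleBinding only applies to requests inside its own namespace, so
    # cluster-scoped requests and other namespaces are never granted by it.
    if namespace != ROLE_NAMESPACE:
        return False
    return any(
        _matches(rule["apiGroups"], api_group)
        and _matches(rule["resources"], resource)
        and _matches(rule["verbs"], verb)
        for rule in ROLE_RULES
    )


def denied(requests):
    """Return the requests that the Role does not permit."""
    return [req for req in requests if not role_allows(*req)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("allow" if role_allows(*req) else "deny ", req)
```

On a live cluster the same questions can be asked of the API server with `kubectl auth can-i <verb> <resource> -n user-2k946n --as=system:serviceaccount:user-2k946n:user-2k946n`.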
I believe this is no longer an issue in Telepresence 2. Here are the docs on RBAC with Telepresence: https://www.telepresence.io/docs/latest/reference/rbac/. Here are the docs on how to install Telepresence (https://www.telepresence.io/docs/latest/install/); please re-open if you still see this issue in our latest version!
So, here's my scenario:
proxy logs on kube cluster don't show much:
same for local docker proxy logs on the client:
although this part looks worrying:
when I exec into the proxy on kube, it has internet connectivity:
so it must be either something with the tunnel, or rbac is too strict - um... help ? :D