Unable to install SecretProviderClass using Helm chart

[esune]

I am following this documentation to enable the Secrets Store CSI driver provider in an existing aks cluster, which was provisioned using Terraform (as far as my understanding goes, there is no Terraform API to do so, yet).

The chart providing the extension was successfully installed as I can see the pods running:

$ kubectl get pods -n kube-system -l 'app in (secrets-store-csi-driver, secrets-store-provider-azure)'
NAME                                     READY   STATUS    RESTARTS   AGE
aks-secrets-store-csi-driver-glqkd       3/3     Running   0          3h4m
aks-secrets-store-csi-driver-m5clf       3/3     Running   0          3h4m
aks-secrets-store-provider-azure-cm8c4   1/1     Running   0          3h4m
aks-secrets-store-provider-azure-l29rn   1/1     Running   0          3h4m

I have successfully configured the user-managed identity and am now trying to create the SecretProviderClass using a Helm chart like the following, from an Azure DevOps pipeline:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: {{ .Values.keyVaultName  | quote }}  
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"               # [OPTIONAL] if not provided, will default to "false"
    useVMManagedIdentity: "false"         # [OPTIONAL available for version > 0.0.4] if not provided, will default to "false"
    userAssignedIdentityID: {{ .Values.clientId | quote }}   # [OPTIONAL available for version > 0.0.4] use the client id to specify which user assigned managed identity to use. If using a user assigned identity as the VM's managed identity, then specify the identity's client id. If empty, then defaults to use the system assigned identity on the VM
    keyvaultName: {{ .Values.keyVaultName  | quote }}                # the name of the KeyVault
    cloudName: ""                         # [OPTIONAL available for version > 0.0.4] if not provided, azure environment will default to AzurePublicCloud
    cloudEnvFileName: ""                  # [OPTIONAL available for version > 0.0.7] use to define path to file for populating azure environment
    objects:  |
      array:
        {{ range $v :=  .Values.secrets }}
        - |
          objectName: {{ $v }}
          objectAlias: {{ $v }}           # [OPTIONAL available for version > 0.0.4] object alias
          objectType: secret              # object types: secret, key or cert. For Key Vault certificates, refer to https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/getting-certs-and-keys/ for the object type to use
          objectVersion: ""               # [OPTIONAL] object versions, default to latest if empty
        {{ end }}
        {{ range $v :=  .Values.keys }}
        - |
          objectName: {{ $v }}
          objectAlias: ""                 # If provided then it has to be referenced in [secretObjects].[objectName] to sync with Kubernetes secrets 
          objectType: key
          objectVersion: ""
        {{ end }}
    tenantId: {{ .Values.tenantId | quote }}                       # the tenant ID of the KeyVault

The reason to do this is that the SecretProviderClass - if I understand correctly - needs to be updated every time a secret is added/removed from the deployments that will use them, and this step would ensure it is always up-to-date before the Helm charts depending on it are run. The Helm task, however, fails with the following error:

Error: secretproviderclasses.secrets-store.csi.x-k8s.io is forbidden: User "system:serviceaccount:myproject:default" cannot create resource "secretproviderclasses" in API group "secrets-store.csi.x-k8s.io" in the namespace "mynamespace": Azure does not have opinion for this user.

My service account was assigned the admin clusterrolebinding, I checked the available clusterrolebindings to understand if I need to add additional permissions to it, however none of them seems to have create permission on the secretproviderclasses.secrets-store.csi.x-k8s.io resource type.

Am I supposed to create my own cluster role to handle this? While the cluster-admin role should be able to create these resources, for the use-case described above a less privileged service account should be sufficient and am therefore surprised a "standard" clusterrole is not provided for this purpose.

Suggestions and/or feedback are welcome 🙂

[github-actions]

This issue is stale because it has been open 14 days with no activity. Please comment or this will be closed in 7 days.

[esune]

Bumping this. I was able to get things running, however guidance on the preferred way to setup RBAC would be appreciated, or feedback on the suggested automated setup of appropriate RBAC profiles when installing the chart.

[github-actions]

This issue is stale because it has been open 14 days with no activity. Please comment or this will be closed in 7 days.

[github-actions]

This issue was closed because it has been stalled for 21 days with no activity. Feel free to re-open if you are experiencing the issue again.

[brandonmaul]

Bumping this. I was able to get things running, however guidance on the preferred way to setup RBAC would be appreciated, or feedback on the suggested automated setup of appropriate RBAC profiles when installing the chart.

How were you able to get this working? Having the exact same issue on my cluster.

[esune]

Bumping this. I was able to get things running, however guidance on the preferred way to setup RBAC would be appreciated, or feedback on the suggested automated setup of appropriate RBAC profiles when installing the chart.

How were you able to get this working? Having the exact same issue on my cluster.

I created my own cluster role and assigned it to my service account.

$ kubectl describe clusterrole aks-secret-store-admin
Name:         aks-secret-store-admin
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                     Non-Resource URLs  Resource Names  Verbs
  ---------                     -----------------  --------------  -----
  *.secrets-store.csi.x-k8s.io  []                 []              [*]

Please note my RBAC is pretty lax and could (should?) likely be tightened further. What I am not happy with is how the Secrets Store doesn't provide an ou-of-the-box clusterrole to do this, yet it requires the permission in order to create resources required to use the driver.

[aramase]

Hello 👋🏻

We recently merged a PR in the driver to add custom roles for view, edit and admin. This will be available as part of v1.1.0 release for the driver.