Unable to delete namespace for HelmReleases impersonating ServiceAccount #270
Comments
This would completely defeat the purpose of allowing a service account to be defined, as the idea is that this provides fine-grained configuration over the RBAC scope for the
This would be better, but still opens some room to fiddle around with e.g. the I think the better solution would be to add our finalizer to the
@hiddeco we can't add our finalizer to the
To add a bit more context: we are in the process of reshaping our security model (details here: fluxcd/flux2#582, first PoC: fluxcd/kustomize-controller#349). With this model, the service account does not actually exist, but is just a name/group that exists as a Stefan's point is that we should not make any more changes to the current impersonation features as they stand, as there is a high chance of breaking changes in the (near) future.
In this example, the HelmRelease is dependent on some other in-namespace resources. (default SA) It is probably important to note how or why the namespace is being deleted. There are a few use-cases.
The Namespace/defaultSA and dependent HelmRelease can be easily applied to the cluster using Flux's dependency features. Solving that issue can help, but if you are just manually deleting the Namespace without respect for ordered, in-namespace dependency, the only things I can imagine that would help are Finalizers on the parent objects or an Admission Control Webhook that prevents deletes using some object DAG. Regarding the missing SA in the new implementation, you would likely want to block on the existence of the pertinent RoleBindings. WRT SA's, finalizing the SA is a good start but it's not enough if the necessary RoleBindings and Roles are deleted. It's possible to protect resources from deletion using Finalizers. It's hard to think of a U/X that makes this work well and is also performant. Perhaps the Deletion Admission Controller or Webhook is an easier solution to reason about?
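The "object DAG" idea from the comment above, as an added example that is not code from the thread or from Flux: objects are plain dicts shaped like manifests (constructed sample), a HelmRelease depends on the ServiceAccount it impersonates and on the RoleBindings binding that SA, and the helpers compute a safe deletion order and flag releases whose finalizer can no longer run once the SA is gone.

```python
"""Model of the stuck-namespace problem: a HelmRelease that impersonates a
ServiceAccount can only be finalized while that SA (and the RoleBindings that
grant it access) still exist. Constructed example, not helm-controller code;
it does not talk to a cluster."""
from graphlib import TopologicalSorter

# Constructed namespace contents: one HelmRelease impersonating the default SA.
NAMESPACE_OBJECTS = [
    {"kind": "HelmRelease", "metadata": {"name": "podinfo"},
     "spec": {"serviceAccountName": "default"}},
    {"kind": "ServiceAccount", "metadata": {"name": "default"}},
    {"kind": "RoleBinding", "metadata": {"name": "default-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}]},
    {"kind": "ConfigMap", "metadata": {"name": "unrelated"}},
]


def key(obj):
    return f"{obj['kind']}/{obj['metadata']['name']}"


def finalize_dependencies(objects):
    """Map each object to the objects that must still exist when it is deleted."""
    deps = {key(o): set() for o in objects}
    for o in objects:
        if o["kind"] != "HelmRelease":
            continue
        sa = o.get("spec", {}).get("serviceAccountName")
        if not sa:
            continue
        deps[key(o)].add(f"ServiceAccount/{sa}")
        # RoleBindings binding that SA are needed for the impersonated API calls.
        for rb in objects:
            if rb["kind"] == "RoleBinding" and any(
                    s["kind"] == "ServiceAccount" and s["name"] == sa
                    for s in rb.get("subjects", [])):
                deps[key(o)].add(key(rb))
    return deps


def deletion_order(objects):
    """Order in which objects can be deleted so no finalizer loses its SA."""
    # static_order() yields dependencies first; reverse it for deletion.
    return list(TopologicalSorter(finalize_dependencies(objects)).static_order())[::-1]


def stuck_releases(objects, already_deleted):
    """HelmReleases whose finalizer can no longer run (the stuck-namespace case)."""
    gone = set(already_deleted)
    return sorted(k for k, needed in finalize_dependencies(objects).items()
                  if k.startswith("HelmRelease/") and needed & gone)
```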
It's worth reading this comment if you're parsing this thread: fluxcd/kustomize-controller#301 (comment)
When:
Hypothesis:
The Helm Controller is behaving as expected by attempting to impersonate the SA, and failing the operation because the SA does not exist. This behaviour is unexpected as a termination of a namespace should result in the deletion of Helm resources as well.
Alternatives: