examples/nginx/rbac: Give access to own namespace #1001

Merged: 1 commit, Jul 21, 2017

chancez
Member

@chancez chancez commented Jul 20, 2017

Even with `--force-namespace-isolation`, nginx-ingress-controller still queries for its own namespace, so give it access to querying namespaces within its namespace in the nginx-ingress-role.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 20, 2017
@coveralls

Coverage remained the same at 43.925% when pulling 8cd18bc on chancez:patch-2 into fbb96f4 on kubernetes:master.

@aledbf aledbf self-assigned this Jul 21, 2017
@aledbf
Member

aledbf commented Jul 21, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2017
@aledbf
Member

aledbf commented Jul 21, 2017

@chancez thanks!

@aledbf aledbf merged commit 1a26aa2 into kubernetes:master Jul 21, 2017
@chancez chancez deleted the patch-2 branch July 21, 2017 18:49
@redbaron

redbaron commented May 23, 2018

I don't think it achieves the desired effect. Namespace is not a namespaced resource, therefore it is outside the control of a Role; it must be a ClusterRole.

For those who stumble upon it, here is a solution which works:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-prod
  annotations:
rules:
  - apiGroups:
      - ""            # core API group
    resources:
      - namespaces
    resourceNames:
      - prod          # limit the rule to the namespace object named "prod"
    verbs:
      - get
```

The key is to use `resourceNames`.
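
How a rule carrying `resourceNames` is matched against requests, as an added example that is not part of the comment above or of the project's code: a simplified Python model of RBAC rule matching (wildcards, subresources and bindings are left out). The `Rule` and `Request` types, the `UNSCOPED` rule and the `dev` namespace are constructed for illustration.

```python
# Simplified model of matching one Kubernetes RBAC rule against a request.
# Assumption: "*" wildcards, subresources and role bindings are not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple
    resource_names: tuple = ()   # empty means "any object name"


@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str
    resource: str
    name: str = ""               # empty for collection requests such as list


def rule_allows(rule: Rule, req: Request) -> bool:
    """Return True if this single rule permits the request."""
    if (req.verb not in rule.verbs
            or req.api_group not in rule.api_groups
            or req.resource not in rule.resources):
        return False
    # With resourceNames set, the request must name one of the listed objects;
    # a request that carries no object name cannot satisfy the rule.
    return not rule.resource_names or req.name in rule.resource_names


# The rule from the ClusterRole in the comment above.
INGRESS_PROD = Rule(("",), ("namespaces",), ("get",), ("prod",))
# Constructed variant without resourceNames, for comparison.
UNSCOPED = Rule(("",), ("namespaces",), ("get",))

# Constructed sample requests ("dev" is a made-up namespace name).
GET_PROD = Request("get", "", "namespaces", "prod")
GET_DEV = Request("get", "", "namespaces", "dev")
LIST_ALL = Request("list", "", "namespaces")

if __name__ == "__main__":
    for req in (GET_PROD, GET_DEV, LIST_ALL):
        print(req.verb, req.name or "<collection>",
              "| with resourceNames:", rule_allows(INGRESS_PROD, req),
              "| without:", rule_allows(UNSCOPED, req))
```

Without `resourceNames` the same rule also permits `get` on any other namespace object, which is the difference the comparison rule makes visible.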
