nginx: RBAC for leader election #798

Closed
abh opened this issue May 31, 2017 · 3 comments · Fixed by #804


abh commented May 31, 2017

With the new leader election the role also needs create and update access to configmaps in the nginx-ingress namespace.

(Related to #747)

@abh abh closed this as completed May 31, 2017
@abh abh reopened this May 31, 2017
@abh abh changed the title RBAC for leader election nginx: RBAC for leader election May 31, 2017
Member

liggitt commented May 31, 2017

I wouldn't expect it to have access to all configmaps, just the one used for leader election

Author

abh commented May 31, 2017

@liggitt oh, I didn't know that was possible:

```
resourceNames: ["ingress-controller-leader-nginx"]
```
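
The exchange above, worked through as an added example (not code from the thread or from the ingress project): a simplified Python model of RBAC rule matching, showing that a `resourceNames` restriction covers `get` and `update` on the leader-election configmap but can never match `create`, whose request carries no object name. The three rule sets, the `some-other-config` name and the helper functions are assumptions for illustration; only verbs, resources and resourceNames are evaluated.

```python
# Simplified model of how the Kubernetes RBAC authorizer matches one request
# against the rules of a Role (API groups, namespaces and wildcards omitted).
LEADER_CM = "ingress-controller-leader-nginx"  # configmap name from the thread

def rule_allows(rule, verb, resource, name=""):
    """True if a single rule permits the request. `name` is "" for create,
    because a POST to the collection carries no object name in its URL."""
    if verb not in rule["verbs"] or resource not in rule["resources"]:
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means "any object"; otherwise exact match.
    return not names or name in names

def role_allows(rules, verb, resource, name=""):
    return any(rule_allows(r, verb, resource, name) for r in rules)

# Candidate rule sets (assumed), written with the same keys as a Role manifest.
BROAD = [{"apiGroups": [""], "resources": ["configmaps"],
          "verbs": ["get", "create", "update"]}]
NAMED_ONLY = [{"apiGroups": [""], "resources": ["configmaps"],
               "resourceNames": [LEADER_CM],
               "verbs": ["get", "create", "update"]}]
SPLIT = [
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": [LEADER_CM], "verbs": ["get", "update"]},
    # create cannot be limited by name, so it gets its own rule
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
]

# Constructed requests: the three leader-election calls, plus one write to an
# unrelated configmap that the controller should not be able to make.
REQUESTS = [
    ("get", "configmaps", LEADER_CM),
    ("create", "configmaps", ""),
    ("update", "configmaps", LEADER_CM),
    ("update", "configmaps", "some-other-config"),
]

def evaluate(rules):
    """Return one allow/deny decision per entry in REQUESTS."""
    return [role_allows(rules, v, r, n) for v, r, n in REQUESTS]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("named-only", NAMED_ONLY),
                         ("split", SPLIT)):
        print(label, evaluate(rules))
```

Only the split rule set lets all three leader-election calls through while still denying the write to the unrelated configmap.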

weitzj added a commit to weitzj/ingress that referenced this issue Jun 1, 2017
Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7
the nginx-controller needs to handle leader-election via configmaps.

To perform the leader-election the nginx-controller needs to have the
appropriate RBAC permissions.

Prior to this fix, the following errors occurred:

-  cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx)
- initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps)
Contributor

weitzj commented Jun 1, 2017

@abh @liggitt Maybe you want to have a look at the PR.

aledbf added a commit that referenced this issue Jun 2, 2017
Fix #798 - RBAC for leader election
puja108 added a commit to puja108/ingress that referenced this issue Jun 2, 2017
puja108 pushed a commit to puja108/ingress that referenced this issue Jun 2, 2017

fix ingress rbac roles

There were 2 things that the current IC (0.9 beta7) needs.

The ClusterRole was missing `get nodes`:

```
RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide
```

The Role was missing `update configmaps`:

```
RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"
```

removed update configmap because of kubernetes#798

rebased on master, moved get nodes to own rule

added get nodes to cluster permissions