missing permissions for creating services #41

Closed
eranreshef opened this issue Apr 7, 2021 · 7 comments · Fixed by #42

@eranreshef

Describe the bug
I've deployed the secret-generator according to the example manifests given in the deploy dir in this repo, and it's complaining about missing RBAC permissions for creating services.
This raises 2 questions:

  1. If this permission is really needed, why is it not mentioned in the example?
  2. Why is it needed? Why does a secret-generator need to create service object(s) in the cluster?

To Reproduce
Deploy the secret manager according to the example given in deploy dir.

Expected behavior
The container should start without any errors

Environment:

  • Kubernetes version: 1.18.16
  • kubernetes-secret-generator version: 3.2.0

Additional context

kubernetes-secret-generator {"level":"info","ts":1617775252.2373734,"logger":"cmd","msg":"Could not create metrics Service","error":"failed to create or get service for metrics: services is forbidden: User \"system:serviceaccount:kube-system:kubernetes-secret-generator\" cannot create resource \"services\" in API group \"\" in the namespace \"kube-system\""}
@eranreshef eranreshef added the bug label Apr 7, 2021
@martin-helmich
Member

IIRC, the service is required only when using the Prometheus operator (which requires a Service to collect metrics from). The generator itself will work just as fine without this service. I do agree that this could be made clearer in the documentation, though.

@diranged

We just started seeing this out of nowhere as well... and the Helm chart doesn't seem to provide for this functionality, nor is the chart on GitHub anymore. Can we get an updated Helm chart that adds the missing RBAC rule in?

@eranreshef
Author

The container logs show which permissions are missing; I was just wondering why they are needed.

@YannikBramkamp
Contributor

I created a fix for the issue in the linked PR; would that solve the problem? It contains roles with the missing permissions, as well as the option to suppress the generation of the monitoring service altogether if it's not needed.
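
Added example, not part of this thread and not the content of the linked PR: a short Python script that parses the RBAC denial logged in the opening post and renders a namespaced Role and RoleBinding granting only the denied verb on the denied resource. The object name `metrics-service` is a hypothetical placeholder; everything else is taken from the log line.

```python
import json
import re

# Log line copied from the opening post, including the pod-name prefix.
LOG_LINE = r'''kubernetes-secret-generator {"level":"info","ts":1617775252.2373734,"logger":"cmd","msg":"Could not create metrics Service","error":"failed to create or get service for metrics: services is forbidden: User \"system:serviceaccount:kube-system:kubernetes-secret-generator\" cannot create resource \"services\" in API group \"\" in the namespace \"kube-system\""}'''

# Shape of the API server's RBAC denial for a namespaced resource.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def parse_denial(line):
    """Return the denied subject, verb, resource, group and namespace, or None."""
    start = line.find("{")  # skip any log-shipper prefix before the JSON body
    if start < 0:
        return None
    try:
        error = json.loads(line[start:]).get("error", "")
    except json.JSONDecodeError:
        return None
    m = DENIAL.search(error)
    return m.groupdict() if m else None

def role_manifest(d, name="metrics-service"):  # name is a hypothetical placeholder
    """Render a namespaced Role and RoleBinding granting only the denied verb."""
    return f"""apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {{name: {name}, namespace: {d['ns']}}}
rules:
- apiGroups: ["{d['group']}"]
  resources: ["{d['resource']}"]
  verbs: ["{d['verb']}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {{name: {name}, namespace: {d['ns']}}}
roleRef: {{apiGroup: rbac.authorization.k8s.io, kind: Role, name: {name}}}
subjects:
- {{kind: ServiceAccount, name: {d['sa']}, namespace: {d['sa_ns']}}}
"""

if __name__ == "__main__":
    denial = parse_denial(LOG_LINE)
    print(role_manifest(denial) if denial else "no RBAC denial found")
```

The log only proves that `create` was denied; any further verb should be added only after it shows up in a denial of its own. Kubernetes cannot restrict `create` by `resourceNames`, so the namespaced Role is the narrowest scope available for this grant.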

@mittwald-machine
Collaborator

There has not been any activity to this issue in the last 30 days. It will automatically be closed after 7 more days. Remove the stale label to prevent this.


hensur added a commit to YannikBramkamp/kubernetes-secret-generator that referenced this issue Jul 9, 2021