rke1.4.4 upgrade calico to 3.24.1 rbac missing permissions #3221

Closed
yangzinan opened this issue Apr 17, 2023 · 5 comments

Comments

@yangzinan

yangzinan commented Apr 17, 2023

After the upgrade, ClusterRole calico-node is missing the following content, causing install_cni not to start:

    - apiGroups: [""]
      resources:
        - serviceaccounts/token
      resourceNames:
        - calico-node
      verbs:
        - create

ipamconfigs is missing creation permission:

    - apiGroups: ["crd.projectcalico.org"]
      resources:
        - ipamconfigs
      verbs:
        - get
        - create

I now use addons to remedy this problem.
I don't know if direct installation will also have this problem.
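
An added example, not part of the original post or the RKE/Calico code: a check that reports which of the rules listed above a ClusterRole object does not grant, using a simplified form of Kubernetes RBAC rule matching. The `BEFORE` and `AFTER` objects are constructed samples, and the function names are hypothetical.

```python
# Added example: checks a ClusterRole for the rules listed in the issue.
# (apiGroup, resource, verb, resourceName or None), taken from the YAML above.
REQUIRED = [
    ("", "serviceaccounts/token", "create", "calico-node"),
    ("crd.projectcalico.org", "ipamconfigs", "get", None),
    ("crd.projectcalico.org", "ipamconfigs", "create", None),
]

def resource_matches(rule_resources, resource):
    # "*" matches all; "*/token" matches the token subresource of any resource.
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    return any(r in ("*", resource) or (sub and r == "*/" + sub)
               for r in rule_resources)

def rule_allows(rule, group, resource, verb, name):
    """Simplified form of the Kubernetes RBAC rule match (assumption)."""
    groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
    names = rule.get("resourceNames", [])
    if "*" not in groups and group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    if not resource_matches(rule.get("resources", []), resource):
        return False
    # Empty resourceNames means any name; a non-empty list restricts to those.
    return not names or name in names

def missing_permissions(cluster_role, required=REQUIRED):
    rules = cluster_role.get("rules") or []
    return [req for req in required
            if not any(rule_allows(rule, *req) for rule in rules)]

# Constructed sample shaped like `kubectl get clusterrole calico-node -o json`.
BEFORE = {"kind": "ClusterRole", "metadata": {"name": "calico-node"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get"]},
    {"apiGroups": ["crd.projectcalico.org"], "resources": ["ipamconfigs"],
     "verbs": ["get"]},
]}
# The same role with the two rules from the issue appended.
AFTER = {**BEFORE, "rules": BEFORE["rules"] + [
    {"apiGroups": [""], "resources": ["serviceaccounts/token"],
     "resourceNames": ["calico-node"], "verbs": ["create"]},
    {"apiGroups": ["crd.projectcalico.org"], "resources": ["ipamconfigs"],
     "verbs": ["get", "create"]},
]}

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_permissions(role))
```

Running the same check before and after an upgrade shows whether the regenerated role dropped a rule the CNI installer depends on.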

@yangzinan
Author

These RBAC changes are supposed to fix this problem:
projectcalico/calico#5910

@HcgRandon

HcgRandon commented Apr 24, 2023

Also faced this issue. In addition, there is an RBAC permission issue with nginx-ingress too. Will open a separate issue shortly.

@mateuszkwiatkowski
Contributor

Confirming the issue.

    The ClusterRoleBinding "canal-calico" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"calico"}: cannot change roleRef

@leitaof

leitaof commented May 4, 2023

Also have the same problem when trying to upgrade from rke 1.4.3 to 1.4.5:

    cni-installer/ : Unable to create token for CNI kubeconfig error=serviceaccounts "calico-node" is forbidden: User "system:serviceaccount:kube-system:canal" cannot create resource "serviceaccounts/token" in API group "" in the namespace "kube-system"

@github-actions
Contributor

github-actions bot commented Jul 4, 2023

This repository uses an automated workflow to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the workflow can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the workflow will automatically close the issue in 14 days. Thank you for your contributions.
