I've configured a ServiceAccount (patch-operator) with permissions to read and modify secrets and configmaps in a particular namespace. I have this role:
And this rolebinding:
But when I deploy a patch that attempts to read from a ConfigMap and write to a Secret:
I see the manager logging:
E0919 20:29:05.707142 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch /v1, Kind=Secret: failed to list /v1, Kind=Secret: secrets is forbidden: User "system:serviceaccount:lars-sandbox:patch-operator" cannot list resource "secrets" in API group "" at the cluster scope
The SA demonstrably has appropriate permissions in the namespace, for example, I can do this:
TOKEN="$(oc sa get-token patch-operator)"
kubectl --token="$TOKEN" patch cm argocd-cm -p '{"data": {"dex-config": "this is a test"}}'
configmap/argocd-cm patched
Why is the patch operator trying to list resources in the cluster scope, rather than using the namespace scope? I don't want the service account to have cluster-wide Secrets access.
I am facing the same issue. It may be because sourceObjectRefs[].namespace is not taken into account, so your patch would be applied to all secrets with name dex-config (max one per namespace). Did you figure it out, or did you simply give cluster-wide permissions?
Yes, I just saw thread #4, where you chased the issue, and I saw your commit. Never mind: the permissions are cluster-wide but the target is namespaced (it works as expected), so it should be OK.
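The log line in the first post shows the informer issuing a list for Secrets with no namespace, i.e. a cluster-scope request, which a namespaced Role can never satisfy even though the same SA can patch a ConfigMap inside the namespace. The following added example (not code from the issue or from the operator) models the Kubernetes RBAC decision for both the namespaced Role/RoleBinding the reporter had and the cluster-wide binding the later comment settled on; the rule contents and the `lars-sandbox` binding are constructed for illustration.

```python
"""Minimal model of the Kubernetes RBAC authorizer decision (added example).

A RoleBinding grants its rules only for requests inside its own namespace; a
ClusterRoleBinding grants them in every namespace and at cluster scope. A
request with namespace "" is cluster-scoped, which is what an informer does
when it lists or watches a resource without a namespace filter.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

    def covers(self, verb: str, group: str, resource: str) -> bool:
        return (("*" in self.verbs or verb in self.verbs)
                and ("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources))


@dataclass
class Binding:
    """namespace set => RoleBinding; namespace None => ClusterRoleBinding.
    Rules are attached directly (whether they come from a Role or a ClusterRole
    does not change the scope; only the binding kind does)."""
    subject: str
    rules: List[Rule]
    namespace: Optional[str] = None


def allowed(bindings: List[Binding], subject: str, verb: str, group: str,
            resource: str, namespace: str) -> bool:
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding never matches a cluster-scope request (namespace "")
        # nor a request in another namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.covers(verb, group, resource) for r in b.rules):
            return True
    return False


# Constructed to mirror the permissions described in the issue.
SA = "system:serviceaccount:lars-sandbox:patch-operator"
RULE = Rule({""}, {"secrets", "configmaps"}, {"get", "list", "watch", "patch", "update"})
namespaced = [Binding(SA, [RULE], namespace="lars-sandbox")]   # Role + RoleBinding
cluster_wide = [Binding(SA, [RULE])]                           # ClusterRole + ClusterRoleBinding


def check(bindings: List[Binding]) -> dict:
    """The three requests from the issue: the manual patch, a namespaced list,
    and the informer's cluster-scope list."""
    return {
        "patch cm in ns": allowed(bindings, SA, "patch", "", "configmaps", "lars-sandbox"),
        "list secrets in ns": allowed(bindings, SA, "list", "", "secrets", "lars-sandbox"),
        "list secrets cluster-scope": allowed(bindings, SA, "list", "", "secrets", ""),
    }
```

With `namespaced`, only the cluster-scope list is denied, reproducing the `secrets is forbidden ... at the cluster scope` error; the least-privilege fix is an informer that lists within the namespace rather than a ClusterRoleBinding.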