Expected behaviour
When deploying the operator, I should be able to use RBAC and limit the cluster-level access required to Custom Resource Definitions to only the required/related Resource with:
Actual behaviour
The operator enters CrashLoopBackOff with:
time="2020-02-28T22:07:17Z" level=info msg="Listening on :9710 for metrics exposure" src="asm_amd64.s:1337"
time="2020-02-28T22:07:17Z" level=warning msg="controller name not provided, it should have a name, fallback name to: *redisfailover.RedisFailoverHandler" controller=redisfailover operator=redis-operator src="generic.go:64"
time="2020-02-28T22:07:17Z" level=info msg="starting operator" operator=redis-operator src="main.go:87"
time="2020-02-28T22:07:17Z" level=error msg="Error received: error creating crd redisfailovers.databases.spotahome.com: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:operators:redisoperator\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope, exiting..." src="main.go:124"
time="2020-02-28T22:07:17Z" level=info msg="Stopping everything, waiting 5s..." src="main.go:101"
error executing: error creating crd redisfailovers.databases.spotahome.com: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:operators:redisoperator" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluste
Steps to reproduce the behaviour
Apply the Deployment from all-redis-operator-resources.yaml into the operators namespace
Environment
How are the pieces configured?
Redis Operator = v1.0.0
Kubernetes = 1.13.2
RBAC is enabled
Logs
Same as above but with -debug as a flag:
time="2020-02-28T23:33:31Z" level=debug msg="debug mode activated" src="main.go:124"
time="2020-02-28T23:33:31Z" level=info msg="Listening on :9710 for metrics exposure" src="asm_amd64.s:1337"
time="2020-02-28T23:33:31Z" level=warning msg="controller name not provided, it should have a name, fallback name to: *redisfailover.RedisFailoverHandler" controller=redisfailover operator=redis-operator src="generic.go:64"
time="2020-02-28T23:33:31Z" level=info msg="starting operator" operator=redis-operator src="main.go:87"
time="2020-02-28T23:33:31Z" level=error msg="Error received: error creating crd redisfailovers.databases.spotahome.com: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:operators:redisoperator\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope, exiting..." src="main.go:124"
time="2020-02-28T23:33:31Z" level=info msg="Stopping everything, waiting 5s..." src="main.go:101"
error executing: error creating crd redisfailovers.databases.spotahome.com: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:operators:redisoperator" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Examples of using kubectl auth can-i:
praymann@localhost ~> k auth can-i create customresourcedefinitions/redisfailovers.databases.spotahome.com --as=system:serviceaccount:operators:redisoperator -n operators
yes
praymann@localhost ~> k auth can-i create customresourcedefinitions --as=system:serviceaccount:operators:redisoperator -n operators
no
praymann@localhost ~> k auth can-i delete customresourcedefinitions --as=system:serviceaccount:operators:redisoperator -n operators
no
praymann@localhost ~> k auth can-i update customresourcedefinitions --as=system:serviceaccount:operators:redisoperator -n operators
no
praymann@localhost ~> k auth can-i update customresourcedefinitions/redisfailovers.databases.spotahome.com --as=system:serviceaccount:operators:redisoperator -n operators
yes
praymann@localhost ~> k auth can-i delete customresourcedefinitions/redisfailovers.databases.spotahome.com --as=system:serviceaccount:operators:redisoperator -n operators
yes
praymann@localhost ~> k auth can-i list customresourcedefinitions/redisfailovers.databases.spotahome.com --as=system:serviceaccount:operators:redisoperator -n operators
yes
praymann@localhost ~> k auth can-i get customresourcedefinitions/redisfailovers.databases.spotahome.com --as=system:serviceaccount:operators:redisoperator -n operators
yes
praymann@localhost ~> k auth can-i watch customresourcedefinitions/redisfailovers.databases.spotahome.com --as=system:serviceaccount:operators:redisoperator -n operators
yes
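Why the `can-i` answers and the operator's error can disagree, as an added Go example (not from the issue or the redis-operator code base): `kubectl auth can-i create customresourcedefinitions/NAME` submits an access review that carries the object name, while a real create is a POST to the collection URL and reaches the authorizer with no name, so a rule restricted by `resourceNames` cannot match it. The `Rule` and `Attrs` types and both rule sets are simplified assumptions; the issue's own RBAC YAML is not on the page.

```go
package main

import "fmt"

// Rule and Attrs are simplified models of an RBAC PolicyRule and of the
// attributes the authorizer sees; they are not the Kubernetes API types.
type list = []string
type Rule struct{ Resources, Names, Verbs list }
type Attrs struct{ Verb, Resource, Name string }

func has(set list, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// Allows: an empty Names list matches any object; a non-empty list matches
// only requests that carry one of the listed object names.
func (r Rule) Allows(a Attrs) bool {
	return has(r.Resources, a.Resource) && has(r.Verbs, a.Verb) &&
		(len(r.Names) == 0 || has(r.Names, a.Name))
}

// Authorize is additive: a request passes if any single rule allows it.
func Authorize(rules []Rule, a Attrs) bool {
	for _, r := range rules {
		if r.Allows(a) {
			return true
		}
	}
	return false
}

const crds = "customresourcedefinitions.apiextensions.k8s.io"
const crdName = "redisfailovers.databases.spotahome.com"

// Pinned is an assumed rule set: every verb restricted to the one CRD name.
var Pinned = []Rule{{list{crds}, list{crdName}, list{"create", "get", "update", "delete"}}}

// Split leaves create unnamed (so it permits creating any CRD) and pins the rest.
var Split = []Rule{{list{crds}, nil, list{"create"}}, {list{crds}, list{crdName}, list{"get", "update", "delete"}}}

func main() {
	asked := Attrs{"create", crds, crdName} // kubectl auth can-i create crd/NAME
	sent := Attrs{"create", crds, ""}       // real create: POST to the collection, no name
	fmt.Println(Authorize(Pinned, asked), Authorize(Pinned, sent), Authorize(Split, sent)) // true false true
}
```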