bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/

Cannot list secrets in namespace when created using kubeseal

AhaanShetty opened this issue · comments

Which component:
The name (and version) of the affected component (controller or kubeseal)
Controller
kubeseal version 0.24.3

Describe the bug
I created a sealed secret using the kubeseal command and have the necessary controller and other components successfully installed using a helm chart. Now when I run "kubectl get sealedsecrets", it shows the secret I just created but upon running "kubectl get secrets", it doesn't show up under there. I thought that as soon as a sealed secret is deployed, a regular secret and a sealed secret should be created. The logs from the controller are in the output section of this issue.
I have deployed kubeseal in the cluster in my namespace using the restrictive environment instructions. I set the serviceaccount to one that is enabled for our namespace, but it seems like the underlying container is calling the cluster-wide scope even though it has been deployed to only our namespace.
Our cluster admins do not allow crossing the namespace boundary. The code is written to list secrets at the cluster scope even though I am deploying using the restricted environment instructions. The service account also has the correct verbs in the cluster role API groups for the secrets-unsealer container. Kindly help with the same.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
The newly created secret using kubeseal should show up under both the sealedsecrets and secrets CRDs, but only the sealedsecrets CRD can be listed. The controller is unable to unseal the secret into the regular type.

Version of Kubernetes:

  • Output of kubectl version:
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.23.6

Helm Chart

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
sealed-secrets  security        1               2023-11-16 14:14:52.801967432 -0500 EST deployed        sealed-secrets-1.5.10   0.24.3
E1117 17:53:12.679668       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "secrets" in API group "" at the cluster scope
W1117 17:53:56.496632       1 reflector.go:535] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "secrets" in API group "" at the cluster scope
E1117 17:53:56.496669       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "secrets" in API group "" at the cluster scope
W1117 17:54:05.600514       1 reflector.go:535] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope
E1117 17:54:05.600542       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1alpha1.SealedSecret: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope

Additional context
Add any other context about the problem here.

This could be the same as #1091 / #1064

There was a feature added that allows the operator to watch the secrets and track their deletion in order to recreate them automatically

I faced the same issue and I had to disable that feature by setting skipRecreate to false

Ref: https://github.com/bitnami-labs/sealed-secrets/blob/main/helm/sealed-secrets/values.yaml#L63C1-L68C20

Thanks for the reply @tewfik-ghariani. The issue is that I am able to create sealed secrets, but when I do, it does not create regular ones, and the above output was in the controller logs. Nevertheless, I will install the controller using the option that you suggested.

Hi @AhaanShetty. Installing the Sealed Secrets controller in a restricted environment can be challenging sometimes. The problem, as you can see in the controller logs, is that you don't have permission to list sealedsecrets with cluster scope.
I recommend you take a look at our documentation on how to deploy Sealed Secrets in a restricted environment.

Also, you should define the namespaces where the controller must work using the --additional-namespaces flag.
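A small diagnostic for log lines of the shape quoted above, added here as an example and not part of the sealed-secrets project: it parses the API server's RBAC "forbidden" message out of client-go reflector output and reports which service account was denied which verb at cluster scope, so an operator can confirm that the controller is still trying to list/watch cluster-wide instead of only inside its namespace. The sample input reuses two of the issue's log lines plus one constructed non-denial line.

```python
import re
from collections import Counter

# Sample input: two log lines copied from the issue plus one constructed, harmless info line.
SAMPLE_LOGS = """\
E1117 17:53:12.679668       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "secrets" in API group "" at the cluster scope
W1117 17:54:05.600514       1 reflector.go:535] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:security:admin-security" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope
I1117 17:54:06.000000       1 main.go:100] constructed line: controller started
"""

# The RBAC denial text emitted by the Kubernetes API server; the namespaced variant
# ends in 'in the namespace "<ns>"' instead of 'at the cluster scope'.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa_name>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_forbidden(line):
    """Return a dict describing one RBAC denial, or None if the line is not one."""
    m = FORBIDDEN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["scope"] = "cluster" if d["namespace"] is None else "namespace"
    d["group"] = d["group"] or "core"  # an empty API group string is the core group
    return d


def cluster_scope_denials(log_text):
    """Count denials of cluster-scoped verbs, keyed by (service account, verb, group, resource).

    A non-empty result for a controller meant to stay inside its own namespace means it
    is still listing/watching cluster-wide and needs a namespace-restricted configuration.
    """
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_forbidden(line)
        if d and d["scope"] == "cluster":
            sa = f'{d["sa_ns"]}/{d["sa_name"]}'
            counts[(sa, d["verb"], d["group"], d["resource"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in cluster_scope_denials(SAMPLE_LOGS).items():
        print(f"{n}x {key}")
```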

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.