rbac issue on team namespace

Question

rbac issue on team namespace

moh-abk opened this issue 5 years ago · comments

I've followed the guide and I'm getting this issue;

ts=2019-10-09T11:14:19.220962472Z caller=main.go:243 version=1.14.2
ts=2019-10-09T11:14:19.220997437Z caller=main.go:372 msg="using in cluster config to connect to the cluster"
ts=2019-10-09T11:14:19.292022192Z caller=main.go:450 err="secrets \"flux-git-deploy\" is forbidden: User \"system:serviceaccount:adam:flux\" cannot patch resource \"secrets\" in API group \"\" in the namespace \"adam\": RBAC: [clusterrole.rbac.authorization.k8s.io \"flux-readonly\" not found, clusterrole.rbac.authorization.k8s.io \"flux-psp\" not found]"

adam is the name of the team. any ideas?
the flux-git-deploy secret get's created but is empty.

Mohammed Abubakar · Answer 1 · Wed Oct 09 2019 19:29:35 GMT+0800 (China Standard Time)

this might be because I'm using flux 1.14.2 as 1.15.0 errors with - Failed to pull image "weaveworks/flux:1.15.0": rpc error: code = Unknown desc = Error response from daemon: manifest for weaveworks/flux:1.15.0 not found

Stefan Prodan · Answer 2 · Wed Oct 09 2019 19:31:32 GMT+0800 (China Standard Time)

There are 2 different bugs, let me fix the image first.

Mohammed Abubakar · Answer 3 · Wed Oct 09 2019 19:35:17 GMT+0800 (China Standard Time)

thanks - I've raised - fluxcd/flux#2507

Stefan Prodan · Answer 4 · Wed Oct 09 2019 19:38:45 GMT+0800 (China Standard Time)

About RBAC when you applied the team1 did it worked? I'm guessing you've created adam with the script right?

Mohammed Abubakar · Answer 5 · Wed Oct 09 2019 19:55:37 GMT+0800 (China Standard Time)

yes I used the script; i never tested with team1

with updated flux i get;

ts=2019-10-09T12:11:06.494326802Z caller=main.go:248 version=1.15.0
ts=2019-10-09T12:11:06.494373283Z caller=main.go:383 msg="using in cluster config to connect to the cluster"
ts=2019-10-09T12:11:06.697644963Z caller=main.go:461 err="secrets \"flux-git-deploy\" is forbidden: User \"system:serviceaccount:adam:flux\" cannot patch resource \"secrets\" in API group \"\" in the namespace \"adam\""

Mohammed Abubakar · Answer 6 · Wed Oct 09 2019 20:19:50 GMT+0800 (China Standard Time)

this fixed the issue - kubectl create clusterrolebinding kube-system-cluster-admin --clusterrole=cluster-admin --serviceaccount=adam:flux

Stefan Prodan · Answer 7 · Wed Oct 09 2019 20:26:37 GMT+0800 (China Standard Time)

Ok looks like there is a bug in kustomize v3.2.0.

Replace command: kustomize build . with command: kubectl kustomize . in .flux.yaml and start all over.

Mohammed Abubakar · Answer 8 · Wed Oct 09 2019 20:33:54 GMT+0800 (China Standard Time)

does this apply to the .flux.yaml in the team repo also?

Stefan Prodan · Answer 9 · Wed Oct 09 2019 20:36:47 GMT+0800 (China Standard Time)

If it works in the system flux repo then it should work in the team repo as well.

Stefan Prodan · Answer 10 · Wed Oct 09 2019 20:50:05 GMT+0800 (China Standard Time)

I've found a fix for it, see #9

Mohammed Abubakar · Answer 11 · Wed Oct 09 2019 21:14:56 GMT+0800 (China Standard Time)

thanks - that works 🙏 - does this setup work with Helm charts?

Stefan Prodan · Answer 12 · Wed Oct 09 2019 21:17:19 GMT+0800 (China Standard Time)

You could deploy a Tiller and Helm Operator per namespace. Ok I'm merging #9 if that solves it. Thanks for the bug report 👍