Specific Namespaces: unable to grant RBAC permission not currently held for resource "routes/custom-host"
wgordon17 opened this issue · comments
What happened:
Running `oc apply -f https://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/specific-namespaces/{role,serviceaccount,issuer-letsencrypt-live,deployment}.yaml` in an OpenShift Dedicated cluster leads to the following error:
Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/specific-namespaces/role.yaml": roles.rbac.authorization.k8s.io "openshift-acme" is forbidden: user "wgordon17" (groups=["dedicated-admins" "system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["route.openshift.io"], Resources:["routes/custom-host"], Verbs:["update" "delete" "patch"]}
What you expected to happen:
I expect no error
How to reproduce it (as minimally and precisely as possible):
oc apply -f https://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/specific-namespaces/{role,serviceaccount,issuer-letsencrypt-live,deployment}.yaml
Anything else we need to know?:
Removing this section from the role appears to have let things work as expected (at least the pod isn't showing any error messages):
```yaml
- apiGroups:
  - "route.openshift.io"
  resources:
  - routes/custom-host
  verbs:
  - create
  - update
  - delete
  - patch
```
Environment:
- OpenShift/Kubernetes version (use `oc/kubectl version`):
```
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.7", GitCommit:"205da2b4a", GitTreeState:"clean", BuildDate:"2019-07-17T04:22:20Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.2", GitCommit:"4320e48", GitTreeState:"clean", BuildDate:"2020-01-21T19:50:59Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
```
AFAIK you need custom-host for setting the hostname. I think OpenShift Online had this under Pro offering.
It was always the case https://github.com/tnozicka/openshift-acme/blob/v0.8.0/deploy/letsencrypt-live/single-namespace/role.yaml#L24
Without that permission you can't create a Route with a hostname.
Thank you @tnozicka, I just tested with the previous role (where it was `create` verb only), and it looks like that worked as expected.
Testing each verb, it turns out that only the `create` verb works for me. I suspect the other verbs require/expect cluster-admin level permissions.
I don't see a reason at least `update` would need elevated perms except a bug in OCP. Maybe the other ones are not existing which is what causes the auth error. (Cluster admins have `*`.) I think we use only create now, so I'll try updating the role.
Thanks! I can confirm that only having `create` is enough for openshift-acme to work its magic. I just migrated all the individual deployments on my cluster to a single deployment watching multiple namespaces. Works like magic! 👍🏻
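The "attempting to grant RBAC permissions not currently held" error in the issue body, and the verb-by-verb testing in the follow-up comments, both come down to the same rule: the API server only lets a user create a Role whose every (apiGroup, resource, verb) triple is already covered by a rule that user holds. The script below is an added example, not code from openshift-acme or from anyone in this thread. It models that coverage check on a small constructed set of held rules (the `HELD_RULES` list is an assumption for illustration, not a real dump of the `dedicated-admins` role) and shows why only `create` on `routes/custom-host` passes while `update`, `delete` and `patch` are reported as missing. It also generates the `oc auth can-i` commands a namespace admin could run to confirm each gap before applying a role file.

```python
# Added example (not from the openshift-acme project or this issue thread).
# Simplified model of the Kubernetes RBAC escalation-prevention check: a Role
# can only be created if each permission it grants is already held by the
# creator (the real check additionally allows users holding the "escalate"
# verb on roles; that path is omitted here).
from itertools import product

# Constructed sample: what the requesting user is assumed to hold in the
# namespace. Not a real dedicated-admins role; chosen so that only "create"
# on routes/custom-host is held, matching the outcome described in the thread.
HELD_RULES = [
    {"apiGroups": ["route.openshift.io"], "resources": ["routes"],
     "verbs": ["create", "get", "list", "watch", "update", "delete", "patch"]},
    {"apiGroups": ["route.openshift.io"], "resources": ["routes/custom-host"],
     "verbs": ["create"]},
]

# The rule quoted from role.yaml in the issue.
REQUESTED_RULES = [
    {"apiGroups": ["route.openshift.io"], "resources": ["routes/custom-host"],
     "verbs": ["create", "update", "delete", "patch"]},
]


def _matches(pattern, value):
    """A PolicyRule field matches a value exactly or via the '*' wildcard."""
    return pattern == "*" or pattern == value


def rule_covers(held, group, resource, verb):
    """True if a single held PolicyRule grants this (group, resource, verb)."""
    return (any(_matches(g, group) for g in held["apiGroups"])
            and any(_matches(r, resource) for r in held["resources"])
            and any(_matches(v, verb) for v in held["verbs"]))


def uncovered_permissions(requested_rules, held_rules):
    """Expand requested rules into triples; return those no held rule covers.

    An empty list means the Role would be accepted. A non-empty list is the
    set the API server lists in its "not currently held" error.
    """
    missing = []
    for rule in requested_rules:
        for group, resource, verb in product(
                rule["apiGroups"], rule["resources"], rule["verbs"]):
            if not any(rule_covers(h, group, resource, verb) for h in held_rules):
                missing.append((group, resource, verb))
    return missing


def can_i_commands(missing, namespace="my-namespace"):
    """Build one `oc auth can-i` check per missing triple.

    Subresources such as routes/custom-host are passed with --subresource;
    the namespace value is a placeholder to be replaced by the caller.
    """
    commands = []
    for group, resource, verb in missing:
        base, _, sub = resource.partition("/")
        qualified = f"{base}.{group}" if group else base
        cmd = f"oc auth can-i {verb} {qualified}"
        if sub:
            cmd += f" --subresource={sub}"
        commands.append(f"{cmd} -n {namespace}")
    return commands


if __name__ == "__main__":
    gaps = uncovered_permissions(REQUESTED_RULES, HELD_RULES)
    if not gaps:
        print("Role can be created: all requested permissions are held.")
    else:
        print("Role would be rejected; permissions not currently held:")
        for triple in gaps:
            print("  ", triple)
        print("Confirm with:")
        for cmd in can_i_commands(gaps):
            print("  ", cmd)
```

Trimming the requested rule to `create` only (as the thread ends up doing) yields an empty gap list, and a holder of the `*`/`*`/`*` rule (cluster-admin) covers everything, which is why the same role file applies cleanly for a cluster admin but not for a namespace-scoped admin.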