Add missing permissions for operator role #1593
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
from
5e5d25f to
2d1953e
Compare
RafalKorepta
changed the title
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
2 times, most recently
from
eca22b8 to
5549163
Compare
The HorizontalPodAutoscaler was not added to permission set for the operator Role. The operator during GC operation log the following message: ``` W1106 11:08:59.308067 1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v2.HorizontalPodAutoscaler: horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "redpanda" E1106 11:08:59.308100 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v2.HorizontalPodAutoscaler: failed to list *v2.HorizontalPodAutoscaler: horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "redpanda" ```
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
2 times, most recently
from
ff66f59 to
1d02f7c
Compare
Contributor
|
Have the permissions for HPAs been added to the operator itself? Seems like we're missing service monitors as well. Think we could add a test that asserts that the output permissions are the same as the results of running kustomize against the operator at |
Contributor
Author
|
@chrisseto |
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
2 times, most recently
from
fc4250f to
bdea57a
Compare
chrisseto
reviewed
Nov 7, 2024
| delete(helmRoleRules, consoleKey) | ||
| delete(kClusterRoleRules, consoleKey) | ||
|
|
||
| for k := range helmRoleRules { |
Contributor
There was a problem hiding this comment.
This to me says we should probably do something to make the permissions between the chart and the kustomize manifest much more similar 😓
Do you think it would help if we ran controller-gen in the operator separately for V1 and V2 so we'd have distinct sets that we can individually run kustomize on or merge via the default folder?
Contributor
Author
There was a problem hiding this comment.
That would be ideal! Should I do it right away and align this PR?
Contributor
There was a problem hiding this comment.
If you don't think it'll be too much extra effort, I'd be in favor of it!
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
2 times, most recently
from
71eea55 to
2c2cc6a
Compare
The Certificate from cert-manager customer resource had missing list and watch permission set for operator Role. The operator during GC operation log the following message: ``` W1106 11:46:57.392913 1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Certificate: certificates.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "certificates" in API group "cert-manager.io" in the namespace "redpanda" E1106 11:46:57.392992 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Certificate: failed to list *v1.Certificate: certificates.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "certificates" in API group "cert-manager.io" in the namespace "redpanda" E1106 12:59:35.221498 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Certificate: unknown (get certificates.cert-manager.io) ```
The Issuer from cert-manager customer resource had missing list and watch permission set for operator Role. The operator during GC operation log the following message: ``` W1106 12:46:47.273317 1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: failed to list *v1.Issuer: issuers.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "issuers" in API group "cert-manager.io" in the namespace "redpanda" E1106 12:46:47.273598 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Issuer: failed to list *v1.Issuer: issuers.cert-manager.io is forbidden: User "system:serviceaccount:redpanda:redpanda-operator" cannot list resource "issuers" in API group "cert-manager.io" in the namespace "redpanda" E1106 12:59:31.320754 1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.3/tools/cache/reflector.go:232: Failed to watch *v1.Issuer: unknown (get issuers.cert-manager.io) ```
…oved The migration code was removed in redpanda-data/redpanda-operator#237
The Podmonitor is not created in Redpanda helm chart. Reference https://github.com/redpanda-data/redpanda-operator/blob/d329b7d39b31623b78ee00c0aa22ebadbe2af8f2/operator/internal/controller/redpanda/redpanda_controller.go#L116 https://github.com/redpanda-data/helm-charts/blob/c7c21fe10596b62648936d3243b856317ed0962c/charts/redpanda/servicemonitor.go
Default operator helm chart templates is compared with kustomize from redpanda-operator repository. Kustomize could deploy combination of cluster and namespace scoped operator. There are few exclusions and corss checks between helm Role and kustomize Cluster role.
Reference https://github.com/redpanda-data/redpanda-operator/blob/a1865c2b39cf6f147dff7e7fff947dae6fc39ded/operator/internal/controller/redpanda/user_controller.go#L37-L39 https://github.com/redpanda-data/redpanda-operator/blob/a1865c2b39cf6f147dff7e7fff947dae6fc39ded/operator/internal/controller/redpanda/topic_controller.go#L72-L74 https://github.com/redpanda-data/redpanda-operator/blob/a1865c2b39cf6f147dff7e7fff947dae6fc39ded/operator/internal/controller/redpanda/schema_controller.go#L33-L35
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
2 times, most recently
from
4e5fbfc to
2ecec97
Compare
RafalKorepta
force-pushed
the
rk/add-operator-permissions
branch
from
2ecec97 to
a5c4583
Compare
Contributor
|
Subsumed by #1595 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add HorizontalPodAutoscaler permission for operator role
The HorizontalPodAutoscaler was not added to permission set for the operator
Role. The operator during GC operation log the following message:
Add Certificate permission for operator role
The Certificate from cert-manager customer resource was not added list permission
set for operator Role. The operator during GC operation log the following
message:
Add Issuer permission for operator role
The Issuer from cert-manager customer resource was not added list permission
set for operator Role. The operator during GC operation log the following
message:
Release operator chart
Operator chart in version 0.4.33
Remove none existent empty API Group for leases
Leases are located in coordination.k8s.io API Group not in empty API Group.
Add helm and kustomize RBAC rules equivalence test
Default operator helm chart templates is compared with kustomize from
redpanda-operator repository. Kustomize could deploy combination of
cluster and namespace scoped operator. There are few exclusions and corss
checks between helm Role and kustomize Cluster role.
Remove white space in string
K8S-400