
Helm: granting Rollouts Role permissions not always possible on restricted clusters when Rollouts is present #231

Closed
sfynx opened this issue May 4, 2021 · 2 comments
Labels
kind/enhancement (New feature or request), workflow/todo

Comments

@sfynx
Contributor

sfynx commented May 4, 2021

We encountered an issue when installing Reloader into a single namespace on a cluster where we only have access to said namespace (in this case a multi-tenant OpenShift cluster). It looks like the Rollout permissions are always included in the Role when the `argoproj.io/v1alpha1` API version is present in the cluster, regardless of the `reloader.isArgoRollouts` toggle, due to the `or` operation:

```
{{- if or (.Capabilities.APIVersions.Has "argoproj.io/v1alpha1") (.Values.reloader.isArgoRollouts) }}
```

If the cluster administrator does not allow a tenant to access the Argo Rollout resources, then this Role cannot be installed because you cannot grant permissions you do not hold yourself, so it fails with an error like this:

```
roles.rbac.authorization.k8s.io "reloader-role" is forbidden: user "system:serviceaccount:xxxxx:yyyyy" (groups=["system:serviceaccounts" "system:serviceaccounts:xxxxx" "system:authenticated"]) is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["rollouts"], Verbs:["update" "patch"]} {APIGroups:["argoproj.io"], Resources:["rollouts"], Verbs:["update" "patch"]}
```

Perhaps it would be more prudent to use `and` here, so you need to explicitly set `reloader.isArgoRollouts` to `true` before it gets enabled and attempts to grant these permissions?
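
Added example (not code from the issue, the Reloader chart or Kubernetes): this Python models the two mechanisms interacting in the comment above. `render_role_rules` stands in for the Role template and switches between the chart's `or` gate and the proposed `and` gate; `not_held` mirrors the apiserver's escalation-prevention check, which refuses to create a Role containing (group, resource, verb) permissions the creator does not itself hold. The non-Rollouts rules, the tenant's held permissions and the wildcard handling are constructed assumptions; only the Rollouts rule shape (groups `""` and `argoproj.io`, resource `rollouts`, verbs `update`/`patch`) is taken from the error message.

```python
"""Model of the Helm gate and the RBAC escalation check from issue #231.

Added example, not code from the Reloader chart or Kubernetes. The base
rules and the tenant's permissions are constructed stand-ins; the Rollouts
rule is taken from the apiserver error quoted in the issue.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    """One PolicyRule as found in a Kubernetes Role (simplified)."""
    api_groups: tuple
    resources: tuple
    verbs: tuple


# Shape of the Rollouts rule as the apiserver error lists it.
ROLLOUTS_RULE = Rule(("", "argoproj.io"), ("rollouts",), ("update", "patch"))

# Stand-in for the rest of the chart's Role (assumption, not the real chart).
BASE_RULES = [
    Rule(("",), ("configmaps", "secrets"), ("get", "list", "watch")),
    Rule(("apps",), ("deployments", "daemonsets", "statefulsets"),
         ("get", "list", "update", "patch")),
]


def render_role_rules(api_versions, is_argo_rollouts, gate="or"):
    """Rules the Role template would emit.

    gate="or" mirrors the chart's original condition (API present OR
    toggle set); gate="and" mirrors the proposal in the issue (API
    present AND toggle set). api_versions stands in for
    .Capabilities.APIVersions.
    """
    has_api = "argoproj.io/v1alpha1" in api_versions
    if gate == "or":
        enabled = has_api or is_argo_rollouts
    elif gate == "and":
        enabled = has_api and is_argo_rollouts
    else:
        raise ValueError(f"unknown gate {gate!r}")
    rules = list(BASE_RULES)
    if enabled:
        rules.append(ROLLOUTS_RULE)
    return rules


def triples(rule):
    """Expand a rule into every (group, resource, verb) it grants."""
    return set(product(rule.api_groups, rule.resources, rule.verbs))


def _covers(held, want):
    """Does one held triple cover the wanted triple? '*' is a wildcard."""
    return all(h == "*" or h == w for h, w in zip(held, want))


def not_held(held_rules, requested_rules):
    """Triples in the requested Role that the creator does not hold.

    Kubernetes rejects the Role when this is non-empty (unless the creator
    has the 'escalate' verb on roles), which is the forbidden error quoted
    in the issue. Simplified: no resourceNames or nonResourceURLs.
    """
    held = set()
    for rule in held_rules:
        held |= triples(rule)
    missing = set()
    for rule in requested_rules:
        for want in triples(rule):
            if not any(_covers(h, want) for h in held):
                missing.add(want)
    return sorted(missing)


def group_not_held(missing):
    """Group missing triples by (group, resource), as the apiserver message does."""
    grouped = {}
    for group, resource, verb in missing:
        grouped.setdefault((group, resource), []).append(verb)
    return {key: sorted(verbs) for key, verbs in grouped.items()}


# A namespace tenant holding exactly the base rules and nothing on
# argoproj.io (constructed), and a cluster admin for contrast.
TENANT_RULES = list(BASE_RULES)
CLUSTER_ADMIN_RULES = [Rule(("*",), ("*",), ("*",))]


if __name__ == "__main__":
    cluster = {"argoproj.io/v1alpha1"}  # Rollouts CRD installed cluster-wide
    for gate in ("or", "and"):
        rules = render_role_rules(cluster, is_argo_rollouts=False, gate=gate)
        print(gate, group_not_held(not_held(TENANT_RULES, rules)))
```

With the `or` gate, a tenant on a cluster that has the Rollouts CRD but no `argoproj.io` grant is asked to create a Role carrying the four uncovered triples from the error; with `and` and the toggle left at `false`, the Rollouts rule is never rendered and the check passes. The equivalent checks against a real cluster are `helm template --api-versions argoproj.io/v1alpha1 ...` to see what the chart would render, and `kubectl auth can-i update rollouts.argoproj.io -n <namespace>` to see whether the installing identity could grant it.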

@faizanahmad055
Contributor

@sfynx, would you like to open a PR for this?

sfynx added a commit to sfynx/Reloader that referenced this issue Jun 16, 2021
This prevents a permission issue in case Rollouts is available on a cluster, but the user does not have permission to use it (e.g. as a tenant on a cluster without cluster admin rights), and therefore also may not set permissions for it.

See issue stakater#231.
@faizanahmad055
Contributor

Closing the issue, as it has been fixed.
