RBAC file needs to sync with operator #250

Closed
jpkrohling opened this issue May 25, 2021 · 11 comments

Comments

@jpkrohling
Contributor

The issue still exists in the latest version. I'm using chart 2.21.1 with image 1.22.1, and I've set the following options:

```yaml
rbac:
  create: true
  clusterRole: true
```

But I still see this log message:
```
E0525 08:30:16.437023 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:jaeger-operator:jaeger-operator" cannot list resource "namespaces" in API group "" at the cluster scope
```

But when I add `namespaces` to API group `""`, everything works.

This is the role that helm has generated:

```yaml
---
# Source: jaeger-operator/templates/role.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jaeger-operator
  namespace: {{ .Release.Namespace }}
  labels:
    
    app.kubernetes.io/name: jaeger-operator
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
- apiGroups:
  - io.jaegertracing
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - replicasets
  - deployments
  - daemonsets
  - statefulsets
  - ingresses
  verbs:
  - "*"
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - "*"
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  verbs:
  - "*"
- apiGroups:
  - logging.openshift.io
  resources:
  - elasticsearches
  verbs:
  - '*'
- apiGroups:
  - jaegertracing.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - '*'
- apiGroups:
  - apps
  - extensions
  resourceNames:
  - jaeger-operator
  resources:
  - deployments/finalizers
  verbs:
  - update
- apiGroups:
  - kafka.strimzi.io
  resources:
  - kafkas
  - kafkausers
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - '*'
```

Originally posted by @majidazimi in jaegertracing/jaeger-operator#931 (comment)

@jpkrohling
Contributor Author

I just moved a comment from an issue from the jaeger-operator to here. The text above was written by @majidazimi, I claim no credit for it :-)

I believe that the problem might be that the Helm Charts need to synchronize with the cluster_role.yaml we have in the operator.

https://github.com/jaegertracing/jaeger-operator/blob/050e95a671d5cfceda848055d61af0968f5f68a3/deploy/cluster_role.yaml#L191-L199

@majidazimi
Contributor

Let me update the chart and send a pull request.

@majidazimi
Contributor

@jpkrohling I made it look exactly like upstream (including specific verbs). Also pod security policy part at the end is preserved. Is it sufficient? What chart version should I choose to bump? Maybe 2.22.0?

@chadlwilson
Contributor

I think this is possibly duplicated by #241?

This seems also to be complicated by jaegertracing/jaeger-operator#1431 which seems to mean the chart in its current form is impossible to get working with either clusterRbac: true or individual namespace watching mode?

Would be great to get a fix merged. What help do we need here?

@roberth1988

Could you guys merge this into the chart?

@mattcopas

mattcopas commented Jul 2, 2021

Sadly this issue still persists with the latest version of the jaeger-operator chart

@majidazimi
Contributor

@mattcopas I just updated yesterday and everything seems to work. The role that is generated has the following which solves the issue:

```yaml
## Extra permissions
## This is an extra set of permissions that the Jaeger Operator might make use of if granted

## needed if support for injecting sidecars based on namespace annotation is required
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - 'get'
  - 'list'
  - 'watch'

## needed if support for injecting sidecars based on deployment annotation is required, across all namespaces
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - patch
  - update
  - watch
```
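The issue body above and this comment both come down to the same question: which (apiGroup, resource, verb) grants does the upstream `cluster_role.yaml` contain that the chart-rendered role does not, and does the role cover the request the API server rejected in the `namespaces is forbidden` log line? The following script is an added example, not code from the jaeger-operator project or from anyone in this thread. It applies the API server's own RBAC matching rules (`*` wildcards, `*/subresource` matches, `resourceNames` narrowing) to two rule lists. The rule lists are a constructed subset modelled on the roles posted in this thread; in practice you would obtain them with `yaml.safe_load(...)["rules"]` on the two manifests (PyYAML is assumed, not shown). `nonResourceURLs` rules are ignored.

```python
"""Compare a rendered ClusterRole against an upstream one, and check it
against a Forbidden error from the Kubernetes API server, using the
matching semantics RBAC itself uses."""
import re
from itertools import product

# Constructed sample: the subset of the chart-rendered role relevant here.
# Real input: yaml.safe_load(open("role.yaml"))["rules"] (PyYAML assumed).
CHART_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
     "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["*"]},
    {"apiGroups": ["apps", "extensions"], "resourceNames": ["jaeger-operator"],
     "resources": ["deployments/finalizers"], "verbs": ["update"]},
]

# Constructed upstream role: the chart's rules plus the "extra permissions"
# block (namespaces get/list/watch, deployments across namespaces).
UPSTREAM_RULES = CHART_RULES + [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch", "update", "watch"]},
]

# Shape of the apiserver's Forbidden message, e.g.
#   ... cannot list resource "namespaces" in API group "" at the cluster scope
FORBIDDEN_RE = re.compile(r'cannot (\w+) resource "([^"]+)" in API group "([^"]*)"')


def parse_forbidden(message):
    """Return (group, resource, verb) from a Forbidden message, or None."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        return None
    verb, resource, group = m.groups()
    return (group, resource, verb)


def _resource_matches(rule_resources, resource):
    """Mirror the apiserver: '*' matches everything, an exact string matches
    itself, and '*/sub' matches the 'sub' subresource of any resource.
    Note that plain 'deployments' does NOT cover 'deployments/finalizers'."""
    _, _, sub = resource.partition("/")
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if sub and r == "*/" + sub:
            return True
    return False


def rule_grants(rule, group, resource, verb, name=""):
    """True if a single PolicyRule permits verb on group/resource[/name]."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    names = rule.get("resourceNames", [])
    if "*" not in groups and group not in groups:
        return False
    if not _resource_matches(rule.get("resources", []), resource):
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    # A rule limited to resourceNames only satisfies a request for one of them;
    # an unrestricted request (name == "") is not covered by such a rule.
    if names and name not in names:
        return False
    return True


def grants(rules, group, resource, verb, name=""):
    """True if any rule in the role permits the request."""
    return any(rule_grants(r, group, resource, verb, name) for r in rules)


def missing_permissions(have, want):
    """Expand every rule in `want` into (group, resource, verb, name) grants
    and return, sorted, those that no rule in `have` covers.  A '*' verb or
    resource in `want` is only covered by a '*' in `have`."""
    missing = set()
    for rule in want:
        names = rule.get("resourceNames") or [""]
        for g, r, v, n in product(rule.get("apiGroups", []), rule.get("resources", []),
                                  rule.get("verbs", []), names):
            if not grants(have, g, r, v, n):
                missing.add((g, r, v, n))
    return sorted(missing)


if __name__ == "__main__":
    log = ('namespaces is forbidden: User "system:serviceaccount:jaeger-operator:'
           'jaeger-operator" cannot list resource "namespaces" in API group "" '
           'at the cluster scope')
    group, resource, verb = parse_forbidden(log)
    print("chart role covers the rejected request:", grants(CHART_RULES, group, resource, verb))
    for g, r, v, n in missing_permissions(CHART_RULES, UPSTREAM_RULES):
        print(f"chart is missing: {v} {r} in apiGroup {g!r}" + (f" (resourceName {n})" if n else ""))
```

On a live cluster the equivalent one-off check for the rejected request is `kubectl auth can-i list namespaces --as=system:serviceaccount:jaeger-operator:jaeger-operator`, which evaluates the bindings actually installed rather than a manifest. The diff approach above is what you would run in chart CI to catch the drift this issue is about before it reaches a cluster.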

@chadlwilson
Contributor

@mattcopas are you using the ClusterRole? You can get the same error with the individual namespace/Role model, I believe because the operator tries to access cluster-wide resources it doesn't have access to when operating in that mode.

@mattcopas

@chadlwilson Apologies, the error I'm seeing is in our application. I tried deploying a version of hotrod in a different namespace to the jaeger operator and things are working fine! :)

@majidazimi
Contributor

The PR is merged and the issue is resolved. I think we can close this ticket.

@perezjasonr

Can we double-check that this is truly fixed? This is still being reported; here's my comment in another open issue:

#241 (comment)

6 participants