
Allow running with operator role #75

Closed
otrosien opened this issue Mar 23, 2018 · 5 comments

Comments

@otrosien

otrosien commented Mar 23, 2018

Hi,

I have a deployment where I'm using the operator role for my kubernetes namespace, so I have full access, but only within my own namespace. chaoskube becomes ready but fails to operate.

pods is forbidden: User "system:serviceaccount:poirot-test:operator" cannot list pods at the cluster scope: unauthorized access system:serviceaccount:xxxxxxxx:operator/[system:serviceaccounts system:serviceaccounts:xxxxxxxx system:authenticated]
@otrosien
Author

... readiness probe should probably fail if things like this happen.

@otrosien otrosien changed the title Allow running with reduced privileges Allow running with operator role Mar 23, 2018
@linki
Owner

linki commented Apr 4, 2018

Perfect idea. I'll put this on my roadmap.

@linki
Owner

linki commented Apr 4, 2018

I didn't have RBAC in mind. Given the current implementation, it always needs pod-reader access on a global scope, which means limiting chaoskube to one or more namespaces doesn't allow you to also restrict its access to only those namespaces. This would be desirable as well.

@bavarianbidi
Contributor

@otrosien please have a look at this PR: #91

Could you paste the used role and rolebinding?
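As an added illustration (constructed for this page, not taken from the issue or from the chaoskube project) of the two shapes the role and rolebinding asked for above can take: a namespace-scoped Role/RoleBinding like the reporter's per-namespace operator role, which produces the "cannot list pods at the cluster scope" error quoted in the first comment, and the smallest cluster-scoped pair that satisfies the cluster-wide pod listing the implementation is said to need. The namespace `chaos-test`, the service account `chaoskube` and the read-only verb set are assumptions.

```yaml
# Constructed example; namespace "chaos-test" and SA "chaoskube" are assumed.
# 1. Namespace-scoped Role/RoleBinding: pod listing is allowed only inside
#    chaos-test, so a cluster-wide pod list by this SA is forbidden.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chaoskube-pod-reader
  namespace: chaos-test
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaoskube-pod-reader
  namespace: chaos-test
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: chaos-test
roleRef:
  kind: Role
  name: chaoskube-pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# 2. Cluster-scoped ClusterRole/ClusterRoleBinding: the minimal grant for a
#    cluster-wide pod list; only read verbs on pods, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chaoskube-pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: chaoskube-pod-reader
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: chaos-test
roleRef:
  kind: ClusterRole
  name: chaoskube-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

To confirm which of the two is in effect for the service account, `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:chaos-test:chaoskube` answers `yes` only with the cluster-scoped pair applied.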

@linki
Owner

linki commented Jul 25, 2019

Created a dedicated issue for the readiness probe: #132

Avoiding global permissions is tracked here: #92

@linki linki closed this as completed Jul 25, 2019